---
# Preliminary tasks that should always be run
# List users in order to look files inside each home directory
- name: "PRELIM | List users accounts"
  command: "awk -F: '{print $1}' /etc/passwd"
  register: passwd
  changed_when: no
  check_mode: no

- name: "PRELIM | List home directories"
  find:
      paths:
          - /home
      patterns:
          - '.bash_profile'
      depth: 2
      recurse: yes
      hidden: yes
  register: homes

- name: "PRELIM | Resolve home directories to usernames"
  command: "id -un {{ item }}"
  with_items: "{{ homes | json_query('files[*].path') | map('dirname') | map('basename') | list }}"
  changed_when: no
  check_mode: no
  ignore_errors: yes
  register: home_usernames

- name: "PRELIM | List all users"
  set_fact:
      users: "{{ list_passwd | union(list_homes) | unique }}"
  vars:
      list_passwd: "{{ passwd | json_query('stdout_lines') }}"
      list_homes: "{{ home_usernames.results | json_query('[*].stdout') }}"

- name: "PRELIM | Gather accounts with empty password fields"
  command: "awk -F: '($2 == \"\" ) {j++;print $1; } END {exit j}' /etc/shadow"
  register: empty_password_accounts
  changed_when: no
  check_mode: no

- name: "PRELIM | Gather UID 0 accounts other than root"
  command: "awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}' /etc/passwd"
  register: uid_zero_accounts_except_root
  changed_when: no
  check_mode: no

- name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)"
  yum:
      name: audit
      state: present

- name: "PRELIM | Section 5.1 | Configure cron"
  yum:
      name: cronie
      state: present

- name: "PRELIM | Check if prelink package is installed"
  command: rpm -q prelink
  args:
      warn: false
  register: prelink_installed
  changed_when: no
  failed_when: no
  check_mode: no
  tags:
      - skip_ansible_lint

- name: "PRELIM | Check if postfix package is installed"
  command: rpm -q postfix
  args:
      warn: false
  register: postfix_installed
  changed_when: no
  failed_when: no
  check_mode: no
  tags:
      - skip_ansible_lint

# Individual service checks
- name: "PRELIM | Check for xinetd service"
  shell: "systemctl show xinetd | grep LoadState | cut -d = -f 2"
  register: xinetd_service_status
  changed_when: no
  check_mode: no
  tags:
      - skip_ansible_lint #  ANSIBLE0006

- name: "PRELIM | Check for ntpd service"
  shell: "systemctl show ntpd | grep LoadState | cut -d = -f 2"
  register: ntpd_service_status
  changed_when: no
  check_mode: no
  tags:
      - skip_ansible_lint #  ANSIBLE0006


- name: "PRELIM | Check for chronyd service"
  shell: "systemctl show chronyd | grep LoadState | cut -d = -f 2"
  register: chronyd_service_status
  changed_when: no
  check_mode: no
  tags:
      - skip_ansible_lint #  ANSIBLE0006

- name: "PRELIM | Check for avahi-daemon service"
  shell: "systemctl show avahi-daemon | grep LoadState | cut -d = -f 2"
  register: avahi_service_status
  changed_when: no
  check_mode: no
  tags:
      - skip_ansible_lint #  ANSIBLE0006

- name: "PRELIM | Check for cups service"
  shell: "systemctl show cups | grep LoadState | cut -d = -f 2"
  register: cups_service_status
  changed_when: no
  check_mode: no
  tags:
      - skip_ansible_lint #  ANSIBLE0006

- name: "PRELIM | Check for dhcpd service"
  shell: "systemctl show dhcpd | grep LoadState | cut -d = -f 2"
  register: dhcpd_service_status
  changed_when: no
  check_mode: no
  tags:
      - skip_ansible_lint #  ANSIBLE0006

- name: "PRELIM | Check for slapd service"
  shell: "systemctl show slapd | grep LoadState | cut -d = -f 2"
  register: slapd_service_status
  changed_when: no
  check_mode: no
  tags:
      - skip_ansible_lint #  ANSIBLE0006

- name: "PRELIM | Check for nfs service"
  shell: "systemctl show nfs | grep LoadState | cut -d = -f 2"
  register: nfs_service_status
  changed_when: no
  check_mode: no
  tags:
      - skip_ansible_lint #  ANSIBLE0006

- name: "PRELIM | Check for rpcbind service"
  shell: "systemctl show rpcbind | grep LoadState | cut -d = -f 2"
  register: rpcbind_service_status
  changed_when: no
  check_mode: no
  tags:
      - skip_ansible_lint #  ANSIBLE0006

- name: "PRELIM | Check for named service"
  shell: "systemctl show named | grep LoadState | cut -d = -f 2"
  register: named_service_status
  changed_when: no
  check_mode: no
  tags:
      - skip_ansible_lint #  ANSIBLE0006

- name: "PRELIM | Check for vsftpd service"
  shell: "systemctl show vsftpd | grep LoadState | cut -d = -f 2"
  register: vsftpd_service_status
  changed_when: no
  check_mode: no
  tags:
      - skip_ansible_lint #  ANSIBLE0006

- name: "PRELIM | Check for httpd service"
  shell: "systemctl show httpd | grep LoadState | cut -d = -f 2"
  register: httpd_service_status
  changed_when: no
  check_mode: no
  tags:
      - skip_ansible_lint #  ANSIBLE0006

- name: "PRELIM | Check for dovecot service"
  shell: "systemctl show dovecot | grep LoadState | cut -d = -f 2"
  register: dovecot_service_status
  changed_when: no
  check_mode: no
  tags:
      - skip_ansible_lint #  ANSIBLE0006

- name: "PRELIM | Check for smb service"
  shell: "systemctl show smb | grep LoadState | cut -d = -f 2"
  register: smb_service_status
  changed_when: no
  check_mode: no
  tags:
      - skip_ansible_lint #  ANSIBLE0006

- name: "PRELIM | Check for squid service"
  shell: "systemctl show squid | grep LoadState | cut -d = -f 2"
  register: squid_service_status
  changed_when: no
  check_mode: no
  tags:
      - skip_ansible_lint #  ANSIBLE0006

- name: "PRELIM | Check for snmpd service"
  shell: "systemctl show snmpd | grep LoadState | cut -d = -f 2"
  register: snmpd_service_status
  changed_when: no
  check_mode: no
  tags:
      - skip_ansible_lint #  ANSIBLE0006

- name: "PRELIM | Check for ypserv service"
  shell: "systemctl show ypserv | grep LoadState | cut -d = -f 2"
  register: ypserv_service_status
  changed_when: no
  check_mode: no
  tags:
      - skip_ansible_lint #  ANSIBLE0006

- name: "PRELIM | Check for rsh.socket service"
  shell: "systemctl show rsh.socket | grep LoadState | cut -d = -f 2"
  register: rsh_service_status
  changed_when: no
  check_mode: no
  tags:
      - skip_ansible_lint #  ANSIBLE0006

- name: "PRELIM | Check for rlogin.socket service"
  shell: "systemctl show rlogin.socket | grep LoadState | cut -d = -f 2"
  register: rlogin_service_status
  changed_when: no
  check_mode: no
  tags:
      - skip_ansible_lint #  ANSIBLE0006

- name: "PRELIM | Check for rexec.socket service"
  shell: "systemctl show rexec.socket | grep LoadState | cut -d = -f 2"
  register: rexec_service_status
  changed_when: no
  check_mode: no
  tags:
      - skip_ansible_lint #  ANSIBLE0006

- name: "PRELIM | Check for telnet service"
  shell: "systemctl show telnet | grep LoadState | cut -d = -f 2"
  register: telnet_service_status
  changed_when: no
  check_mode: no
  tags:
      - skip_ansible_lint #  ANSIBLE0006

- name: "PRELIM | Check for tftp service"
  shell: "systemctl show tftp | grep LoadState | cut -d = -f 2"
  register: tftp_service_status
  changed_when: no
  check_mode: no
  tags:
      - skip_ansible_lint #  ANSIBLE0006

- name: "PRELIM | Check for rsyncd service"
  shell: "systemctl show rsyncd | grep LoadState | cut -d = -f 2"
  register: rsyncd_service_status
  changed_when: no
  check_mode: no
  tags:
      - skip_ansible_lint #  ANSIBLE0006

- name: "PRELIM | Check for ntalk service"
  shell: "systemctl show ntalk | grep LoadState | cut -d = -f 2"
  register: ntalk_service_status
  changed_when: no
  check_mode: no
  tags:
      - skip_ansible_lint #  ANSIBLE0006

- name: "PRELIM | Check for autofs service"
  shell: "systemctl show autofs | grep LoadState | cut -d = -f 2"
  register: autofs_service_status
  changed_when: no
  check_mode: no
  tags:
      - skip_ansible_lint #  ANSIBLE0006

- name: "PRELIM | Check for rhnsd service"
  shell: "systemctl show rhnsd | grep LoadState | cut -d = -f 2"
  register: rhnsd_service_status
  changed_when: no
  check_mode: no
  tags:
      - skip_ansible_lint #  ANSIBLE0006