- name: "NOTSCORED | 6.1.1 | PATCH | Audit system file permissions" command: /bin/true changed_when: no when: - rhel7cis_rule_6_1_1|bool tags: - level2 - patch - rule_6.1.1 - notimplemented - name: "SCORED | 6.1.2 | PATCH | Ensure permissions on /etc/passwd are configured" file: dest: /etc/passwd owner: root group: root mode: 0644 when: - rhel7cis_rule_6_1_2|bool tags: - level1 - level2 - patch - rule_6.1.2 - name: "SCORED | 6.1.3 | PATCH | Ensure permissions on /etc/shadow are configured" file: dest: /etc/shadow owner: root group: root mode: 0000 when: - rhel7cis_rule_6_1_3|bool tags: - level1 - level2 - patch - rule_6.1.3 - name: "SCORED | 6.1.4 | PATCH | Ensure permissions on /etc/group are configured" file: dest: /etc/group owner: root group: root mode: 0644 when: - rhel7cis_rule_6_1_4|bool tags: - level1 - level2 - patch - rule_6.1.4 - name: "SCORED | 6.1.5 | PATCH | Ensure permissions on /etc/gshadow are configured" file: dest: /etc/gshadow owner: root group: root mode: 0000 when: - rhel7cis_rule_6_1_5|bool tags: - level1 - level2 - patch - rule_6.1.5 - name: "SCORED | 6.1.6 | PATCH | Ensure permissions on /etc/passwd- are configured" file: dest: /etc/passwd- owner: root group: root mode: 0600 when: - rhel7cis_rule_6_1_6|bool tags: - level1 - level2 - patch - rule_6.1.6 - name: "SCORED | 6.1.7 | PATCH | Ensure permissions on /etc/shadow- are configured" file: dest: /etc/shadow- owner: root group: root mode: 0000 when: - rhel7cis_rule_6_1_7|bool tags: - level1 - level2 - patch - rule_6.1.7 - name: "SCORED | 6.1.8 | PATCH | Ensure permissions on /etc/group- are configured" file: dest: /etc/group- owner: root group: root mode: 0600 when: - rhel7cis_rule_6_1_8|bool tags: - level1 - level2 - patch - rule_6.1.8 - name: "SCORED | 6.1.9 | PATCH | Ensure permissions on /etc/gshadow- are configured" file: dest: /etc/gshadow- owner: root group: root mode: 0600 when: - rhel7cis_rule_6_1_9|bool tags: - level1 - level2 - patch - rule_6.1.9 - name: "SCORED | 6.1.10 | PATCH | Ensure no world writable files exist" command: /bin/true changed_when: no when: - rhel7cis_rule_6_1_10|bool tags: - level1 - level2 - patch - rule_6.1.10 - notimplemented - name: "SCORED | 6.1.11 | PATCH | Ensure no unowned files or directories exist" command: /bin/true changed_when: no when: - rhel7cis_rule_6_1_11|bool tags: - level1 - level2 - patch - rule_6.1.11 - notimplemented - name: "SCORED | 6.1.12 | PATCH | Ensure no ungrouped files or directories exist" command: /bin/true changed_when: no when: - rhel7cis_rule_6_1_12|bool tags: - level1 - level2 - patch - rule_6.1.12 - notimplemented - name: "NOTSCORED | 6.1.13 | PATCH | Audit SUID executables" command: /bin/true changed_when: no when: - rhel7cis_rule_6_1_13|bool tags: - level1 - level2 - patch - rule_6.1.13 - notimplemented - name: "NOTSCORED | 6.1.14 | PATCH | Audit SGID executables" command: /bin/true changed_when: no when: - rhel7cis_rule_6_1_14|bool tags: - level1 - level2 - patch - rule_6.1.14 - notimplemented - name: "SCORED | 6.2.1 | PATCH | Ensure password fields are not empty" command: passwd -l {{ item }} changed_when: no failed_when: no with_items: "{{ empty_password_accounts.stdout_lines }}" when: - empty_password_accounts.rc - rhel7cis_rule_6_2_1|bool tags: - level1 - level2 - patch - rule_6.2.1 - name: "SCORED | 6.2.2 | PATCH | Ensure no legacy '+' entries exist in /etc/passwd" command: sed -i '/^+/ d' /etc/passwd changed_when: no failed_when: no when: - rhel7cis_rule_6_2_2|bool tags: - level1 - level2 - patch - rule_6.2.2 - skip_ansible_lint # ANSIBLE0006 - name: "SCORED | 6.2.3 | PATCH | Ensure no legacy '+' entries exist in /etc/shadow" command: sed -i '/^+/ d' /etc/shadow changed_when: no failed_when: no when: - rhel7cis_rule_6_2_3|bool tags: - level1 - level2 - patch - rule_6.2.3 - skip_ansible_lint # ANSIBLE0006 - name: "SCORED | 6.2.4 | PATCH | Ensure no legacy '+' entries exist in /etc/group" command: sed -i '/^+/ d' /etc/group changed_when: no failed_when: no when: - rhel7cis_rule_6_2_4|bool tags: - level1 - level2 - patch - rule_6.2.4 - skip_ansible_lint # ANSIBLE0006 - name: "SCORED | 6.2.5 | PATCH | Ensure root is the only UID 0 account" command: passwd -l {{ item }} changed_when: no failed_when: no with_items: "{{ uid_zero_accounts_except_root.stdout_lines }}" when: - uid_zero_accounts_except_root.rc - rhel7cis_rule_6_2_5|bool tags: - level1 - level2 - patch - rule_6.2.5 - name: "SCORED | 6.2.6 | PATCH | Ensure root PATH Integrity" command: /bin/true changed_when: no when: - rhel7cis_rule_6_2_6|bool tags: - level1 - level2 - patch - rule_6.2.6 - notimplemented - name: "SCORED | 6.2.7 | PATCH | Ensure all users' home directories exist" command: /bin/true changed_when: no when: - rhel7cis_rule_6_2_7|bool tags: - level1 - level2 - patch - rule_6.2.7 - notimplemented - name: "SCORED | 6.2.8 | PATCH | Ensure users' home directories permissions are 750 or more restrictive" command: /bin/true changed_when: no when: - rhel7cis_rule_6_2_8|bool tags: - level1 - level2 - patch - rule_6.2.8 - notimplemented - name: "SCORED | 6.2.9 | PATCH | Ensure users own their home directories" command: /bin/true changed_when: no when: - rhel7cis_rule_6_2_9|bool tags: - level1 - level2 - patch - rule_6.2.9 - notimplemented - name: "SCORED | 6.2.10 | PATCH | Ensure users' dot files are not group or world writable" command: /bin/true changed_when: no when: - rhel7cis_rule_6_2_10|bool tags: - level1 - level2 - patch - rule_6.2.10 - notimplemented - name: "SCORED | 6.2.11 | PATCH | Ensure no users have .forward files" file: state: absent dest: "~{{ item }}/.forward" with_items: "{{ users }}" when: - rhel7cis_rule_6_2_11|bool tags: - level1 - level2 - patch - rule_6.2.11 - name: "SCORED | 6.2.12 | PATCH | Ensure no users have .netrc files" file: state: absent dest: "~{{ item }}/.netrc" with_items: "{{ users }}" when: - rhel7cis_rule_6_2_12|bool tags: - level1 - level2 - patch - rule_6.2.12 # - name: "SCORED | 6.2.13 | PATCH | Ensure users' .netrc Files are not group or world accessible" # file: # mode: 0600 # dest: "~{{ item }}/.netrc" # with_items: "{{ users.stdout_lines }}" # tags: # - level1 # - level2 # - patch # - rule_6.2.13 - name: "SCORED | 6.2.14 | PATCH | Ensure no users have .rhosts files" file: state: absent dest: "~{{ item }}/.rhosts" with_items: "{{ users }}" when: - rhel7cis_rule_6_2_14|bool tags: - level1 - level2 - patch - rule_6.2.14 - name: "SCORED | 6.2.15 | PATCH | Ensure all groups in /etc/passwd exist in /etc/group" command: /bin/true changed_when: no when: - rhel7cis_rule_6_2_15|bool tags: - level1 - level2 - patch - rule_6.2.15 - notimplemented - name: "SCORED | 6.2.16 | PATCH | Ensure no duplicate UIDs exist" command: /bin/true changed_when: no when: - rhel7cis_rule_6_2_16|bool tags: - level1 - level2 - patch - rule_6.2.16 - notimplemented - name: "SCORED | 6.2.17 | PATCH | Ensure no duplicate GIDs exist" command: /bin/true changed_when: no when: - rhel7cis_rule_6_2_17|bool tags: - level1 - level2 - patch - rule_6.2.17 - notimplemented - name: "SCORED | 6.2.18 | PATCH | Ensure no duplicate user names exist" command: /bin/true changed_when: no when: - rhel7cis_rule_6_2_18|bool tags: - level1 - level2 - patch - rule_6.2.18 - notimplemented - name: "SCORED | 6.2.19 | PATCH | Ensure no duplicate group names exist" command: /bin/true changed_when: no when: - rhel7cis_rule_6_2_19|bool tags: - level1 - level2 - patch - rule_6.2.19