fix-cat2.yml

---

- name: "MEDIUM | RHEL-07-010019 | PATCH | RHEL 7 must ensure cryptographic verification of vendor software packages."
  block:
      - name: "MEDIUM | RHEL-07-010019 | PATCH | RHEL 7 must ensure cryptographic verification of vendor software packages. | package installed"
        ansible.builtin.package:
            name: "{{ gpg_package }}"
            state: present
        when: "gpg_package not in ansible_facts.packages"

      - name: "MEDIUM | RHEL-07-010019 | AUDIT | RHEL 7 must ensure cryptographic verification of vendor software packages. | Confirm keys"
        ansible.builtin.shell: "gpg -q --keyid-format short --with-fingerprint {{ rpm_gpg_key }} | grep -A1 '{{ item.name }}' | grep '{{ item.fingerprint }}'"
        changed_when: false
        failed_when: rhel_07_010019_gpg_info.rc not in [ 0, 1]
        register: rhel_07_010019_gpg_info
        loop: "{{ gpg_keys }}"
        loop_control:
            label: item.name

      - name: "MEDIUM | RHEL-07-010019 | AUDIT | RHEL 7 must ensure cryptographic verification of vendor software packages. | warn"
        ansible.builtin.debug:
            msg:
                - "WARNING!! Please investigate the vendor gpgkeys match expected values"
        loop: "{{ rhel_07_010019_gpg_info.results }}"
        when: item.rc != 0
  when:
      - rhel_07_010019
  tags:
      - RHEL-07-010019
      - CAT2
      - CCI-001749
      - SRG-OS-000366-GPOS-00153
      - SV-256968r902687_rule
      - V-256968

### RHEL-07-010030 | RHEL-07-010040 combined as related tasks in regards to a config file no other content will be in.
- name: "MEDIUM | RHEL-07-010030 | RHEL-07-010040 | PATCH | The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon."
  ansible.builtin.copy:  # noqa: template-instead-of-copy
      dest: /etc/dconf/db/local.d/01-banner-message
      content: |
          [org/gnome/login-screen]
          banner-message-enable=true
          banner-message-text='{{ rhel7stig_logon_banner | replace(newline, "\n") }}'
      mode: '0644'
  vars:
      newline: "\n"
  notify: dconf update
  when:
      - rhel7stig_dconf_available
      - rhel_07_010030
      - rhel_07_010040
  tags:
      - CAT2
      - RHEL-07-010030
      - CCI-000048
      - SRG-OS-000023-GPOS-00006
      - SV-204393r603261_rule
      - V-204393
      - RHEL_07_010040
      - SV-204394r603261_rule
      - V-204394
      - dod_logon_banner

- name: "MEDIUM | RHEL-07-010050 | PATCH | The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon."
  ansible.builtin.copy:
      content: "{{ rhel7stig_logon_banner }}"  # noqa: template-instead-of-copy
      dest: "{{ item }}"
      owner: root
      group: root
      mode: 0644
  with_items:
      - /etc/issue
      - /etc/issue.net
  when:
      - rhel_07_010050
      - rhel7stig_ssh_required
  tags:
      - RHEL-07-010050
      - CAT2
      - CCI-000048
      - SRG-OS-000023-GPOS-00006
      - SV-204395r603261_rule
      - V-204395
      - ssh
      - dod_logon_banner

- name: "MEDIUM | RHEL-07-010060 | PATCH | The Red Hat Enterprise Linux operating system must enable a user session lock until that user re-establishes access using established identification and authentication procedures."
  ansible.builtin.copy:
      dest: /etc/dconf/db/local.d/00-screensaver_rhel_07_010060
      content: |
          [org/gnome/desktop/screensaver]
          lock-enabled=true
      mode: '0644'
  notify: dconf update
  when:
      - rhel7stig_dconf_available
      - rhel_07_010060
  tags:
      - RHEL-07-010060
      - CAT2
      - CCI-000056
      - SRG-OS-000028-GPOS-00009
      - SV-204396r880746_rule
      - V-204396
      - dconf

- name: "MEDIUM | RHEL-07-010061 | PATCH | The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate users using multifactor authentication via a graphical user logon."
  ansible.builtin.copy:
      dest: /etc/dconf/db/local.d/00-defaults_rhel_07_010061
      content: |
          [org/gnome/login-screen]
          enable-smartcard-authentication=true
      mode: '0644'
  notify: dconf update
  when:
      - rhel7stig_dconf_available
      - rhel_07_010061
  tags:
      - RHEL-07-010061
      - CAT2
      - CCI-001948
      - CCI-001953
      - CCI-001954
      - SRG-OS-000375-GPOS-00160
      - SV-204397r603261_rule
      - V-204397
      - dconf

- name: "MEDIUM | RHEL-07-010062 | The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface."
  ansible.builtin.copy:
      dest: /etc/dconf/db/local.d/locks/session_rhel_07_010062
      content: |
        /org/gnome/desktop/screensaver/lock-enabled
      mode: '0644'
  notify: dconf update
  when:
      - rhel7stig_dconf_available
      - rhel_07_010062
  tags:
      - RHEL-07-010062
      - CAT2
      - CCI-000057
      - SRG-OS-000029-GPOS-00010
      - SV-214937r880767_rule
      - V-214937
      - dconf

- name: "MEDIUM | RHEL-07-010063 | PATCH | The Red Hat Enterprise Linux operating system must disable the login screen user list for graphical user interfaces."
  block:
      - name: "MEDIUM | RHEL-07-010063 | PATCH | The Red Hat Enterprise Linux operating system must disable the login screen user list for graphical user interfaces. | login_screen"
        ansible.builtin.lineinfile:
            path: /etc/dconf/db/local.d/00-login-screen
            line: "{{ item }}"
            mode: '0644'
            create: true
        loop:
            - [org/gnome/login-screen]
            - disable-user-list=true
        notify: dconf update

      - name: "MEDIUM | RHEL-07-010063 | PATCH | The Red Hat Enterprise Linux operating system must disable the login screen user list for graphical user interfaces. | gdm profile"
        ansible.builtin.lineinfile:
            path: /etc/dconf/profile/gdm
            line: "{{ item }}"
            mode: '0644'
            create: true
        loop:
            - user-db:user
            - system-db:gdm
            - file-db:/usr/share/gdm/greeter-dconf-defaults
        notify: dconf update
  when:
      - rhel7stig_dconf_available
      - rhel_07_010063
  tags:
      - RHEL-07-010063
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-256969r902690_rule
      - V-256969
      - dconf

- name: "MEDIUM | RHEL-07-010070 | PATCH | The Red Hat Enterprise Linux operating system must initiate a screensaver after a 15-minute period of inactivity for graphical user interfaces."
  ansible.builtin.copy:
      dest: /etc/dconf/db/local.d/00-screensaver_rhel_07_010070
      content: |
          [org/gnome/desktop/session]
          idle-delay=uint32 900
      mode: '0644'
  notify: dconf update
  when:
      - rhel7stig_dconf_available
      - rhel_07_010070
  tags:
      - RHEL-07-010070
      - CAT2
      - CCI-000057
      - SRG-OS-000029-GPOS-00010
      - SV-204398r880770_rule
      - V-204398
      - dconf

- name: "MEDIUM | RHEL-07-010081 | PATCH | The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver lock-delay setting for the graphical user interface."
  ansible.builtin.copy:
      dest: /etc/dconf/db/local.d/locks/session_rhel_07_010081
      content: |
          /org/gnome/desktop/screensaver/lock-delay
      mode: '0644'
  notify: dconf update
  when:
      - rhel7stig_dconf_available
      - rhel_07_010081
  tags:
      - RHEL-07-010081
      - CAT2
      - CCI-000057
      - SRG-OS-000029-GPOS-00010
      - SV-204399r880773_rule
      - V-204399
      - dconf

- name: "MEDIUM | RHEL-07-010082 | PATCH | The Red Hat Enterprise Linux operating system must prevent a user from overriding the session idle-delay setting for the graphical user interface."
  ansible.builtin.copy:
      dest: /etc/dconf/db/local.d/locks/session_rhel_07_010082
      content: |
          /org/gnome/desktop/session/idle-delay
      mode: '0644'
  notify: dconf update
  when:
      - rhel7stig_dconf_available
      - rhel_07_010082
  tags:
      - RHEL-07-010082
      - CAT2
      - CCI-000057
      - SRG-OS-000029-GPOS-00010
      - SV-204400r880776_rule
      - V-204400
      - dconf

- name: "MEDIUM | RHEL-07-010090 | PATCH | The Red Hat Enterprise Linux operating system must have the screen package installed."
  ansible.builtin.package:
      name: screen
      state: present
  when:
      - rhel_07_010090
      - "'screen' not in ansible_facts.packages"
      - "'tmux' not in ansible_facts.packages"
  tags:
      - RHEL-07-010090
      - CAT2
      - CCI-000057
      - SRG-OS-000029-GPOS-00010
      - SV-255926r880779_rule
      - V-255926
      - screen

- name: "MEDIUM | RHEL-07-010100 | PATCH | The Red Hat Enterprise Linux operating system must initiate a session lock for the screensaver after a period of inactivity for graphical user interfaces."
  ansible.builtin.copy:
      dest: /etc/dconf/db/local.d/00-screensaver_rhel_07_010100
      content: |
          [org/gnome/desktop/screensaver]
          idle-activation-enabled=true
      mode: '0644'
  notify: dconf update
  when:
      - rhel7stig_dconf_available
      - rhel_07_010100
  tags:
      - RHEL-07-010100
      - CAT2
      - CCI-000057
      - SRG-OS-000029-GPOS-00010
      - SV-204402r880782_rule
      - V-204402
      - dconf

- name: "MEDIUM | RHEL-07-010101 | PATCH | The Red Hat Enterprise Linux operating system must prevent a user from overriding the screensaver idle-activation-enabled setting for the graphical user interface."
  ansible.builtin.copy:
      dest: /etc/dconf/db/local.d/locks/session_rhel_07_010101
      content: |
          /org/gnome/desktop/screensaver/idle-activation-enabled
      mode: '0644'
  notify: dconf update
  when:
      - rhel7stig_dconf_available
      - rhel_07_010101
  tags:
      - RHEL-07-010101
      - CAT2
      - CCI-000057
      - SRG-OS-000029-GPOS-00010
      - SV-204403r880785_rule
      - V-204403
      - dconf

- name: "MEDIUM | RHEL-07-010110 | PATCH | The Red Hat Enterprise Linux operating system must initiate a session lock for graphical user interfaces when the screensaver is activated."
  ansible.builtin.copy:
      dest: /etc/dconf/db/local.d/00-screensaver_rhel_07_010110
      content: |
          [org/gnome/desktop/screensaver]
          lock-delay=uint32 5
      mode: '0644'
  register: rhel_07_010110
  notify: dconf update
  when:
      - rhel7stig_dconf_available
      - rhel_07_010110
  tags:
      - RHEL-07-010110
      - CAT2
      - CCI-000057
      - SRG-OS-000029-GPOS-00010
      - SV-204404r880788_rule
      - V-204404
      - dconf

- name: "MEDIUM | RHEL-07-010118 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that /etc/pam.d/passwd implements /etc/pam.d/system-auth when changing passwords."
  ansible.builtin.lineinfile:
      path: /etc/pam.d/passwd
      regexp: '^password\s+substack\s+system-auth'
      line: 'password   substack     system-auth'
  when:
      - rhel_07_010118
  tags:
      - RHEL-07-010118
      - CAT2
      - CCI-000192
      - SRG-OS-000069-GPOS-00037
      - SV-204405r603261_rule
      - V-204405
      - pamd

- name: "MEDIUM | RHEL-07-010119 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, pwquality must be used."
  ansible.builtin.lineinfile:
      create: true
      dest: /etc/pam.d/system-auth
      regexp: '^#?password\s+(required|requisite) pam_pwquality.so retry'
      line: password requisite pam_pwquality.so retry=3
      mode: 0644
  when:
      - rhel_07_010119
  tags:
      - RHEL-07-010119
      - CAT2
      - CCI-000192
      - SRG-OS-000069-GPOS-00037
      - SV-204406r902704_rule
      - V-204406
      - pamd

- name: "MEDIUM | RHEL-07-010120 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one upper-case character."
  ansible.builtin.lineinfile:
      create: true
      dest: /etc/security/pwquality.conf
      regexp: '^#?\s*ucredit'
      line: "ucredit = {{ rhel7stig_password_complexity.ucredit | default('-1') }}"
      mode: 0644
  when:
      - rhel_07_010120
  tags:
      - RHEL-07-010120
      - CAT2
      - CCI-000192
      - SRG-OS-000069-GPOS-00037
      - SV-204407r603261_rule
      - V-204407
      - pwquality

- name: "MEDIUM | RHEL-07-010130 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one lower-case character."
  ansible.builtin.lineinfile:
      create: true
      dest: /etc/security/pwquality.conf
      regexp: '^#?\s*lcredit'
      line: "lcredit = {{ rhel7stig_password_complexity.lcredit | default('-1') }}"
      mode: 0644
  when:
      - rhel_07_010130
  tags:
      - RHEL-07-010130
      - CAT2
      - CCI-000193
      - SRG-OS-000070-GPOS-00038
      - SV-204408r603261_rule
      - V-204408
      - pwquality

- name: "MEDIUM | RHEL-07-010140 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are assigned, the new password must contain at least one numeric character."
  ansible.builtin.lineinfile:
      create: true
      dest: /etc/security/pwquality.conf
      regexp: '^#?\s*dcredit'
      line: "dcredit = {{ rhel7stig_password_complexity.dcredit | default('-1') }}"
      mode: 0644
  when:
      - rhel_07_010140
  tags:
      - RHEL-07-010140
      - CAT2
      - CCI-000194
      - SV-204409r603261_rule
      - V-204409
      - RHELsality

- name: "MEDIUM | RHEL-07-010150 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed or new passwords are established, the new password must contain at least one special character."
  ansible.builtin.lineinfile:
      create: true
      dest: /etc/security/pwquality.conf
      regexp: '^#?\s*ocredit'
      line: "ocredit = {{ rhel7stig_password_complexity.ocredit | default('-1') }}"
      mode: 0644
  when:
      - rhel_07_010150
  tags:
      - RHEL-07-010150
      - CAT2
      - CCI-001619
      - SRG-OS-000266-GPOS-00101
      - SV-204410r603261_rule
      - V-204410
      - pwquality

- name: "MEDIUM | RHEL-07-010160 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of eight of the total number of characters must be changed."
  ansible.builtin.lineinfile:
      create: true
      dest: /etc/security/pwquality.conf
      regexp: '^#?\s*difok'
      line: "difok = {{ rhel7stig_password_complexity.difok | default('8') }}"
      mode: 0644
  when:
      - rhel_07_010160
  tags:
      - RHEL-07-010160
      - CAT2
      - CCI-000195
      - SRG-OS-000072-GPOS-00040
      - SV-204411r603261_rule
      - V-204411
      - pwquality

- name: "MEDIUM | RHEL-07-010170 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed a minimum of four character classes must be changed."
  ansible.builtin.lineinfile:
      create: true
      dest: /etc/security/pwquality.conf
      regexp: '^#?\s*minclass'
      line: "minclass = {{ rhel7stig_password_complexity.minclass | default('4') }}"
      mode: 0644
  when:
      - rhel_07_010170
  tags:
      - RHEL-07-010170
      - CAT2
      - CCI-000195
      - SRG-OS-000072-GPOS-00040
      - SV-204412r603261_rule
      - V-204412
      - pwquality

- name: "MEDIUM | RHEL-07-010180 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating consecutive characters must not be more than three characters."
  ansible.builtin.lineinfile:
      create: true
      dest: /etc/security/pwquality.conf
      regexp: '^#?\s*maxrepeat'
      line: "maxrepeat = {{ rhel7stig_password_complexity.maxrepeat | default('3') }}"
      mode: 0644
  when:
      - rhel_07_010180
  tags:
      - RHEL-07-010180
      - CAT2
      - CCI-000195
      - SRG-OS-000072-GPOS-00040
      - SV-204413r603261_rule
      - V-204413
      - pwquality

- name: "MEDIUM | RHEL-07-010190 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that when passwords are changed the number of repeating characters of the same character class must not be more than four characters."
  ansible.builtin.lineinfile:
      create: true
      dest: /etc/security/pwquality.conf
      regexp: '^#?\s*maxclassrepeat'
      line: "maxclassrepeat = {{ rhel7stig_password_complexity.maxclassrepeat | default('4') }}"
      mode: 0644
  when:
      - rhel_07_010190
  tags:
      - RHEL-07-010190
      - CAT2
      - CCI-000195
      - SRG-OS-000072-GPOS-00040
      - SV-204414r809186_rule
      - V-204414
      - pwquality

- name: "MEDIUM | RHEL-07-010199 | PATCH |  The Red Hat Enterprise Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility."
  block:
      - name: "MEDIUM | RHEL-07-010199 | PATCH |  The Red Hat Enterprise Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility. | local file"
        ansible.builtin.template:
            src: "{{ item }}.j2"
            dest: "/{{ item }}"
            owner: root
            group: root
            mode: 0644
        loop:
            - etc/pam.d/password-auth-local
            - etc/pam.d/system-auth-local

      - name: "MEDIUM | RHEL-07-010199 | PATCH |  The Red Hat Enterprise Linux operating system must be configured to prevent overwriting of custom authentication configuration settings by the authconfig utility. | copy and symlink"
        ansible.builtin.shell: "if [[ -f {{ item }} && ! -L {{ item }} ]]; then cp -p {{ item }} {{ item }}-ac; ln -sf {{ item }}-local {{ item }} && (exit 99); else (exit 98); fi"
        changed_when: rhel_07_010199_changed.rc == 99
        failed_when: rhel_07_010199_changed.rc not in [ 98, 99 ]
        register: rhel_07_010199_changed
        loop:
            - /etc/pam.d/password-auth
            - /etc/pam.d/system-auth
  when:
      - rhel_07_010199
  tags:
      - RHEL-07-010199
      - CAT2
      - CCI-000196
      - SRG-OS-000072-GPOS-00040
      - SV-255928r917838_rule
      - V-255928
      - pamd

- name: "MEDIUM | RHEL-07-010200 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the PAM system service is configured to store only encrypted representations of passwords."
  community.general.pamd:
      name: "{{ item[0] }}"
      state: "{{ item[1].state }}"
      type: password
      control: sufficient
      module_path: pam_unix.so
      module_arguments: "{{ item[1].args }}"
  with_nested:
      - [ 'system-auth', 'password-auth' ]
      -
          - state: args_present
            args:
                - "sha512"
          - state: args_absent
            args:
                - "md5"
                - "bigcrypt"
                - "sha256"
                - "blowfish"
  when:
      - rhel_07_010200
  tags:
      - RHEL-07-010200
      - CAT2
      - CCI-000196
      - SRG-OS-000073-GPOS-00041
      - SV-204415r917816_rule
      - V-204415
      - pamd

- name: "MEDIUM | RHEL-07-010210 | PATCH | The Red Hat Enterprise Linux operating system must be configured to use the shadow file to store only encrypted representations of passwords."
  ansible.builtin.lineinfile:
      path: /etc/login.defs
      regexp: ^#?ENCRYPT_METHOD
      line: "ENCRYPT_METHOD {{ rhel7stig_login_defaults.encrypt_method | default('SHA512') }}"
  when:
      - rhel_07_010210
  tags:
      - RHEL-07-010210
      - CAT2
      - CCI-000196
      - SRG-OS-000073-GPOS-00041
      - SV-204416r603261_rule
      - V-204416
      - login

- name: "MEDIUM | RHEL-07-010220 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that user and group account administration utilities are configured to store only encrypted representations of passwords."
  ansible.builtin.lineinfile:
      path: /etc/libuser.conf
      regexp: ^#?crypt_style
      line: crypt_style = sha512
  when:
      - rhel_07_010220
  tags:
      - RHEL-07-010220
      - CAT2
      - CCI-000196
      - SRG-OS-000073-GPOS-00041
      - SV-204417r603261_rule
      - V-204417
      - login

- name: "MEDIUM | RHEL-07-010230 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 24 hours/1 day minimum lifetime."
  ansible.builtin.lineinfile:
      create: true
      dest: /etc/login.defs
      regexp: ^#?PASS_MIN_DAYS
      line: "PASS_MIN_DAYS {{ rhel7stig_login_defaults.pass_min_days | default('1') }}"
      mode: 0644
  when:
      - rhel_07_010230
  tags:
      - RHEL-07-010230
      - CAT2
      - CCI-000198
      - SRG-OS-000075-GPOS-00043
      - SV-204418r603261_rule
      - V-204418
      - login

- name: "MEDIUM | RHEL-07-010240 | The Red Hat Enterprise Linux operating system must be configured so that passwords are restricted to a 24 hours/1 day minimum lifetime."
  block:
      - name: "MEDIUM | RHEL-07-010240 | AUDIT | Passwords must be restricted to a 24 hours/1 day minimum lifetime."
        ansible.builtin.shell: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $4 < 1 {print $1}' /etc/shadow"
        check_mode: false
        changed_when: false
        register: rhel_07_010240_audit

      - name: "MEDIUM | RHEL-07-010240 | PATCH | Passwords must be restricted to a 24 hours/1 day minimum lifetime."
        ansible.builtin.shell: chage -m 1 {{ item }}
        check_mode: false
        changed_when: true
        with_items:
            - "{{ rhel_07_010240_audit.stdout_lines }}"
  when:
      - rhel_07_010240
  tags:
      - RHEL-07-010240
      - CAT2
      - CCI-000198
      - SRG-OS-000075-GPOS-00043
      - SV-204419r603261_rule
      - V-204419
      - password

- name: "MEDIUM | RHEL-07-010250 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that passwords for new users are restricted to a 60-day maximum lifetime."
  ansible.builtin.lineinfile:
      create: true
      dest: /etc/login.defs
      regexp: ^#?PASS_MAX_DAYS
      line: "PASS_MAX_DAYS {{ rhel7stig_login_defaults.pass_max_days | default('60') }}"
      mode: 0644
  when:
      - rhel_07_010250
  tags:
      - RHEL-07-010250
      - CAT2
      - CCI-000199
      - SRG-OS-000076-GPOS-00044
      - SV-204420r603261_rule
      - V-204420
      - login

- name: "MEDIUM | RHEL-07-010260 | The Red Hat Enterprise Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime."
  block:
      - name: "MEDIUM | RHEL-07-010260 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime."
        ansible.builtin.shell: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $5 > 60 {print $1}' /etc/shadow"
        check_mode: false
        changed_when: false
        register: rhel_07_010260_audit

      - name: "MEDIUM | RHEL-07-010260 | PATCH | Reset password timeout to prevent locking out user."
        ansible.builtin.shell: chage -d '-1 day' {{ item }}
        check_mode: "{{ rhel7stig_disruptive_check_mode }}"
        with_items:
            - "{{ rhel_07_010260_audit.stdout_lines }}"

      - name: "MEDIUM | RHEL-07-010260 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that existing passwords are restricted to a 60-day maximum lifetime."
        ansible.builtin.shell: "chage -M 60 {{ item }}"
        check_mode: "{{ rhel7stig_disruptive_check_mode }}"
        with_items:
            - "{{ rhel_07_010260_audit.stdout_lines }}"
  when:
      - rhel_07_010260
      - rhel7stig_disruptive
  tags:
      - RHEL-07-010260
      - CAT2
      - CCI-000199
      - SRG-OS-000076-GPOS-00044
      - SV-204421r603261_rule
      - V-204421
      - disruption-high
      - password

- name: "MEDIUM | RHEL-07-010270 | The Red Hat Enterprise Linux operating system must be configured so that passwords are prohibited from reuse for a minimum of five generations."
  block:
      - name: "MEDIUM | RHEL-07-010270 | PATCH | Ensure pam_pwhistory rule exists | system-auth"
        community.general.pamd:
            name: system-auth
            state: before
            type: password
            control: requisite
            module_path: pam_pwquality.so
            new_type: password
            new_control: requisite
            new_module_path: pam_pwhistory.so
            module_arguments:
                - remember={{ rhel7stig_pam_pwhistory.remember | default(5) }}
                - retry={{ rhel7stig_pam_pwhistory.retries | default(3) }}

      - name: "MEDIUM | RHEL-07-010270 | PATCH | Ensure pam_pwhistory module arguments are set | password-auth"
        community.general.pamd:
            name: password-auth
            state: updated
            type: password
            control: requisite
            module_path: pam_pwhistory.so
            module_arguments:
                - use_authtok
                - remember={{ rhel7stig_pam_pwhistory.remember | default(5) }}
                - retry={{ rhel7stig_pam_pwhistory.retries | default(3) }}
  when:
      - not rhel_07_010199  # 010199 uses template that is compliant already
      - rhel_07_010270
  tags:
      - RHEL-07-010270
      - CAT2
      - CCI-000200
      - SRG-OS-000077-GPOS-00045
      - SV-204422r917818_rule
      - V-204422
      - pamd

- name: "MEDIUM | AUDIT | RHEL-07-010271 | The Red Hat Enterprise Linux operating system must automatically expire temporary accounts within 72 hours."
  ansible.builtin.debug:
      msg:
          - "Warning!! Verify every existing emergency account and make sure it has an expiration date set within 72 hours."
  when:
      - rhel_07_010271
  tags:
      - RHEL-07-010271
      - CAT2
      - CCI-001682
      - SRG-OS-000123-GPOS-00064
      - SV-254523r903130_rule
      - V-254523

- name: "MEDIUM | RHEL-07-010280 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that passwords are a minimum of 15 characters in length."
  ansible.builtin.lineinfile:
      create: true
      dest: /etc/security/pwquality.conf
      regexp: '^#?\s*minlen'
      line: "minlen = {{ rhel7stig_password_complexity.minlen | default('15') }}"
      mode: 0644
  when:
      - rhel_07_010280
  tags:
      - RHEL-07-010280
      - CAT2
      - CCI-000205
      - SRG-OS-000078-GPOS-00046
      - SV-204423r603261_rule
      - V-204423
      - pwquality

- name: "MEDIUM | RHEL-07-010310 | PATCH | The Red Hat Enterprise Linux operating system must disable account identifiers (individuals, groups, roles, and devices) if the password expires."
  ansible.builtin.lineinfile:
      path: /etc/default/useradd
      regexp: ^#?INACTIVE
      line: INACTIVE=35
  when:
      - rhel_07_010310
  tags:
      - RHEL-07-010310
      - CAT2
      - CCI-000795
      - SRG-OS-000118-GPOS-00060
      - SV-204426r809190_rule
      - V-204426
      - accounts

- name: |
    "MEDIUM | RHEL-07-010320 | The Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe."
    "MEDIUM | RHEL-07-010330 | The Red Hat Enterprise Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period."
  block:
      - name: |
          "MEDIUM | RHEL-07-010320 | PATCH | The Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe."
          "MEDIUM | RHEL-07-010330 | PATCH | The Red Hat Enterprise Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period."
        community.general.pamd:
            name: "{{ item }}"
            state: before
            type: auth
            control: sufficient
            module_path: pam_unix.so
            new_type: auth
            new_control: required
            new_module_path: pam_faillock.so
        with_items:
            - "system-auth"
            - "password-auth"

      # TODO: Remove temporary audit check to determine if the following pamd module task needs to be run since the module is not idempotent
      #  - name: |
      #      "MEDIUM | RHEL-07-010320 | AUDIT | Check for existing account lockout settings"
      #      "MEDIUM | RHEL-07-010330 | AUDIT | Check for existing account lockout settings"
      #    ansible.builtin.shell: "grep -iE '^auth\\s+required\\s+pam_faillock.so\\s+preauth\\s+silent\\s+audit\\s+deny={{ rhel7stig_pam_faillock.attempts }}{{ (rhel7stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel7stig_pam_faillock.interval }}\\s+unlock_time={{ rhel7stig_pam_faillock.unlock_time }}$' /etc/pam.d/{{ item }}"
      #    check_mode: no
      #    changed_when: no
      #    failed_when: rhel_07_010320_010330_preauth_audit.rc > 1
      #    register: rhel_07_010320_010330_preauth_audit
      #    with_items:
      #        - "system-auth"
      #        - "password-auth"

      # TODO: Once the pamd module is fixed (either args_present or updated) then remove the previous grep task and update the following.
      - name: |
          "MEDIUM | RHEL-07-010320 | PATCH | The Red Hat Enterprise Linux operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe."
          "MEDIUM | RHEL-07-010330 | PATCH | The Red Hat Enterprise Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period."
        community.general.pamd:
            name: "{{ item }}"
            state: updated
            type: auth
            control: required
            module_path: pam_faillock.so
            module_arguments: "preauth silent audit deny={{ rhel7stig_pam_faillock.attempts }}{{ (rhel7stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel7stig_pam_faillock.interval }} unlock_time={{ rhel7stig_pam_faillock.unlock_time }}"
        with_items:
            - "system-auth"
            - "password-auth"

      - name: "MEDIUM | RHEL-07-010330 | PATCH | The Red Hat Enterprise Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period."
        community.general.pamd:
            name: "{{ item }}"
            state: before
            type: auth
            control: required
            module_path: pam_deny.so
            new_type: auth
            new_control: "[default=die]"
            new_module_path: pam_faillock.so
        with_items:
            - "system-auth"
            - "password-auth"

      # TODO: Remove temporary audit check to determine if the following pamd module task needs to be run since the module is not idempotent
      # - name: "MEDIUM | RHEL-07-010330 | AUDIT | Check for existing account lockout settings"
      #  ansible.builtin.shell: "grep -iE '^auth\\s+\\[default=die\\]\\s+pam_faillock.so\\s+authfail\\s+audit\\s+deny={{ rhel7stig_pam_faillock.attempts }}{{ (rhel7stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel7stig_pam_faillock.interval }}\\s+unlock_time={{ rhel7stig_pam_faillock.unlock_time }}$' /etc/pam.d/{{ item }}"
      #  check_mode: no
      #  changed_when: no
      #  failed_when: rhel_07_010330_authfail_audit.rc > 1
      #  register: rhel_07_010330_authfail_audit
      #  with_items:
      #  - "system-auth"
      #  - "password-auth"

      # TODO: Once the pamd module is fixed (either args_present or updated) then remove the previous grep task and update the following.
      - name: "MEDIUM | RHEL-07-010330 | PATCH | The Red Hat Enterprise Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period."
        community.general.pamd:
            name: "{{ item }}"
            state: updated
            type: auth
            control: "[default=die]"
            module_path: pam_faillock.so
            module_arguments: "authfail audit deny={{ rhel7stig_pam_faillock.attempts }}{{ (rhel7stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel7stig_pam_faillock.interval }} unlock_time={{ rhel7stig_pam_faillock.unlock_time }}"
        with_items:
            - "system-auth"
            - "password-auth"
      # when: item.rc == 1

      - name: "MEDIUM | RHEL-07-010330 | PATCH | The Red Hat Enterprise Linux operating system must lock the associated account after three unsuccessful root logon attempts are made within a 15-minute period."
        community.general.pamd:
            name: "{{ item }}"
            state: before
            type: account
            control: required
            module_path: pam_unix.so
            new_type: account
            new_control: required
            new_module_path: pam_faillock.so
        with_items:
            - "system-auth"
            - "password-auth"
  when:
      - not rhel_07_010199  # 010199 uses template that is compliant already
      - rhel_07_010320 or
        rhel_07_010330
  tags:
      - CAT2
      - RHEL-07-010320
      - CCI-000044
      - CCI-002236
      - CCI-002237
      - CCI-002238
      - SRG-OS-000329-GPOS-00128
      - SV-204427r880842_rule
      - V-204427
      - RHEL-07-010330
      - CCI-002238
      - SV-204428r880845_rule
      - V-204428
      - pamd

- name: "MEDIUM | RHEL-07-010339 | PATCH | The Red Hat Enterprise Linux operating system must specify the default 'include' directory for the /etc/sudoers file."
  ansible.builtin.lineinfile:
      path: /etc/sudoers
      regex: '^#includedir'
      line: '#includedir /etc/sudoers.d'
      validate: '/usr/sbin/visudo -cf %s'
  when:
      - rhel_07_010339
  tags:
      - RHEL-07-010339
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-251703r833183_rule
      - V-251703
      - sudoers

- name: "MEDIUM | RHEL-07-010340 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that users must provide a password for privilege escalation."
  ansible.builtin.replace:
      path: "{{ item }}"
      regexp: '^([^#].*)NOPASSWD(.*)'
      replace: '\1PASSWD\2'
      validate: '/usr/sbin/visudo -cf %s'
  with_items:
      - "{{ rhel7stig_sudoers_files.stdout_lines }}"
  when:
      - rhel7stig_using_password_auth
      - rhel7stig_disruption_high
      - rhel_07_010340
  tags:
      - RHEL-07-010340
      - CAT2
      - CCI-002038
      - SRG-OS-000373-GPOS-00156
      - SV-204429r833190_rule
      - V-204429
      - sudoers

- name: "MEDIUM | RHEL-07-010344 | PATCH | The Red Hat Enterprise Linux operating system must not be configured to bypass password requirements for privilege escalation."
  ansible.builtin.lineinfile:
      path: /etc/pam.d/sudo
      regex: 'pam_succeed_if'
      state: absent
  when:
      - rhel_07_010344
  tags:
      - RHEL-07-010344
      - CAT2
      - CCI-002038
      - SRG-OS-000373-GPOS-00156
      - SV-251704r809568_rule
      - V-251704

- name: "MEDIUM | RHEL-07-010350 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that users must re-authenticate for privilege escalation."
  ansible.builtin.replace:
      path: "{{ item }}"
      regexp: '^([^#].*)!authenticate(.*)'
      replace: '\1authenticate\2'
      validate: '/usr/sbin/visudo -cf %s'
  with_items: "{{ rhel7stig_sudoers_files.stdout_lines }}"
  when:
      - rhel_07_010350
      - not ansible_distribution == "OracleLinux"
  tags:
      - RHEL-07-010350
      - CAT2
      - CCI-002038
      - SRG-OS-000373-GPOS-00156
      - SV-204430r603261_rule
      - V-204430
      - sudoers

- name: "MEDIUM | RHEL-07-010430 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the delay between logon prompts following a failed console logon attempt is at least four seconds."
  ansible.builtin.lineinfile:
      path: /etc/login.defs
      regexp: ^#?FAIL_DELAY
      line: "FAIL_DELAY {{ rhel7stig_login_defaults.fail_delay_secs | default('4') }}"
  when:
      - rhel_07_010430
  tags:
      - RHEL-07-010430
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00226
      - SV-204431r603261_rule
      - V-204431
      - login

- name: "MEDIUM | RHEL-07-010460 | PATCH | The Red Hat Enterprise Linux operating system must not allow users to override SSH environment variables."
  ansible.builtin.lineinfile:
      path: /etc/ssh/sshd_config
      regexp: "(?i)^#?PermitUserEnvironment"
      line: PermitUserEnvironment no
      validate: /usr/sbin/sshd -t -f %s
  notify: restart sshd
  when:
      - rhel_07_010460
      - rhel7stig_ssh_required
  tags:
      - RHEL-07-010460
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00229
      - SV-204434r603261_rule
      - V-204434
      - ssh

- name: "MEDIUM | RHEL-07-010470 | PATCH | The Red Hat Enterprise Linux operating system must not allow a non-certificate trusted host SSH logon to the system."
  ansible.builtin.lineinfile:
      path: /etc/ssh/sshd_config
      regexp: "(?i)^#?HostbasedAuthentication"
      line: HostbasedAuthentication no
      validate: /usr/sbin/sshd -t -f %s
  notify: restart sshd
  when:
      - rhel7stig_ssh_required
  tags:
      - RHEL-07-010470
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00229
      - SV-204435r603261_rule
      - V-204435
      - ssh

# TODO: A user can still override the authentication requirement for single user mode in a couple ways that the STIG misses.
# This fix block does not check for those methods. i.e.
# User can override the rescue.service unit by placing a copy at /etc/systemd/system/rescue.service
# User can override some settings of the rescue.service unit by placing the overridden lines in /etc/systemd/system/rescue.service.d/override.conf
# Additionally the user can provide the -e or --force options to /usr/sbin/sulogin which will provide a root shell without password if the
# password file is inaccessbile or the root password is non-existent, LOCKED, or damaged.
- name: "MEDIUM | RHEL-07-010481 | The Red Hat Enterprise Linux operating system must require authentication upon booting into single-user and maintenance modes."
  block:
      - name: "MEDIUM | RHEL-07-010481 | PATCH | Check if the packaged rescue.service file was edited directly"
        ansible.builtin.shell: "cat /usr/lib/systemd/system/rescue.service | grep 'ExecStart=.*/usr/sbin/sulogin'"
        changed_when: false
        failed_when: false
        check_mode: false
        register: systemd_rescue_unit_check

      - name: "MEDIUM | RHEL-07-010481 | PATCH | Force reinstall systemd package to replace edited /usr/lib/systemd/system/rescue.service"
        ansible.builtin.shell: yum -y reinstall systemd
        when: systemd_rescue_unit_check.rc == 1
  when:
      - rhel_07_010481
  tags:
      - RHEL-07-010481
      - CAT2
      - CCI-000213
      - SRG-OS-000080-GPOS-00048
      - SV-204437r603261_rule
      - V-204437
      - rescue

- name: |
      "MEDIUM | RHEL-07-010483 | PATCH | Red Hat Enterprise Linux operating systems version 7.2 or newer booted with a BIOS must have a unique name for the grub superusers account when booting into single-user and maintenance modes."
      "MEDIUM | RHEL-07-010492 | PATCH | Red Hat Enterprise Linux operating systems version 7.2 or newer booted with Unified Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance."
  block:
      - name: "MEDIUM | RHEL-07-010483 | PATCH | Red Hat Enterprise Linux operating systems version 7.2 or newer booted with a BIOS must have a unique name for the grub superusers account when booting into single-user and maintenance modes. | Set grub unique name BIOS"
        ansible.builtin.lineinfile:
            path: /etc/grub.d/01_users
            regexp: "{{ item.regexp }}"
            line: "{{ item.line }}"
        notify:
            - make grub2 config
        with_items:
            - { regexp: '^\s*set superusers=', line: '    set superusers="{{ rhel7stig_grub_superusers }}"' }
            - { regexp: '^\s*export superusers', line: '    export superusers'}
            - { regexp: '^\s*password_pbkdf2', line: '    password_pbkdf2 {{ rhel7stig_grub_superusers }} \${GRUB2_PASSWORD}' }
        when: rhel7stig_legacy_boot

      - name: "MEDIUM | RHEL-07-010492 | PATCH | Red Hat Enterprise Linux operating systems version 7.2 or newer booted with Unified Extensible Firmware Interface (UEFI) must have a unique name for the grub superusers account when booting into single-user mode and maintenance. | Set grub unique name UEFI"
        ansible.builtin.lineinfile:
            path: "{{ rhel7stig_bootloader_path }}/grub.cfg"
            regexp: "{{ item.regexp }}"
            line: "{{ item.line }}"
        notify:
            - make grub2 config
        with_items:
            - { regexp: '^\s*set superusers=', line: '    set superusers="{{ rhel7stig_grub_superusers }}"' }
            - { regexp: '^\s*export superusers', line: '    export superusers' }
            - { regexp: '^\s*password_pbkdf2', line: '    password_pbkdf2 {{ rhel7stig_grub_superusers }} \${GRUB2_PASSWORD}' }
        when: not rhel7stig_legacy_boot
  when:
      - rhel_07_010483 or
        rhel_07_010492
  tags:
      - RHEL-07-010483
      - CAT2
      - CCI-000213
      - SRG-OS-000080-GPOS-00048
      - SV-244557r833185_rule
      - V-244557
      - RHEL-07-010492
      - SV-244558r833187_rule
      - V-244558
      - grub
      - bootloader

- name: "MEDIUM | RHEL-07-010500 | PATCH | The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication."
  block:
      # This task checks to test if pamd is enabled for pkcs11
      - name: MEDIUM | RHEL-07-010500 | PATCH | The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.
        ansible.builtin.shell: authconfig --test | grep "pam_pkcs11 is enabled"
        register: rhel_07_010500pkcs11output

      # This task gathers output so we can test if smartcard removal action is enabled
      - name: MEDIUM | RHEL-07-010500 | PATCH | The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.
        ansible.builtin.shell: authconfig --test | grep "smartcard removal action"
        register: rhel_07_010500scremovaloutput

      # This task gathers output so we can test if smartcard module is enabled
      - name: MEDIUM | RHEL-07-010500 | PATCH | The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.
        ansible.builtin.shell: authconfig --test | grep "smartcard module"
        register: rhel_07_010500scenabledoutput

      # This is to remediate if pam_pkcs11 is not installed.
      - name: MEDIUM | RHEL-07-010500 | PATCH | The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.
        ansible.builtin.package:
            name: "{{ item }}"
            state: present
            with_items:
                - pam_pkcs11
                - pcsc-lite-libs
        vars:
            ansible_python_interpreter: "{{ python2_bin }}"
        register: rhel_07_010500pkcs11install
        when:
            - rhel_07_010500pkcs11output.stdout != 'pam_pkcs11 is enabled'

      # This task will remediate the smartcard login setting
      - name: MEDIUM | RHEL-07-010500 | PATCH | The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.
        ansible.builtin.shell: authconfig --enablesmartcard --smartcardaction=0 --update
        when:
            - rhel_07_010500scenabledoutput.stdout == ' smartcard module = \"\"' or rhel_07_010500scremovaloutput.stdout == ' smartcard removal action = \"\"'

      # This task will remediate the smartcard login setting
      - name: MEDIUM | RHEL-07-010500 | PATCH | The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.
        ansible.builtin.shell: authconfig --enablerequiresmartcard --update
        when: rhel_07_010500scenabledoutput.stdout == ' smartcard module = \"\"' or rhel_07_010500scremovaloutput.stdout == ' smartcard removal action = \"\"'

      # This remediates the screensaver settings for smartcard authentication
      - name: MEDIUM | RHEL-07-010500 | PATCH | The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.
        ansible.builtin.lineinfile:
            create: true
            dest: /etc/pam_pkcs11/pkcs11_eventmgr.conf
            regexp: '^#?/usr/X11R6/bin/xscreensaver-command -lock'
            line: "/usr/X11R6/bin/xscreensaver-command -lock"
            mode: 0644

      # This remediates the pam_pkcs11.conf file to enforce the cackey usage for smartcard authentication
      ### NOTE:  If you have custom rules for /etc/pam_pkcs11/pam_pkcs11.conf then change the template pam_pkcs11.conf.j2
      - name: MEDIUM | RHEL-07-010500 | PATCH | The Red Hat Enterprise Linux operating system must uniquely identify and must authenticate organizational users (or processes acting on behalf of organizational users) using multifactor authentication.
        ansible.builtin.template:  # noqa: no-handler
            src: pam_pkcs11.conf.j2
            dest: /etc/pam_pkcs11/pam_pkcs11.conf
            owner: root
            group: root
            mode: 0644
        when:
            - rhel_07_010500pkcs11install is changed
  when:
      - rhel_07_010500
      - rhel7stig_gui
      - rhel7stig_smartcard
  tags:
      - RHEL-07-010500
      - CAT2
      - CCI-000766
      - SRG-OS-000104-GPOS-00051
      - SV-204441r818813_rule
      - V-204441
      - authentication

# ##############################
# #########   20000  ###########
# ##############################

# This control should be manually implemented
- name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures."
  block:
      - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Get SELinux authorized users"
        ansible.builtin.shell: semanage login -l
        changed_when: false
        failed_when: false
        register: rhel_07_020020_sel_auth_users

      - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Show SELinux authorized users"
        ansible.builtin.debug:
            msg:
                - "Warning!! Below is your SELinux user/group list. Please review and make sure all of the following are met:"
                - "1) All administrators are mapped to staff_u or an appropriately tailored confined SELinux user as defined by the organization"
                - "2) All authorized non-administrative users must be mapped to the user_u SELinux user"
                - "{{ rhel_07_020020_sel_auth_users.stdout_lines }}"
        when: rhel_07_020020_sel_auth_users.stdout | length > 0

      - name: "MEDIUM | RHEL-07-020020 | AUDIT | The Red Hat Enterprise Linux operating system must prevent non-privileged users from executing privileged functions to include disabling, circumventing, or altering implemented security safeguards/countermeasures. | Warn that semanage is not installed"
        ansible.builtin.debug:
            msg:
                - "Warning!! You do not have semanage installed! Please installed the needed packages"
        when: "'command not found' in rhel_07_020020_sel_auth_users.stderr"
  when:
      - rhel_07_020020
  tags:
      - RHEL-07-020020
      - CAT2
      - CCI-002235
      - CCI-002165
      - SRG-OS-000324-GPOS-00125
      - SV-204444r754744_rule
      - V-204444

- name: "MEDIUM | RHEL-07-020028 | PATCH | The Red Hat Enterprise Linux operating system must be configured to allow sending email notifications of configuration changes and adverse events to designated personnel."
  ansible.builtin.package:
      name: mailx
      state: present
  notify: "{{ rhel7stig_aide_handler }}"
  when:
      - rhel_07_020028
      - "'mailx' not in ansible_facts.packages"
  tags:
      - RHEL-07-020028
      - CAT2
      - CCI-001744
      - SRG-OS-000363-GPOS-00150
      - SV-256970r902696_rule
      - V-256970
      - mailx

- name: "MEDIUM | RHEL-07-020029 | PATCH | The Red Hat Enterprise Linux operating system must use a file integrity tool to verify correct operation of all security functions."
  ansible.builtin.package:
      name: aide
      state: present
  notify: "{{ rhel7stig_aide_handler }}"
  when:
      - rhel_07_020029
      - "'aide' not in ansible_facts.packages"
  tags:
      - RHEL-07-020029
      - CAT2
      - CCI-002696
      - SRG-OS-000445-GPOS-00199
      - SV-251705r880854_rule
      - V-251705
      - aide

- name: |
    "MEDIUM | RHEL-07-020030 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that a file integrity tool verifies the baseline operating system configuration at least weekly."
    "MEDIUM | RHEL-07-020040 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that designated personnel are notified if baseline configurations are changed in an unauthorized manner."
  ansible.builtin.cron:
      name: 'Run AIDE integrity check {{ rhel7stig_aide_cron.special_time }}'
      user: "{{ rhel7stig_aide_cron.user }}"
      cron_file: "{{ rhel7stig_aide_cron.cron_file }}"
      job: "{{ rhel7stig_aide_cron.job + ((rhel7stig_aide_cron.notify_by_mail) | ternary(rhel7stig_aide_cron.notify_cmd,'')) }}"
      minute: "{{ rhel7stig_aide_cron.minute | default((rhel7stig_cron_special_disable and
              rhel7stig_aide_cron.special_time in ['hourly', 'daily', 'weekly', 'monthly']) |
              ternary('0', omit)) | default(omit) }}"
      hour: "{{ rhel7stig_aide_cron.hour | default((rhel7stig_cron_special_disable and
            rhel7stig_aide_cron.special_time in ['daily', 'weekly', 'monthly']) |
            ternary('0', omit)) | default(omit) }}"
      weekday: "{{ rhel7stig_aide_cron.weekday | default((rhel7stig_cron_special_disable and
                rhel7stig_aide_cron.special_time in ['weekly']) |
                ternary('0', omit)) | default(omit) }}"
      day: "{{ rhel7stig_aide_cron.day | default((rhel7stig_cron_special_disable and
            rhel7stig_aide_cron.special_time in ['monthly']) |
            ternary('1', omit)) | default(omit) }}"
      special_time: "{{ (rhel7stig_cron_special_disable and
                    rhel7stig_aide_cron.special_time in ['hourly', 'daily', 'weekly', 'monthly']) |
                    ternary(omit, rhel7stig_aide_cron.special_time) }}"
  when:
      - rhel_07_020028  ## Required as per benchmark
      - rhel_07_020030 or
        rhel_07_020040
  tags:
      - CAT2
      - RHEL-07-020030
      - CCI-001744
      - SRG-OS-000363-GPOS-00150
      - SV-204445r880848_rule
      - V-204445
      - RHEL-07-020040
      - SRG-OS-000363-GPOS-00150
      - SV-204446r880851_rule
      - V-204446
      - aide

- name: "MEDIUM | RHEL-07-020100 | PATCH | The Red Hat Enterprise Linux operating system must be configured to disable USB mass storage."
  ansible.builtin.lineinfile:
      path: "{{ item.file }}"
      regexp: "{{ item.regexp }}"
      line: "{{ item.line }}"
      insertafter: "{{ item.insertafter }}"
      create: true
      owner: root
      group: root
      mode: "0644"
  with_items:
      - file: /etc/modprobe.d/blacklist.conf
        insertafter: "^#blacklist usb-storage(\\s+|$)"
        regexp: "^install usb-storage(\\s+|$)"
        line: 'blacklist usb-storage'
      - file: /etc/modprobe.d/usb-storage.conf
        insertafter: "^#install usb-storage"
        regexp: "^install usb-storage"
        line: install usb-storage /bin/true
  when:
      - rhel_07_020100
  tags:
      - RHEL-07-020100
      - CAT2
      - CCI-001958
      - CCI-000778
      - CCI-000366
      - SRG-OS-000114-GPOS-00059
      - SV-204449r603261_rule
      - V-204449
      - usb_devices

- name: "MEDIUM | RHEL-07-020101 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the Datagram Congestion Control Protocol (DCCP) kernel module is disabled unless required."
  ansible.builtin.lineinfile:
      path: "{{ item.file }}"
      regexp: "{{ item.regexp }}"
      line: "{{ item.line }}"
      insertafter: "{{ item.insertafter }}"
      create: true
      owner: root
      group: root
      mode: "0644"
  with_items:
      - file: /etc/modprobe.d/blacklist.conf
        insertafter: ^#blacklist dccp
        regexp: ^blacklist dccp(\s+|$)
        line: blacklist dccp
      - file: /etc/modprobe.d/dccp.conf
        insertafter: ^#install dccp
        regexp: "^install dccp "
        line: install dccp /bin/true
  when:
      - rhel_07_020101
  tags:
      - RHEL-07-020101
      - CAT2
      - CCI-001958
      - SRG-OS-000378-GPOS-00163
      - SV-204450r603261_rule
      - V-204450
      - dccp

- name: "MEDIUM | RHEL-07-020110 | PATCH | The Red Hat Enterprise Linux operating system must disable the file system automounter unless required."
  block:
      - name: "MEDIUM | RHEL-07-020110 | PATCH | The Red Hat Enterprise Linux operating system must disable the file system automounter unless required."
        ansible.builtin.shell: "systemctl show autofs | grep LoadState | cut -d = -f 2"
        changed_when: false
        check_mode: false
        register: rhel_07_020110_autofs_service_status

      - name: "MEDIUM | RHEL-07-020110 | PATCH | The Red Hat Enterprise Linux operating system must disable the file system automounter unless required."
        ansible.builtin.service:
            name: autofs
            enabled: false
            state: stopped
        when:
            - rhel_07_020110_autofs_service_status.stdout == "loaded"
            - not rhel7stig_autofs_required
  when:
      - rhel_07_020110
  tags:
      - RHEL-07-020110
      - CAT2
      - CCI-001958
      - CCI-000366
      - CCI-000778
      - SRG-OS-000114-GPOS-00059
      - SV-204451r603261_rule
      - V-204451
      - mount

- name: |
    "MEDIUM | RHEL-07-020210 | PATCH | The Red Hat Enterprise Linux operating system must enable SELinux."
    "MEDIUM | RHEL-07-020220 | PATCH | The Red Hat Enterprise Linux operating system must enable SELinux targeted policy."
  selinux:
      state: enforcing
      policy: targeted
  check_mode: "{{ ansible_check_mode or rhel7stig_system_is_chroot }}"
  when:
      - rhel_07_020210 or
        rhel_07_020220
      - not rhel7stig_system_is_container
  tags:
      - CAT2
      - RHEL-07-020210
      - CCI-002696
      - CCI-002165
      - SRG-OS-000445-GPOS-00199
      - SV-204453r754746_rule
      - V-204453
      - RHEL-07-020220
      - SV-204454r754748_rule
      - V-204454
      - selinux

- name: "MEDIUM | RHEL-07-020240 | PATCH | The Red Hat Enterprise Linux operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files."
  ansible.builtin.lineinfile:
      path: /etc/login.defs
      regexp: ^#?UMASK
      line: "UMASK {{ rhel7stig_login_defaults.umask | default('077') }}"
  when:
      - rhel_07_020240
  tags:
      - RHEL-07-020240
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00228
      - SV-204457r603261_rule
      - V-204457
      - login
      - umask

- name: "MEDIUM | RHEL-07-020260 | The Red Hat Enterprise Linux operating system security patches and updates must be installed and up to date."
  ansible.builtin.package:
      name: '*'
      state: latest
  vars:
      ansible_python_interpreter: "{{ python2_bin }}"
  when:
      - rhel_07_020260
  tags:
      - RHEL-07-020260
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204459r603261_rule
      - V-204459
      - packaging

- name: "MEDIUM | RHEL-07-020270 | AUDIT | The Red Hat Enterprise Linux operating system must not have unnecessary accounts."
  block:
      - name: "MEDIUM | RHEL-07-020270 | AUDIT | The Red Hat Enterprise Linux operating system must not have unnecessary accounts."
        ansible.builtin.shell: "grep '^{{ item }}:' /etc/passwd"
        check_mode: false
        failed_when: rhel_07_020270_audit.rc > 1
        changed_when: rhel_07_020270_audit.rc == 0
        register: rhel_07_020270_audit
        with_items:
            - "{{ rhel7stig_unnecessary_accounts }}"

      - name: "MEDIUM | RHEL-07-020270 | PATCH | The Red Hat Enterprise Linux operating system must not have unnecessary accounts."
        ansible.builtin.user:
            name: "{{ item }}"
            state: absent
            remove: "{{ rhel7stig_remove_unnecessary_user_files }}"
        register: rhel_07_020270_patch
        with_items:
            - "{{ rhel7stig_unnecessary_accounts }}"

      - name: "MEDIUM | RHEL-07-020270 | AUDIT | Re-parse /etc/passwd since it changed."
        include_tasks: parse_etc_passwd.yml  # noqa: no-handler
        vars:
            rhel7stig_passwd_tasks: "RHEL-07-020270"
        when: rhel_07_020270_patch is changed
  when:
      - rhel_07_020270
  tags:
      - RHEL-07-020270
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204460r603261_rule
      - V-204460
      - accounts

- name: "MEDIUM | RHEL-07-020320 | The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid owner."
  block:
      - name: "MEDIUM | RHEL-07-020320 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid owner."
        ansible.builtin.shell: find "{{ item.mount }}" -xdev -nouser
        check_mode: false
        failed_when: false
        changed_when: false
        register: rhel_07_020320_audit
        with_items:
            - "{{ ansible_mounts }}"
        when: item['device'].startswith('/dev') and not 'bind' in item['options']

      - name: "MEDIUM | RHEL-07-020320 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid owner."
        ansible.builtin.debug:
            msg: "Warning!! Manual intervention is required -- missing owner on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}"
        changed_when: rhel7stig_audit_complex
        with_items:
            - "{{ rhel_07_020320_audit.results }}"
        when:
            - item.stdout_lines is defined
            - item.stdout_lines | length > 0
  when:
      - rhel_07_020320
      - rhel7stig_complex
  tags:
      - RHEL-07-020320
      - CAT2
      - CCI-002165
      - SRG-OS-000480-GPOS-00227
      - SV-204463r603261_rule
      - V-204463
      - complexity-high

- name: "MEDIUM | RHEL-07-020330 | The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner."
  block:
      - name: "MEDIUM | RHEL-07-020330 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner."
        ansible.builtin.shell: find "{{ item.mount }}" -xdev -nogroup
        check_mode: false
        failed_when: false
        changed_when: false
        register: rhel_07_020330_audit
        with_items:
            - "{{ ansible_mounts }}"
        when: item['device'].startswith('/dev') and not 'bind' in item['options']

      - name: "MEDIUM | RHEL-07-020330 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all files and directories have a valid group owner."
        ansible.builtin.debug:
            msg: "Warning!! Manual intervention is required -- missing group on items in {{ item.item.mount }}: {{ item.stdout_lines | join(', ') }}"
        changed_when: rhel7stig_audit_complex
        with_items:
            - "{{ rhel_07_020330_audit.results }}"
        when:
            - item.stdout_lines is defined
            - item.stdout_lines | length > 0
  when:
      - rhel_07_020330
      - rhel7stig_complex
  tags:
      - RHEL-07-020330
      - CAT2
      - CCI-002165
      - SRG-OS-000480-GPOS-00227
      - SV-204464r603261_rule
      - V-204464
      - complexity-high

- name: "MEDIUM | RHEL-07-020610 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user accounts, upon creation, are assigned a home directory."
  ansible.builtin.lineinfile:
      path: /etc/login.defs
      regexp: ^#?CREATE_HOME
      line: "CREATE_HOME {{ rhel7stig_login_defaults.create_home | default('yes') }}"
  when:
      - rhel_07_020610
  tags:
      - RHEL-07-020610
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204466r603261_rule
      - V-204466
      - login
      - home

- name: "MEDIUM | RHEL-07-020620 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are defined in the /etc/passwd file."
  ansible.builtin.file:
      path: "{{ item.dir }}"
      state: directory
      mode: 0700
  with_items:
      - "{{ rhel7stig_passwd }}"
  loop_control:
      label: "{{ rhel7stig_passwd_label }}"
  when:
      - rhel_07_020620
      - rhel7stig_interactive_uid_start | int <= item.uid
  tags:
      - RHEL-07-020620
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204467r603826_rule
      - V-204467
      - users

- name: "MEDIUM | RHEL-07-020630 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories have mode 0750 or less permissive."
  ansible.builtin.file:
      path: "{{ item.dir }}"
      mode: "{{ rhel7stig_homedir_mode }}"
      state: directory
  with_items:
      - "{{ rhel7stig_passwd }}"
  loop_control:
      label: "{{ rhel7stig_passwd_label }}"
  when:
      - rhel_07_020630
      - rhel7stig_interactive_uid_start | int <= item.uid
  tags:
      - RHEL-07-020630
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204468r603828_rule
      - V-204468
      - users

- name: "MEDIUM | RHEL-07-020640 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are owned by their respective users."
  ansible.builtin.file:
      path: "{{ item.dir }}"
      owner: "{{ item.id }}"
      mode: 0700
      state: directory
  with_items:
      - "{{ rhel7stig_passwd }}"
  loop_control:
      label: "{{ rhel7stig_passwd_label }}"
  when:
      - rhel_07_020640
      - rhel7stig_interactive_uid_start | int <= item.uid
  tags:
      - RHEL-07-020640
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204469r603830_rule
      - V-204469
      - users

- name: "MEDIUM | RHEL-07-020650 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user home directories are group-owned by the home directory owners primary group."
  ansible.builtin.file:
      path: "{{ item.dir }}"
      group: "{{ item.gid }}"  # noqa risky-file-permissions
      state: directory
      mode: 0700
  with_items:
      - "{{ rhel7stig_passwd }}"
  loop_control:
      label: "{{ rhel7stig_passwd_label }}"
  when:
      - rhel_07_020650
      - rhel7stig_interactive_uid_start |int <= item.uid
  tags:
      - RHEL-07-020650
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204470r880764_rule
      - V-204470
      - users

- name: "MEDIUM | RHEL-07-020660 | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are owned by the owner of the home directory."
  block:
      - name: "MEDIUM | RHEL-07-020660 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are owned by the owner of the home directory."
        ansible.builtin.shell: "{{ find_command_base }} -print -quit"
        check_mode: false
        changed_when: rhel_07_020660_audit.stdout |length > 0
        register: rhel_07_020660_audit
        with_items: "{{ rhel7stig_passwd }}"
        loop_control:
            label: "{{ rhel7stig_passwd_label }}"
        when: rhel7stig_interactive_uid_start | int <= this_item.uid
        vars:
            this_item: "{{ item }}"

      - name: "MEDIUM | RHEL-07-020660 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are owned by the owner of the home directory."
        ansible.builtin.shell: "{{ find_command_base }} -exec chown {{ this_item.uid }} {} +"
        with_items: "{{ rhel_07_020660_audit.results }}"
        loop_control:
            label: "{{ rhel7stig_passwd_label }}"
        when: item is changed  # noqa: no-handler
        vars:
            this_item: "{{ item.item }}"
  vars:
      find_command_base: 'find "{{ this_item.dir }}" -mindepth 1
            -path "{{ this_item.dir }}/.*" -not -path "{{ this_item.dir }}/.*/*" -type f -o
            -not -user {{ this_item.uid }}'
  when:
      - rhel_07_020660
  tags:
      - RHEL-07-020660
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204471r603261_rule
      - V-204471
      - users

- name: "MEDIUM | RHEL-07-020670 | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member."
  block:
      - name: "MEDIUM | RHEL-07-020670 | AUDIT | Get all GIDs for each user."
        ansible.builtin.shell: id -G "{{ item.id }}"
        check_mode: false
        changed_when: false
        register: rhel_07_all_gid_audit
        with_items:
            - "{{ rhel7stig_passwd }}"
        loop_control:
            label: "{{ rhel7stig_passwd_label }}"

      - name: "MEDIUM | RHEL-07-020670 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member."
        ansible.builtin.shell: "{{ find_command_base }} -print -quit"
        check_mode: false
        changed_when: rhel_07_020670_audit.stdout| length > 0
        register: rhel_07_020670_audit
        with_items:
            - "{{ rhel_07_all_gid_audit.results }}"
        loop_control:
            label: "{{ rhel7stig_passwd_label }}"
        when: this_item.uid >= rhel7stig_int_gid
        vars:
            this_item: "{{ item.item }}"
            this_result: "{{ item }}"

      - name: "MEDIUM | RHEL-07-020670 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member."
        ansible.builtin.shell: "{{ find_command_base }} -exec chgrp {{ this_item.gid }} {} +"
        with_items: "{{ rhel_07_020670_audit.results }}"
        loop_control:
            label: "{{ rhel7stig_passwd_label }}"
        when: item is changed  # noqa: no-handler
        vars:
            this_item: "{{ item.item.item }}"
            this_result: "{{ item.item }}"
  vars:
      find_command_base: 'find "{{ this_item.dir }}" -mindepth 1
              -path "{{ this_item.dir }}/.*" -not -path "{{ this_item.dir }}/.*/*" -type f -o
              -not -group {{ this_result.stdout.split(" ") | join(" -not -group ") }}'
  when:
      - rhel_07_020670
  tags:
      - RHEL-07-020670
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204472r603261_rule
      - V-204472
      - users

- name: "MEDIUM | RHEL-07-020680 | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive."
  block:
      - name: "MEDIUM | RHEL-07-020680 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive."
        ansible.builtin.stat:
            path: "{{ item }}"
        with_items: "{{ rhel7stig_passwd | selectattr('uid', '>=', rhel7stig_interactive_uid_start | int ) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}"
        register: rhel_07_020680_audit

      - name: "MEDIUM | RHEL-07-020680 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive."
        ansible.builtin.shell: find -H {{ item.0 | quote }} -not -type l -perm /027
        check_mode: false
        changed_when: rhel_07_020680_patch_audit.stdout| length > 0
        register: rhel_07_020680_patch_audit
        with_together:
            - "{{ rhel_07_020680_audit.results | map(attribute='item') | list }}"
            - "{{ rhel_07_020680_audit.results | map(attribute='stat') | list }}"
        loop_control:
            label: "{{ item.0 }}"
        when:
            - ansible_check_mode
            - item.1.exists

      - name: "MEDIUM | RHEL-07-020680 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive."
        ansible.builtin.file:
            path: "{{ item.0 }}"
            recurse: true
            mode: a-st,g-w,o-rwx
        register: rhel_07_020680_patch
        with_together:
            - "{{ rhel_07_020680_audit.results | map(attribute='item') | list }}"
            - "{{ rhel_07_020680_audit.results | map(attribute='stat') | list }}"
        loop_control:
            label: "{{ item.0 }}"
        when:
            - not ansible_check_mode
            - item.1.exists

      # set default ACLs so the homedir has an effective umask of 0027
      - name: "MEDIUM | RHEL-07-020680 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all files and directories contained in local interactive user home directories have a mode of 0750 or less permissive."
        acl:
            path: "{{ item.0 }}"
            default: true
            state: present
            recursive: true
            etype: "{{ item.1.etype }}"
            permissions: "{{ item.1.mode }}"
        with_nested:
            - "{{ (ansible_check_mode | ternary(rhel_07_020680_patch_audit, rhel_07_020680_patch)).results |
              rejectattr('skipped', 'defined') | map(attribute='item') | map('first') | list }}"
            -
                - etype: group
                  mode: rx
                - etype: other
                  mode: '0'
        when: not rhel7stig_system_is_container
  when:
      - rhel_07_020680
  tags:
      - RHEL-07-020680
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204473r603261_rule
      - V-204473
      - permissions

- name: "MEDIUM | RHEL-07-020690 | The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root."
  block:
      - name: "MEDIUM | RHEL-07-020690 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root."
        ansible.builtin.shell: "{{ find_command_base }} -print -quit"
        check_mode: false
        changed_when: rhel_07_020690_audit.stdout | length > 0
        register: rhel_07_020690_audit
        with_items:
            - "{{ rhel7stig_passwd }}"
        loop_control:
            label: "{{ rhel7stig_passwd_label }}"
        when: rhel7stig_interactive_uid_start | int <= this_item.uid
        vars:
            this_item: "{{ item }}"

      - name: "MEDIUM | RHEL-07-020690 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for interactive users are owned by the home directory user or root."
        ansible.builtin.shell: "{{ find_command_base }} -exec chown {{ this_item.uid }} {} +"
        with_items: "{{ rhel_07_020690_audit.results }}"
        loop_control:
            label: "{{ rhel7stig_passwd_label }}"
        when: item is changed  # noqa: no-handler
        vars:
            this_item: "{{ item.item }}"
  vars:
      find_command_base: 'find "{{ this_item.dir }}" -mindepth 1 -type f
              -path "{{ this_item.dir }}/.*" -not -path "{{ this_item.dir }}/.*/*"
              -not -user {{ this_item.uid }} -o -user root'
  when:
      - rhel_07_020690
  tags:
      - RHEL-07-020690
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204474r917821_rule
      - V-204474
      - permissions

- name: "MEDIUM | RHEL-07-020700 | The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for local interactive users are be group-owned by the users primary group or root."
  block:
      - name: "MEDIUM | RHEL-07-020700 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for local interactive users are be group-owned by the users primary group or root."
        ansible.builtin.shell: "{{ find_command_base }} -print -quit"
        check_mode: false
        changed_when: rhel_07_020700_audit.stdout| length > 0
        register: rhel_07_020700_audit
        with_items:
            - "{{ rhel7stig_passwd }}"
        loop_control:
            label: "{{ rhel7stig_passwd_label }}"
        when: rhel7stig_interactive_uid_start | int <= this_item.uid
        vars:
            this_item: "{{ item }}"

      - name: "MEDIUM | RHEL-07-020700 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all local initialization files for local interactive users are be group-owned by the users primary group or root."
        ansible.builtin.shell: "{{ find_command_base }} -exec chgrp {{ this_item.gid }} {} +"
        with_items: "{{ rhel_07_020700_audit.results }}"
        loop_control:
            label: "{{ rhel7stig_passwd_label }}"
        when: item is changed  # noqa: no-handler
        vars:
            this_item: "{{ item.item }}"
  vars:
      find_command_base: 'find "{{ this_item.dir }}" -mindepth 1 -type f
              -path "{{ this_item.dir }}/.*" -not -path "{{ this_item.dir }}/.*/*"
              -not -group {{ this_item.gid }} -o -group root'
  when:
      - rhel_07_020700
  tags:
      - RHEL-07-020700
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204475r917824_rule
      - V-204475
      - permissions

- name: "MEDIUM | RHEL-07-020710 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files must have mode 0740 or less permissive."
  ansible.builtin.file:
      path: "{{ item }}"
      mode: '0740'
      state: touch
  with_items:
      - "{{ rhel_07_stig_interactive_homedir_inifiles }}"
  when:
      - rhel_07_stig_interactive_homedir_inifiles is defined
      - rhel_07_020710
      - rhel7stig_disruption_high
  tags:
      - RHEL-07-020710
      - CAT2
      - CCI-000366
      - SV-204476r917827_rule
      - V-204476
      - complexity-high

- name: "MEDIUM | RHEL-07-020720 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory."
  block:
      - name: "MEDIUM | RHEL-07-020720 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory."
        ansible.builtin.shell: find "{{ item }}" -maxdepth 1 -type f | xargs grep "PATH=" | cut -d':' -f1 | xargs realpath
        with_items: "{{ rhel_07_stig_interactive_homedir_results }}"
        changed_when: false
        failed_when: false
        register: rhel_07_020710_ini_path_grep_list
        when:
            - rhel_07_stig_interactive_homedir_results is defined
            - rhel_07_stig_interactive_homedir_inifiles is defined

      - name: "MEDIUM | RHEL-07-020720 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory."
        ansible.builtin.debug:
            msg: You will need to audit and correct executable paths set in "{{ item }}" to contain only paths that resolve to the user's home directory.
        with_items:
            - "{{ rhel_07_020710_ini_path_grep_list.results | map(attribute='stdout_lines') | list }}"

      - name: "MEDIUM | RHEL-07-020720 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all local interactive user initialization files executable search paths contain only paths that resolve to the users home directory."
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: "^PATH="
            line: "{{ rhel_07_020720_user_path }}"
        with_items:
            - "{{ rhel_07_020710_ini_path_grep_list.results | map(attribute='stdout_lines') | list }}"
        when:
            - rhel7stig_change_user_path
  when:
      - rhel_07_020720
      - rhel7stig_disruption_high
  tags:
      - RHEL-07-020720
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204477r603261_rule
      - V-204477
      - complexity-high

- name: "MEDIUM | RHEL-07-020730 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs."
  block:
      # Let's find any progerams with world-writable permissions.
      - name: "MEDIUM | RHEL-07-020730 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs."
        ansible.builtin.shell: find / -xdev -perm -002 -type f -exec ls -ld {} \; | awk '{print $9}'
        failed_when: false
        changed_when: false
        register: rhel_07_020730_perms_results

      - name: "MEDIUM | RHEL-07-020730 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs."
        include_tasks: audit_homedirinifiles.yml
        loop:
            - "{{ rhel_07_stig_interactive_homedir_inifiles }}"
        loop_control:
            loop_var: ini_item
        when: rhel_07_020730_perms_results.stdout_lines | length > 0

      - name: "MEDIUM | RHEL-07-020730 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that local initialization files do not execute world-writable programs."
        ansible.builtin.file:
            path: "{{ item }}"
            mode: '0755'
            state: touch
        with_items:
            - "{{ rhel_07_020730_perms_results.stdout_lines }}"
        when:
            - rhel_07_020730_perms_results.stdout_lines is defined
            - rhel_07_020730_wwp_change
  when:
      - rhel_07_020730
      - rhel7stig_disruption_high
      - rhel_07_stig_interactive_homedir_inifiles is defined
  tags:
      - RHEL-07-020730
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204478r603261_rule
      - V-204478
      - complexity-high

- name: "MEDIUM | RHEL-07-020900 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification."
  ansible.builtin.setup:
      gather_subset: selinux,!min,!all
      filter: ansible_selinux
  when:
      - rhel_07_020900
      - rhel7stig_complex
      - ansible_selinux is not defined
  tags:
      - RHEL-07-020900
      - CAT2
      - CCI-000368
      - CCI-001813
      - CCI-001814
      - CCI-001812
      - CCI-000318
      - SRG-OS-000480-GPOS-00227
      - SV-204479r603261_rule
      - V-204479
      - complexity-high

- name: "MEDIUM | RHEL-07-020900 | The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification."
  block:
      - name: "MEDIUM | RHEL-07-020900 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification."
        ansible.builtin.shell: find {{ rhel7stig_local_mounts | join(' ') }} -xdev -context *:device_t:* -o -context *:unlabeled_t:* -type c -o -type b -printf '%p %Z\n'
        changed_when: false
        check_mode: false
        register: rhel_07_020900_audit

      - name: "MEDIUM | RHEL-07-020900 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all system device files are correctly labeled to prevent unauthorized modification."
        ansible.builtin.debug:
            msg: "{{ rhel_07_020900_audit.stdout_lines }}"
        changed_when: rhel7stig_audit_complex
        when: rhel_07_020900_audit.stdout_lines | length > 0
  when:
      - rhel_07_020900
      - rhel7stig_complex
      - ansible_selinux.status == "enabled"
  tags:
      - RHEL-07-020900
      - CAT2
      - CCI-000368
      - CCI-001813
      - CCI-001814
      - CCI-001812
      - CCI-000318
      - SRG-OS-000480-GPOS-00227
      - SV-204479r603261_rule
      - V-204479
      - complexity-high

- name: "MEDIUM | RHEL-07-021000 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that file systems containing user home directories are mounted to prevent files with the setuid and setgid bit set from being executed."
  ansible.posix.mount:
      path: /home
      state: mounted
      src: "{{ home_mount.device }}"
      fstype: "{{ home_mount.fstype }}"
      opts: "{{ home_mount.options }},nosuid"
  vars:
      home_mount: "{{ ansible_mounts | json_query('[?mount == `/home`] | [0]') }}"  # noqa: jinja[invalid]
  when:
      - rhel_07_021000
      - ansible_mounts | selectattr('mount', 'match', '^/home$') | list | length != 0
      - "'nosuid' not in home_mount.options"
  tags:
      - RHEL-07-021000
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204480r603838_rule
      - V-204480

- name: "MEDIUM | RHEL-07-021010 | AUDIT | The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media."
  block:
      - name: "MEDIUM | RHEL-07-021010 | AUDIT | The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media."
        ansible.posix.mount:
            path: /media
            state: mounted
            src: "{{ removable_mount.device }}"
            fstype: "{{ removable_mount.fstype }}"
            opts: "{{ removable_mount.options }},nosuid"
        vars:
            removable_mount: "{{ ansible_mounts | json_query('[?mount == `/media`] | [0]') }}"  # noqa: jinja[invalid]
        when:
            - ansible_mounts | selectattr('mount', 'match', '^/media$') | list | length != 0
            - "'nosuid' not in home_mount.options"

      - name: "MEDIUM | RHEL-07-021010 | AUDIT | The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media."
        ansible.posix.mount:
            path: /mnt
            state: mounted
            src: "{{ removable_mount2.device }}"
            fstype: "{{ removable_mount2.fstype }}"
            opts: "{{ removable_mount2.options }},nosuid"
        vars:
            removable_mount2: "{{ ansible_mounts | json_query('[?mount == `/mnt`] | [0]') }}"  # noqa: jinja[invalid]
        when:
            - ansible_mounts | selectattr('mount', 'match', '^/mnt$') | list | length != 0
            - "'nosuid' not in home_mount.options"
  when:
      - rhel_07_021010
      - not (rhel7stig_system_is_chroot and rhel7stig_system_is_container)
  tags:
      - RHEL-07-021010
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204481r603261_rule
      - V-204481

- name: "MEDIUM | RHEL-07-021020 | PATCH | The Red Hat Enterprise Linux operating system must prevent files with the setuid and setgid bit set from being executed on file systems that are being imported via Network File System (NFS)."
  ansible.posix.mount:
      path: "{{ item }}"
      src: "{{ ansible_mounts | json_query(device_query) }}"
      fstype: "{{ ansible_mounts | json_query(fstype_query) }}"
      opts: "{{ ansible_mounts | json_query(options_query) }},nosuid"
      state: mounted
  vars:
      device_query: '[?mount == `{{ item }}`] | [0].device'  # noqa: jinja[invalid]
      fstype_query: '[?mount == `{{ item }}`] | [0].fstype'  # noqa: jinja[invalid]
      options_query: '[?mount == `{{ item }}`] | [0].options'  # noqa: jinja[invalid]
  with_items:
      - "{{ rhel7stig_nfs_mounts }}"
  when:
      - rhel_07_021020
      - "'nosuid' not in (ansible_mounts | json_query(options_query))"
  tags:
      - RHEL-07-021020
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204482r603261_rule
      - V-204482
      - mounts

- name: "MEDIUM | RHEL-07-021021 | PATCH | The Red Hat Enterprise Linux operating system must prevent binary files from being executed on file systems that are being imported via Network File System (NFS)."
  ansible.posix.mount:
      path: "{{ item }}"
      src: "{{ ansible_mounts | json_query(device_query) }}"
      fstype: "{{ ansible_mounts | json_query(fstype_query) }}"
      opts: "{{ ansible_mounts | json_query(options_query) }},noexec"
      state: mounted
  vars:
      device_query: '[?mount == `{{ item }}`] | [0].device'  # noqa: jinja[invalid]
      fstype_query: '[?mount == `{{ item }}`] | [0].fstype'  # noqa: jinja[invalid]
      options_query: '[?mount == `{{ item }}`] | [0].options'  # noqa: jinja[invalid]
  with_items:
      - "{{ rhel7stig_nfs_mounts }}"
  when:
      - rhel_07_021021
      - "'noexec' not in (ansible_mounts | json_query(options_query))"
  tags:
      - RHEL-07-021021
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204483r603261_rule
      - V-204483
      - mounts

- name: "MEDIUM | RHEL-07-021030 | The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group."
  block:
      - name: "MEDIUM | RHEL-07-021030 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group."
        ansible.builtin.shell: find {{ rhel7stig_local_mounts | join(' ') }} -xdev -type d -perm -002 -gid +999
        changed_when: rhel_07_021030_audit.stdout != ""
        check_mode: false
        register: rhel_07_021030_audit

      - name: "MEDIUM | RHEL-07-021030 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are group-owned by root, sys, bin, or an application group."
        ansible.builtin.file:
            path: "{{ item }}"
            group: root
        check_mode: "{{ rhel7stig_disruptive_check_mode }}"
        with_items:
            - "{{ rhel_07_021030_audit.stdout_lines }}"
  when:
      - rhel_07_021030
      - rhel7stig_disruptive
  tags:
      - RHEL-07-021030
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204487r744106_rule
      - V-204487
      - disruption-high

- name: "MEDIUM | RHEL-07-021040 | PATCH | The Red Hat Enterprise Linux operating system must set the umask value to 077 for all local interactive user accounts."
  ansible.builtin.file:
      path: "{{ item }}"
      mode: '077'
      state: touch
  changed_when: false
  with_items:
      - "{{ rhel_07_stig_interactive_homedir_inifiles }}"
  when:
      - rhel_07_021040
      - rhel_07_stig_interactive_homedir_inifiles is defined
  tags:
      - RHEL-07-021040
      - CAT2
      - CCI-000318
      - CCI-000368
      - CCI-001813
      - CCI-001814
      - CCI-001812
      - SRG-OS-000480-GPOS-00227
      - SV-204488r861006_rule
      - V-204488
      - permissions
      - accounts

- name: "MEDIUM | RHEL-07-021100 | PATCH | The Red Hat Enterprise Linux operating system must have cron logging implemented."
  ansible.builtin.lineinfile:
      path: /etc/rsyslog.conf
      regexp: '^cron\.\*[ \t]+/var/log/cron$'
      line: 'cron.*                                                  /var/log/cron'
      insertafter: '#### RULES ####'
      state: present
  failed_when:
      - result is failed
      - result.rc != 257
  register: result
  when:
      - rhel_07_021100
  tags:
      - RHEL-07-021100
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204489r603261_rule
      - V-204489
      - cron

- name: |
      MEDIUM | RHEL-07-021110 | The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is owned by root.
      MEDIUM | RHEL-07-021120 | The Red Hat Enterprise Linux operating system must be configured so that the cron.allow file, if it exists, is group-owned by root.
  block:
      - name: "MEDIUM | RHEL-07-021110, RHEL-07-021120 | PATCH | Check if cron.allow file exists"
        ansible.builtin.stat:
            path: /etc/cron.allow
        register: cron_allow_file_check

      - name: "MEDIUM | RHEL-07-021110, RHEL-07-021120 | PATCH | Set cron.allow file owner and group-owner to root"
        ansible.builtin.file:
            dest: /etc/cron.allow
            state: file
            owner: root
            group: root
            mode: 0600
        when: cron_allow_file_check.stat.exists
  when:
      - rhel_07_021110
      - rhel_07_021120
  tags:
      - CAT2
      - RHEL-07-021110
      - CCI-000366
      - SV-204490r603261_rule
      - V-204490
      - RHEL-07-021120
      - SV-204491r603261_rule
      - V-204491
      - cron

- name: "MEDIUM | RHEL-07-021300 | The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed."
  block:
      - name: "MEDIUM | RHEL-07-021300 | PATCH | The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed."
        ansible.builtin.shell: "systemctl show kdump | grep LoadState | cut -d = -f 2"
        register: rhel_07_021300_kdump_service_status
        changed_when: false
        check_mode: false

      - name: "MEDIUM | RHEL-07-021300 | PATCH | The Red Hat Enterprise Linux operating system must disable Kernel core dumps unless needed."
        ansible.builtin.service:
            name: kdump
            enabled: false
            state: stopped
        when:
            - rhel_07_021300_kdump_service_status.stdout == "loaded"
            - not rhel7stig_kdump_required
  when:
      - rhel_07_021300
  tags:
      - RHEL-07-021300
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204492r603261_rule
      - V-204492
      - logging

- name: "MEDIUM | RHEL-07-021620 | The Red Hat Enterprise Linux operating system must use a file integrity tool that is configured to use FIPS 140-2 approved cryptographic hashes for validating file contents and directories."
  block:
      - name: "Replace sha256+sha512 entries with sha512"
        ansible.builtin.replace:
            path: /etc/aide.conf
            regexp: '([A-Z]+ = .*)(sha256\+sha512)(.*)'
            replace: '\1sha512\3'
        register: rhel_07_021620_sha256_512_result
        notify: "{{ rhel7stig_aide_handler }}"

      - name: "Replace sha256 entries with sha512"
        ansible.builtin.replace:
            path: /etc/aide.conf
            regexp: '([A-Z]+ = .*)(sha256)(.*)'
            replace: '\1sha512\3'
        register: rhel_07_021620_sha256_result
        notify: "{{ rhel7stig_aide_handler }}"
  when:
      - rhel_07_021620
  tags:
      - RHEL-07-021620
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204500r880860_rule
      - V-204500
      - aide

- name: "MEDIUM | RHEL-07-021700 | AUDIT | The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved."
  block:
      # Let's see what is configured in grub.
      - name: "MEDIUM | RHEL-07-021700 | AUDIT | The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved."
        ansible.builtin.shell: grep -o "set root=.*" "{{ rhel7stig_bootloader_path }}" | grep -v "{{ rhel7stig_grub_bootloader_validorder }}" | uniq
        register: rhel7stig_grub_cfg_mediacheck
        changed_when: false
        failed_when: false

      # Report on the bootloader list
      - name: "MEDIUM | RHEL-07-021700 | AUDIT | The Red Hat Enterprise Linux operating system must not allow removable media to be used as the boot loader unless approved."
        ansible.builtin.debug:
            msg: "Warning!! The grub2 bootloader potentially has some invalid entries that contain {{ item }}"
        changed_when: true
        with_items:
            - "{{ rhel7stig_grub_cfg_mediacheck.stdout }}"
        when: rhel7stig_grub_cfg_mediacheck.stdout | length > 0
  when:
      - rhel_07_021700
      - not rhel7stig_system_is_chroot
      - not rhel7stig_system_is_container
  tags:
      - RHEL-07-021700
      - CAT2
      - CCI-00036
      - CCI-001812
      - CCI-001814
      - CCI-001813
      - CCI-000318
      - SRG-OS-000364-GPOS-00151
      - SV-204501r603261_rule
      - V-204501
      - grub
      - bootloader

######################
####### 030000 #######
######################

- name: "MEDIUM | RHEL-07-030000 | The Red Hat Enterprise Linux operating system must be configured so that auditing is configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users."
  block:
      - name: "MEDIUM | RHEL-07-030000 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that auditing is configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users."
        ansible.builtin.package:
            name: audit
            state: present
        vars:
            ansible_python_interpreter: "{{ python2_bin }}"
        when:
            - "'audit' not in ansible_facts.packages"

      - name: "MEDIUM | RHEL-07-030000 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that auditing is configured to produce records containing information to establish what type of events occurred, where the events occurred, the source of the events, and the outcome of the events. These audit records must also identify individual identities of group account users."
        ansible.builtin.service:
            name: auditd
            state: "{{ rhel7stig_service_started }}"
            enabled: true
        when:
            - not rhel7stig_system_is_container
  when:
      - rhel_07_030000
  tags:
      - RHEL-07-030000
      - CAT2
      - CCI-000126
      - CCI-000131
      - SRG-OS-000038-GPOS-00016
      - SV-204503r603261_rule
      - V-204503
      - auditd
      - logging

- name: "MEDIUM | RHEL-07-030010 | PATCH | The Red Hat Enterprise Linux operating system must shut down upon audit processing failure, unless availability is an overriding concern. If availability is a concern, the system must alert the designated staff (System Administrator [SA] and Information System Security Officer [ISSO] at a minimum) in the event of an audit processing failure."
  ansible.builtin.lineinfile:
      path: /etc/audit/rules.d/audit.rules
      regexp: "^-f "
      line: "-f {{ rhel7stig_auditd_failure_flag }}"
  notify: update running audit failure mode
  when:
      - rhel_07_030010
  tags:
      - RHEL-07-030010
      - CAT2
      - CCI-000139
      - SRG-OS-000046-GPOS-00022
      - SV-204504r880761_rule
      - V-204504
      - auditd
      - logging

- name: "MEDIUM | RHEL-07-030201 | PATCH | The Red Hat Enterprise Linux operating system must be configured to off-load audit logs onto a different system or storage media from the system being audited."
  ansible.builtin.lineinfile:
      path: /etc/audisp/plugins.d/au-remote.conf
      regexp: "{{ item.regexp }}"
      line: "{{ item.line }}"
      create: true
      mode: 0640
  notify: restart auditd
  with_items:
      - { regexp: '^active =', line: 'active = yes'}
      - { regexp: '^direction =', line: 'direction = out' }
      - { regexp: '^path =', line: 'path = /sbin/audisp-remote' }
      - { regexp: '^type =', line: 'type = always' }
      - { regexp: '^format =', line: 'format = string' }
  when:
      - rhel_07_030201
  tags:
      - RHEL-07-030201
      - CAT2
      - CCI-001851
      - SRG-OS-000342-GPOS-00133
      - SV-204506r603261_rule
      - V-204506
      - auditd
      - logging

- name: "MEDIUM | RHEL-07-030210 | PATCH | The Red Hat Enterprise Linux operating system must take appropriate action when the remote logging buffer is full."
  ansible.builtin.lineinfile:
      path: /etc/audisp/audispd.conf
      regexp: '^overflow_action ='
      line: "overflow_action = syslog"
  notify: restart auditd
  when:
      - rhel_07_030210
  tags:
      - RHEL-07-030210
      - CAT2
      - CCI-001851
      - SV-204507r603261_rule
      - V-204507
      - auditd
      - logging

- name: "MEDIUM | RHEL-07-030211 | PATCH | The Red Hat Enterprise Linux operating system must label all off-loaded audit logs before sending them to the central log server."
  ansible.builtin.lineinfile:
      path: /etc/audisp/audispd.conf
      regexp: '^name_format ='
      line: name_format = hostname
  notify: restart auditd
  when:
      - rhel_07_030211
  tags:
      - RHEL-07-030211
      - CAT2
      - CCI-001851
      - SRG-OS-000342-GPOS-00133
      - SV-204508r603261_rule
      - V-204508
      - auditd
      - logging

- name: "MEDIUM | RHEL-07-030300 | PATCH | The Red Hat Enterprise Linux operating system must off-load audit records onto a different system or media from the system being audited."
  ansible.builtin.lineinfile:
      path: /etc/audisp/audisp-remote.conf
      regexp: ^remote_server *=
      line: remote_server = {{ rhel7stig_audisp_remote_server }}
  when:
      - rhel_07_030300
      - rhel7stig_audisp_remote_server
  tags:
      - RHEL-07-030300
      - CAT2
      - CCI-001851
      - SV-204509r603261_rule
      - V-204509
      - auditd
      - logging

- name: "MEDIUM | RHEL-07-030310 | PATCH | The Red Hat Enterprise Linux operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited."
  ansible.builtin.lineinfile:
      path: /etc/audisp/audisp-remote.conf
      regexp: ^enable_krb5 +=
      line: enable_krb5 = yes
  when:
      - rhel_07_030310
  tags:
      - RHEL-07-030310
      - CAT2
      - CCI-001851
      - SRG-OS-000342-GPOS-00133
      - SV-204510r603261_rule
      - V-204510
      - auditd
      - logging

- name: "MEDIUM | RHEL-07-030320 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when the audit storage volume is full."
  ansible.builtin.lineinfile:
      path: /etc/audisp/audisp-remote.conf
      regexp: ^disk_full_action +=
      line: "disk_full_action = {{ rhel7stig_audisp_disk_full_action }}"
  when:
      - rhel_07_030320
  tags:
      - RHEL-07-030320
      - CAT2
      - CCI-001851
      - SRG-OS-000342-GPOS-00133
      - SV-204511r603261_rule
      - V-204511
      - auditd
      - logging

- name: "MEDIUM | RHEL-07-030321 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the audit system takes appropriate action when there is an error sending audit records to a remote system."
  ansible.builtin.lineinfile:
      path: /etc/audisp/audisp-remote.conf
      regexp: ^network_failure_action +=
      line: "network_failure_action = {{ rhel7stig_audisp_network_failure_action }}"
  when:
      - rhel_07_030321
  tags:
      - RHEL-07-030321
      - CAT2
      - CCI-001851
      - SRG-OS-000342-GPOS-00133
      - SV-204512r603261_rule
      - V-204512
      - auditd
      - logging

- name: "MEDIUM | RHEL-07-030330 | PATCH | The Red Hat Enterprise Linux operating system must initiate an action to notify the System Administrator (SA) and Information System Security Officer ISSO, at a minimum, when allocated audit record storage volume reaches 75% of the repository maximum audit record storage capacity."
  ansible.builtin.lineinfile:
      path: /etc/audit/auditd.conf
      regexp: ^space_left +=
      line: "space_left = {{ [rhel7stig_auditd_space_left | int, 51] | max }}"
  when:
      - rhel_07_030330
  tags:
      - RHEL-07-030330
      - CAT2
      - CCI-001855
      - SRG-OS-000343-GPOS-00134
      - SV-204513r603261_rule
      - V-204513
      - auditd
      - logging

- name: "MEDIUM | RHEL-07-030340 | PATCH | The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) via email when the threshold for the repository maximum audit record storage capacity is reached."
  ansible.builtin.lineinfile:
      path: /etc/audit/auditd.conf
      regexp: ^space_left_action +=
      line: "space_left_action = email"
  failed_when:
      - rhel7stig_auditd_space_left_action_result is failed
      - rhel7stig_auditd_space_left_action_result.rc != 257
  register: rhel7stig_auditd_space_left_action_result
  when:
      - rhel_07_030340
  tags:
      - RHEL-07-030340
      - CAT2
      - CCI-001855
      - SRG-OS-000343-GPOS-00134
      - SV-204513r744112_rule
      - V-204514
      - auditd
      - logging

- name: "MEDIUM | RHEL-07-030350 | PATCH | The Red Hat Enterprise Linux operating system must immediately notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when the threshold for the repository maximum audit record storage capacity is reached."
  ansible.builtin.lineinfile:
      path: /etc/audit/auditd.conf
      regexp: ^action_mail_acct +=
      line: "action_mail_acct = {{ rhel7stig_auditd_mail_acct }}"
  failed_when:
      - rhel7stig_auditd_action_mail_acct_result is failed
      - rhel7stig_auditd_action_mail_acct_result.rc != 257
  register: rhel7stig_auditd_action_mail_acct_result
  when:
      - rhel_07_030350
  tags:
      - RHEL-07-030350
      - CAT2
      - CCI-001855
      - SRG-OS-000343-GPOS-00134
      - SV-204515r603261_rule
      - V-204515
      - auditd
      - logging

- name: "MEDIUM | RHEL-07-030360 | PATCH | The Red Hat Enterprise Linux operating system must audit all executions of privileged functions."
  ansible.builtin.set_fact:
      update_audit_template: true
  when:
      - rhel_07_030360
  tags:
      - RHEL-07-030360
      - CAT2
      - CCI-002234
      - SRG-OS-000327-GPOS-00127
      - SV-204516r603261_rule
      - V-204516
      - auditd

- name: "MEDIUM | RHEL-07-030370 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the chown, fchown, fchownat, and lchown syscalls."
  ansible.builtin.set_fact:
      update_audit_template: true
  when:
      - rhel_07_030370
  tags:
      - RHEL-07-030370
      - CAT2
      - CCI-000126
      - SRG-OS-000064-GPOS-00033
      - SV-204517r809570_rule
      - V-204517
      - auditd

- name: "MEDIUM | RHEL-07-030410 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the chmod, fchmod, and fchmodat syscalls."
  ansible.builtin.set_fact:
      update_audit_template: true
  when:
      - rhel_07_030410
  tags:
      - RHEL-07-030410
      - CAT2
      - CCI-000172
      - SRG-OS-000458-GPOS-00203
      - SV-204521r809772_rule
      - V-204521
      - auditd

- name: "MEDIUM | RHEL-07-030440 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the chmod, fchmod, and fchmodat syscalls."
  ansible.builtin.set_fact:
      update_audit_template: true
  when:
      - rhel_07_030440
  tags:
      - RHEL-07-030440
      - CAT2
      - CCI-000172
      - SRG-OS-000458-GPOS-00203
      - SV-204524r809775_rule
      - V-204524
      - auditd

- name: "MEDIUM | RHEL-07-030510 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the creat, open, openat, open_by_handle_at, truncate, and ftruncate syscalls."
  ansible.builtin.set_fact:
      update_audit_template: true
  when:
      - rhel_07_030510
  tags:
      - RHEL-07-030510
      - CAT2
      - CCI-000172
      - SRG-OS-000064-GPOS-00033
      - SV-204531r809815_rule
      - V-204531
      - auditd

- name: "MEDIUM | RHEL-07-030560 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the semanage command."
  ansible.builtin.set_fact:
      update_audit_template: true
  when:
      - rhel_07_030560
  tags:
      - RHEL-07-030560
      - CAT2
      - CCI-000172
      - SRG-OS-000392-GPOS-00172
      - SV-204536r833109_rule
      - V-204536
      - auditd

- name: "MEDIUM | RHEL-07-030570 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the setsebool command."
  ansible.builtin.set_fact:
      update_audit_template: true
  when:
      - rhel_07_030570
  tags:
      - RHEL-07-030570
      - CAT2
      - CCI-000172
      - SRG-OS-000392-GPOS-00172
      - SV-204537r833112_rule
      - V-204537
      - auditd

- name: "MEDIUM | RHEL-07-030580 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the chcon command."
  ansible.builtin.set_fact:
      update_audit_template: true
  when:
      - rhel_07_030580
  tags:
      - RHEL-07-030580
      - CAT2
      - CCI-000172
      - SRG-OS-000392-GPOS-00172
      - SV-204538r833115_rule
      - V-204538
      - auditd

- name: "MEDIUM | RHEL-07-030590 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the setfiles command."
  ansible.builtin.set_fact:
      update_audit_template: true
  when:
      - rhel_07_030590
  tags:
      - RHEL-07-030590
      - CAT2
      - CCI-000172
      - SRG-OS-000392-GPOS-00172
      - SV-204539r833118_rule
      - V-204539
      - auditd

- name: "MEDIUM | RHEL-07-030610 | PATCH | The Red Hat Enterprise Linux operating system must generate audit records for all unsuccessful account access events."
  ansible.builtin.set_fact:
      update_audit_template: true
  when:
      - rhel_07_030610
  tags:
      - RHEL-07-030610
      - CAT2
      - CCI-000126
      - CCI-000172
      - CCI-002884
      - SRG-OS-000392-GPOS-00172
      - SV-204540r603261_rule
      - V-204540
      - auditd

- name: "MEDIUM | RHEL-07-030620 | PATCH | The Red Hat Enterprise Linux operating system must generate audit records for all successful account access events."
  ansible.builtin.set_fact:
      update_audit_template: true
  when:
      - rhel_07_030620
  tags:
      - RHEL-07-030620
      - CAT2
      - CCI-000126
      - CCI-000172
      - CCI-002884
      - SRG-OS-000392-GPOS-00172
      - SV-204541r603261_rule
      - V-204541
      - auditd

- name: "MEDIUM | RHEL-07-030630 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the passwd command."
  ansible.builtin.set_fact:
      update_audit_template: true
  when:
      - rhel_07_030630
  tags:
      - RHEL-07-030630
      - CAT2
      - CCI-000135
      - CCI-000172
      - CCI-002884
      - SRG-OS-000042-GPOS-00020
      - SV-204542r833121_rule
      - V-204542
      - auditd

- name: "MEDIUM | RHEL-07-030640 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the unix_chkpwd command."
  ansible.builtin.set_fact:
      update_audit_template: true
  when:
      - rhel_07_030640
  tags:
      - RHEL-07-030640
      - CAT2
      - CCI-000135
      - CCI-000172
      - CCI-002884
      - SRG-OS-000042-GPOS-00020
      - SV-204543r833124_rule
      - V-204543
      - auditd

- name: "MEDIUM | RHEL-07-030650 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the gpasswd command."
  ansible.builtin.set_fact:
      update_audit_template: true
  when:
      - rhel_07_030650
  tags:
      - RHEL-07-030650
      - CAT2
      - CCI-000135
      - CCI-000172
      - CCI-002884
      - SRG-OS-000042-GPOS-00020
      - SV-204544r833127_rule
      - V-204544
      - auditd

- name: "MEDIUM | RHEL-07-030660 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the chage command."
  ansible.builtin.set_fact:
      update_audit_template: true
  when:
      - rhel_07_030660
  tags:
      - RHEL-07-030660
      - CAT2
      - CCI-000135
      - CCI-000172
      - CCI-002884
      - SRG-OS-000042-GPOS-00020
      - SV-204545r833130_rule
      - V-204545
      - auditd

- name: "MEDIUM | RHEL-07-030670 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the userhelper command."
  ansible.builtin.set_fact:
      update_audit_template: true
  when:
      - rhel_07_030670
  tags:
      - RHEL-07-030670
      - CAT2
      - CCI-000135
      - CCI-000172
      - CCI-002884
      - SRG-OS-000042-GPOS-00020
      - SV-204546r833133_rule
      - V-204546
      - auditd

- name: "MEDIUM | RHEL-07-030680 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the su command."
  ansible.builtin.set_fact:
      update_audit_template: true
  when:
      - rhel_07_030680
  tags:
      - RHEL-07-030680
      - CAT2
      - CCI-000130
      - CCI-000135
      - CCI-000172
      - CCI-002884
      - SRG-OS-000037-GPOS-00015
      - SV-204547r833136_rule
      - V-204547
      - auditd

- name: "MEDIUM | RHEL-07-030690 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the sudo command."
  ansible.builtin.set_fact:
      update_audit_template: true
  when:
      - rhel_07_030690
  tags:
      - RHEL-07-030690
      - CAT2
      - CCI-000130
      - CCI-000135
      - CCI-000172
      - CCI-002884
      - SRG-OS-000037-GPOS-00015
      - SV-204548r833139_rule
      - V-204548
      - auditd

- name: "MEDIUM | RHEL-07-030700 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the sudo command."
  ansible.builtin.set_fact:
      update_audit_template: true
  when:
      - rhel_07_030700
  tags:
      - RHEL-07-030700
      - CAT2
      - CCI-000130
      - CCI-000135
      - CCI-000172
      - CCI-002884
      - SRG-OS-000037-GPOS-00015
      - SV-204549r603261_rule
      - V-204549
      - auditd

- name: "MEDIUM | RHEL-07-030710 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the newgrp command."
  ansible.builtin.set_fact:
      update_audit_template: true
  when:
      - rhel_07_030710
  tags:
      - RHEL-07-030710
      - CAT2
      - CCI-000130
      - CCI-000135
      - CCI-000172
      - CCI-002884
      - SRG-OS-000037-GPOS-00015
      - SV-204550r833142_rule
      - V-204550
      - auditd

- name: "MEDIUM | RHEL-07-030720 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the chsh command."
  ansible.builtin.set_fact:
      update_audit_template: true
  when:
      - rhel_07_030720
  tags:
      - RHEL-07-030720
      - CAT2
      - CCI-000130
      - CCI-000135
      - CCI-000172
      - CCI-002884
      - SRG-OS-000037-GPOS-00015
      - SV-204551r833145_rule
      - V-204551
      - auditd

- name: "MEDIUM | RHEL-07-030740 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the mount command and syscall."
  ansible.builtin.set_fact:
      update_audit_template: true
  when:
      - rhel_07_030740
  tags:
      - RHEL-07-030740
      - CAT2
      - CCI-000135
      - CCI-002884
      - SRG-OS-000042-GPOS-00020
      - SV-204552r833148_rule
      - V-204552
      - auditd

- name: "MEDIUM | RHEL-07-030750 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the umount command."
  ansible.builtin.set_fact:
      update_audit_template: true
  when:
      - rhel_07_030750
  tags:
      - RHEL-07-030750
      - CAT2
      - CCI-000135
      - CCI-002884
      - SRG-OS-000042-GPOS-00020
      - SV-204553r833151_rule
      - V-204553
      - auditd

- name: "MEDIUM | RHEL-07-030760 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the postdrop command."
  ansible.builtin.set_fact:
      update_audit_template: true
  when:
      - rhel_07_030760
  tags:
      - RHEL-07-030760
      - CAT2
      - CCI-000135
      - CCI-002884
      - SRG-OS-000042-GPOS-00020
      - SV-204554r833154_rule
      - V-204554
      - auditd

- name: "MEDIUM | RHEL-07-030770 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the postqueue command."
  ansible.builtin.set_fact:
      update_audit_template: true
  when:
      - rhel_07_030770
  tags:
      - RHEL-07-030770
      - CAT2
      - CCI-000135
      - CCI-002884
      - SRG-OS-000042-GPOS-00020
      - SV-204555r833157_rule
      - V-204555
      - auditd

- name: "MEDIUM | RHEL-07-030780 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the ssh-keysign command."
  ansible.builtin.set_fact:
      update_audit_template: true
  when:
      - rhel_07_030780
  tags:
      - RHEL-07-030780
      - CAT2
      - CCI-000135
      - CCI-000172
      - CCI-002884
      - SRG-OS-000042-GPOS-00020
      - SV-204556r833160_rule
      - V-204556
      - auditd

- name: "MEDIUM | RHEL-07-030800 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the crontab command."
  ansible.builtin.set_fact:
      update_audit_template: true
  when:
      - rhel_07_030800
  tags:
      - RHEL-07-030800
      - CAT2
      - CCI-000135
      - CCI-000172
      - CCI-002884
      - SRG-OS-000042-GPOS-00020
      - SV-204557r833163_rule
      - V-204557
      - auditd

- name: "MEDIUM | RHEL-07-030810 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the pam_timestamp_check command."
  ansible.builtin.set_fact:
      update_audit_template: true
  when:
      - rhel_07_030810
  tags:
      - RHEL-07-030810
      - CAT2
      - CCI-000172
      - SRG-OS-000471-GPOS-00215
      - SV-204558r833166_rule
      - V-204558
      - auditd

- name: "MEDIUM | RHEL-07-030819 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the create_module syscall."
  ansible.builtin.set_fact:
      update_audit_template: true
  when:
      - rhel_07_030819
  tags:
      - RHEL-07-030819
      - CAT2
      - CCI-000172
      - SRG-OS-000471-GPOS-00216
      - SV-204559r833169_rule
      - V-204559
      - auditd

- name: "MEDIUM | RHEL-07-030820 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the init_module and finit_module syscall."
  ansible.builtin.set_fact:
      update_audit_template: true
  when:
      - rhel_07_030820
  tags:
      - RHEL-07-030820
      - CAT2
      - CCI-000172
      - SRG-OS-000471-GPOS-00216
      - SV-204560r833172_rule
      - V-204560
      - auditd

- name: "MEDIUM | RHEL-07-030830 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the delete_module syscall."
  ansible.builtin.set_fact:
      update_audit_template: true
  when:
      - rhel_07_030830
  tags:
      - RHEL-07-030830
      - CAT2
      - CCI-000172
      - SRG-OS-000471-GPOS-00216
      - SV-204562r833175_rule
      - V-204562
      - auditd

- name: "MEDIUM | RHEL-07-030840 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the kmod command."
  ansible.builtin.set_fact:
      update_audit_template: true
  when:
      - rhel_07_030840
  tags:
      - RHEL-07-030840
      - CAT2
      - CCI-000172
      - SRG-OS-000471-GPOS-00216
      - SV-204563r858498_rule
      - V-204563
      - auditd

- name: "MEDIUM | RHEL-07-030870 | PATCH | The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd."
  ansible.builtin.set_fact:
      update_audit_template: true
  when:
      - rhel_07_030870
  tags:
      - RHEL-07-030870
      - CAT2
      - CCI-000018
      - CCI-000172
      - CCI-001403
      - CCI-002130
      - SRG-OS-000004-GPOS-00004
      - SV-204564r603261_rule
      - V-204564
      - auditd

- name: "MEDIUM | RHEL-07-030871 | PATCH | The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group."
  ansible.builtin.set_fact:
      update_audit_template: true
  when:
      - rhel_07_030871
  tags:
      - RHEL-07-030871
      - CAT2
      - CCI-000018
      - CCI-000172
      - CCI-001403
      - CCI-002130
      - SRG-OS-000004-GPOS-00004
      - SV-204565r603261_rule
      - V-204565
      - auditd

- name: "MEDIUM | RHEL-07-030872 | PATCH | he Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow."
  ansible.builtin.set_fact:
      update_audit_template: true
  when:
      - rhel_07_030872
  tags:
      - RHEL-07-030872
      - CAT2
      - CCI-000018
      - CCI-000172
      - CCI-001403
      - CCI-002130
      - SRG-OS-000004-GPOS-00004
      - SV-204566r603261_rule
      - V-204566
      - auditd

- name: "MEDIUM | RHEL-07-030873 | PATCH | The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow."
  ansible.builtin.set_fact:
      update_audit_template: true
  when:
      - rhel_07_030873
  tags:
      - RHEL-07-030873
      - CAT2
      - CCI-000018
      - CCI-000172
      - CCI-001403
      - CCI-002130
      - SRG-OS-000004-GPOS-00004
      - SV-204567r603261_rule
      - V-204567
      - auditd

- name: "MEDIUM | RHEL-07-030874 | PATCH | The Red Hat Enterprise Linux operating system must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd."
  ansible.builtin.set_fact:
      update_audit_template: true
  when:
      - rhel_07_030874
  tags:
      - RHEL-07-030874
      - CAT2
      - CCI-000018
      - CCI-000172
      - CCI-001403
      - CCI-002130
      - SRG-OS-000004-GPOS-00004
      - SV-204568r603261_rule
      - V-204568
      - auditd

- name: "MEDIUM | RHEL-07-030910 | PATCH | The Red Hat Enterprise Linux operating system must audit all uses of the unlink, unlinkat, rename, renameat, and rmdir syscalls"
  ansible.builtin.set_fact:
      update_audit_template: true
  when:
      - rhel_07_030910
  tags:
      - RHEL-07-030910
      - CAT2
      - CCI-000018
      - CCI-000172
      - CCI-001403
      - CCI-002130
      - SRG-OS-000466-GPOS-00210
      - SV-204572r809825_rule
      - V-204572
      - auditd

- name: "MEDIUM | RHEL-07-031000 | PATCH | The Red Hat Enterprise Linux operating system must send rsyslog output to a log aggregation server."
  ansible.builtin.blockinfile:
      path: /etc/rsyslog.conf
      state: present
      block: |
          $ActionQueueFileName rhel-07-031000  # unique name prefix for spool files
          $ActionQueueMaxDiskSpace 1g    # 1gb space limit (use as much as possible)
          $ActionQueueSaveOnShutdown on  # save messages to disk on shutdown
          $ActionQueueType LinkedList    # run asynchronously
          $ActionResumeRetryCount -1     # infinite retries if host is down
          # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
          *.* {{ rhel7stig_log_aggregation_port }}{{ rhel7stig_log_aggregation_server }}
      insertafter: EOF
  failed_when:
      - result is failed
      - result.rc != 257
  register: result
  when:
      - rhel_07_031000
      - rhel7stig_log_aggregation_server is defined
  tags:
      - RHEL-07-031000
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204574r917830_rule
      - V-204574
      - rsyslog

- name: "MEDIUM | RHEL-07-031010 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the rsyslog daemon does not accept log messages from other servers unless the server is being used for log aggregation."
  ansible.builtin.replace:
      path: /etc/rsyslog.conf
      regexp: '({{ item }})'
      replace: '# \1'
  with_items:
      - '^(\$ModLoad imtcp)'
      - '^(\$ModLoad imudp)'
      - '^(\$ModLoad imrelp)'
      # - '^(\$UDPServerRun)'
      # - '^(\$InputTCPServerRun)'
  failed_when:
      - result is failed
      - result.rc != 257
  register: result
  when:
      - rhel_07_031010
      - not rhel7stig_system_is_log_aggregator
  tags:
      - RHEL-07-031010
      - CAT2
      - CCI-000318
      - CCI-001812
      - CCI-001814
      - CCI-001813
      - CCI-000368
      - SRG-OS-000480-GPOS-00227
      - SV-204575r603261_rule
      - V-204575
      - rsyslog

#######################
######## 040000 #######
#######################

- name: "MEDIUM | RHEL-07-040100 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments."
  block:
      - name: "MEDIUM | RHEL-07-040100 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments."
        block:
            - name: "MEDIUM | RHEL-07-040100 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments."
              ansible.builtin.shell: for p in `firewall-cmd --list-services`; do firewall-cmd --permanent --service $p --get-ports | grep -Ev '{{ rhel7stig_firewall_ports_protocols | flatten | join('|') }}'; done;
              changed_when: false
              failed_when: false
              check_mode: false
              register: rhel7stig_ppsm_clsa_check_firewalld
              when: rhel7stig_firewall_ports_protocols is defined

            - name: "MEDIUM | RHEL-07-040100 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments."
              ansible.builtin.debug:
                  msg: "Warning!! Firewalld is accepting the following port/protocols that are not in the accepted list: {{ item }}."
              changed_when: false
              with_items: "{{ rhel7stig_ppsm_clsa_check_firewalld.stdout }}"
              when:
                  - rhel7stig_ppsm_clsa_check_firewalld.stdout_lines is defined
                  - rhel7stig_ppsm_clsa_check_firewalld.stdout_lines | length > 0
        when:
            - rhel7stig_firewall_service == "firewalld"
            - rhel7stig_start_firewall_service

      - name: "MEDIUM | RHEL-07-040100 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments."
        block:
            - name: "MEDIUM | RHEL-07-040100 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments."
              ansible.builtin.shell: iptables-save | grep -i accept | grep -i input
              changed_when: false
              failed_when: false
              check_mode: false
              register: rhel7stig_PPSM_CLSA_check_iptables  # noqa var-naming

            - name: "MEDIUM | RHEL-07-040100 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments."
              ansible.builtin.debug:
                  msg: "The following task output is what iptables is accepting on service ports to {{ ansible_hostname }}."
              changed_when: true
              when: rhel7stig_PPSM_CLSA_check_iptables.stdout_lines is defined

            - name: "MEDIUM | RHEL-07-040100 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments."
              ansible.builtin.debug:
                  var: rhel7stig_PPSM_CLSA_check_iptables.stdout_lines  # noqa var-naming
              changed_when: true
              when: rhel7stig_PPSM_CLSA_check_iptables.stdout_lines is defined
        when:
            - rhel7stig_firewall_service == "iptables"
            - rhel7stig_start_firewall_service

      - name: "MEDIUM | RHEL-07-040100 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments."
        ansible.builtin.debug:
            msg: "Your configured firewall service is {{ rhel7stig_firewall_service }}, but you have set the variable rhel7stig_start_firewall_service to false. We cannot audit control RHEL-07-040100 - The Red Hat Enterprise Linux operating system must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management Component Local Service Assessment (PPSM CLSA) and vulnerability assessments."
        changed_when: true
        when: not rhel7stig_start_firewall_service
  when:
      - rhel_07_040100
      - not rhel7stig_system_is_chroot
      - not rhel7stig_system_is_container
      - rhel7stig_disruptive
  tags:
      - RHEL-07-040100
      - CAT2
      - CCI-000382
      - SRG-OS-000096-GPOS-00050
      - SV-204577r603261_rule
      - V-204577
      - firewall
      - disruption-high

- name: "MEDIUM | RHEL-07-040110 | PATCH | The Red Hat Enterprise Linux 7 operating system must implement DoD-approved encryption to protect the confidentiality of SSH connections."
  ansible.builtin.lineinfile:
      path: /etc/ssh/sshd_config
      regexp: "(?i)^#?Ciphers"
      line: "Ciphers {{ rhel7stig_ssh_ciphers }}"
      validate: /usr/sbin/sshd -t -f %s
  notify: restart sshd
  when:
      - rhel_07_040110
      - rhel7stig_ssh_required
  tags:
      - RHEL-07-040110
      - CAT2
      - CCI-000366
      - CCI-000803
      - CCI-000068
      - SRG-OS-000033-GPOS-00014
      - SV-204578r744116_rule
      - V-204578
      - ssh

- name: "MEDIUM | RHEL-07-040160 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with a communication session are terminated at the end of the session or after 15 minutes of inactivity from the user at a command prompt, except to fulfill documented and validated mission requirements."
  ansible.builtin.blockinfile:
      create: true
      mode: 0644
      dest: "{{ item.dest }}"
      state: "{{ item.state }}"
      marker: "# {mark} ANSIBLE MANAGED"
      block: |
        # Set session timeout - STIG ID RHEL-07-040160
        declare -xr TMOUT={{ rhel7stig_shell_session_timeout.timeout }}
  with_items:
      - dest: "{{ rhel7stig_shell_session_timeout.file }}"
        state: present
      - dest: /etc/profile
        state: "{{ (rhel7stig_shell_session_timeout.file == '/etc/profile') | ternary('present', 'absent') }}"
      - dest: /etc/bashrc
        state: "{{ (rhel7stig_shell_session_timeout.file == '/etc/bashrc') | ternary('present', 'absent') }}"
  when:
      - rhel_07_040160
  tags:
      - RHEL-07-040160
      - CAT2
      - CCI-001133
      - CCI-002361
      - SRG-OS-000163-GPOS-00072
      - SV-204579r861070_rule
      - V-204579
      - profile

- name: "MEDIUM | RHEL-07-040170 | PATCH | The Red Hat Enterprise Linux operating system must display the Standard Mandatory DoD Notice and Consent Banner immediately prior to, or as part of, remote access logon prompts."
  ansible.builtin.lineinfile:
      path: /etc/ssh/sshd_config
      regexp: "(?i)^#?Banner"
      line: Banner /etc/issue
      validate: /usr/sbin/sshd -tf %s
  notify: restart sshd
  when:
      - rhel_07_040170
      - rhel7stig_ssh_required
  tags:
      - RHEL-07-040170
      - CAT2
      - CCI-001384
      - CCI-001385
      - CCI-001386
      - CCI-001387
      - CCI-001388
      - CCI-000048
      - CCI-000050
      - SRG-OS-000023-GPOS-00006
      - SV-204580r603261_rule
      - V-204580
      - ssh
      - dod_logon_banner

- name: |
    "MEDIUM | RHEL-07-040180 | The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications."
    "MEDIUM | RHEL-07-040190 | The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications."
    "MEDIUM | RHEL-07-040200 | The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications."
  block:
      - name: |
          "MEDIUM | RHEL-07-040180 | AUDIT | The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications."
          "MEDIUM | RHEL-07-040190 | AUDIT | The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications."
          "MEDIUM | RHEL-07-040200 | AUDIT | The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications."
        ansible.builtin.shell: systemctl status sssd.service | grep "Active" | cut -d ':' -f1 | tr " " "\n" | sed '/^$/d'
        check_mode: false
        failed_when: false
        changed_when: false
        register: rhel_07_040180_audit

      - name: |
          "MEDIUM | RHEL-07-040180 | AUDIT | The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications."
          "MEDIUM | RHEL-07-040190 | AUDIT | The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications."
          "MEDIUM | RHEL-07-040200 | AUDIT | The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications."
        ansible.builtin.stat:
            path: /etc/sssd/sssd.conf
        changed_when: false
        register: rhel_07_040180_ldapconf_audit
        when: rhel_07_040180_audit.stdout == "Active"

      - name: |
          "MEDIUM | RHEL-07-040180 | PATCH | The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) authentication communications."
          "MEDIUM | RHEL-07-040190 | PATCH | The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications."
          "MEDIUM | RHEL-07-040200 | PATCH | The Red Hat Enterprise Linux operating system must implement cryptography to protect the integrity of Lightweight Directory Access Protocol (LDAP) communications."
        ansible.builtin.blockinfile:
            block: |
                ldap_id_use_start_tls = true
                ldap_tls_reqcert = demand
                ldap_tls_cacert = "{{ rhel_07_040200_cabundle_path }}"
            path: /etc/sssd/sssd.conf
            insertafter: "^ldap_search_base*"
            create: true
            mode: 0600
        when: rhel_07_040180_audit.stdout == "Active"
  when:
      - rhel_07_040180 or
        rhel_07_040190 or
        rhel_07_040200
  tags:
      - CAT2
      - RHEL-07-040180
      - CCI-001453
      - SRG-OS-000250-GPOS-00093
      - SV-204581r603261_rule
      - V-204581
      - RHEL-07-040190
      - SV-204582r603261_rule
      - V-204582
      - RHEL-07-040200
      - SV-204583r603261_rule
      - V-204583
      - ldap

- name: "MEDIUM | RHEL-07-040201 | PATCH | The Red Hat Enterprise Linux operating system must implement virtual address space randomization."
  sysctl:
      name: kernel.randomize_va_space
      value: '2'
      state: present
      reload: "{{ rhel7stig_sysctl_reload }}"
      sysctl_set: true
      ignoreerrors: true
  when:
      - rhel_07_040201
  tags:
      - RHEL-07-040201
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204584r880794_rule
      - V-204584
      - sysctl

- name: "MEDIUM | RHEL-07-040300 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all networked systems have SSH installed."
  ansible.builtin.package:
      name:
          - openssh-clients
          - openssh-server
      state: present
  vars:
      ansible_python_interpreter: "{{ python2_bin }}"
  when:
      - rhel_07_040300
      - rhel7stig_ssh_required
  tags:
      - RHEL-07-040300
      - CAT2
      - CCI-002422
      - CCI-002418
      - CCI-002420
      - CCI-002421
      - SRG-OS-000423-GPOS-00187
      - SV-204585r916422_rule
      - V-204585
      - ssh

- name: "MEDIUM | RHEL-07-040310 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all networked systems use SSH for confidentiality and integrity of transmitted and received information as well as information during preparation for transmission."
  ansible.builtin.service:
      name: sshd
      state: "{{ rhel7stig_service_started }}"
      enabled: true
  when:
      - rhel_07_040310
      - rhel7stig_ssh_required
  tags:
      - RHEL-07-040310
      - CAT2
      - CCI-002418
      - CCI-002420
      - CCI-002421
      - CCI-002422
      - SRG-OS-000423-GPOS-00187
      - SV-204585r916422_rule
      - V-204586
      - ssh

- name: "MEDIUM | RHEL-07-040320 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements."
  ansible.builtin.lineinfile:
      create: true
      dest: /etc/ssh/sshd_config
      regexp: "(?i)^#?ClientAliveInterval"
      line: ClientAliveInterval {{ rhel7stig_ssh_session_timeout }}
      validate: /usr/sbin/sshd -t -f %s
      mode: 0600
  notify: restart sshd
  when:
      - rhel_07_040320
      - rhel7stig_ssh_required
  tags:
      - RHEL-07-040320
      - CAT2
      - CCI-001133
      - CCI-002361
      - SRG-OS-000163-GPOS-00072
      - SV-204587r917833_rule
      - V-204587
      - ssh

- name: "MEDIUM | RHEL-07-040330 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using RSA rhosts authentication."
  ansible.builtin.lineinfile:
      path: /etc/ssh/sshd_config
      regexp: "(?i)^#?RhostsRSAAuthentication"
      line: RhostsRSAAuthentication no
      validate: /usr/sbin/sshd -t -f %s
  notify: restart sshd
  when:
      - rhel_07_040330
      - rhel7stig_ssh_required
      - ansible_distribution_version is not version_compare('7.4', '>=')
  tags:
      - RHEL-07-040330
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204588r603261_rule
      - V-204588
      - ssh

- name: "MEDIUM | RHEL-07-040340 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all network connections associated with SSH traffic terminate after a period of inactivity."
  ansible.builtin.lineinfile:
      create: true
      dest: /etc/ssh/sshd_config
      regexp: "(?i)^#?ClientAliveCountMax"
      line: ClientAliveCountMax 0
      validate: /usr/sbin/sshd -t -f %s
      mode: 0600
  notify: restart sshd
  when:
      - rhel_07_040340
      - rhel7stig_ssh_required
  tags:
      - RHEL-07-040340
      - CAT2
      - CCI-001133
      - CCI-002361
      - SRG-OS-000163-GPOS-00072
      - SV-204589r917836_rule
      - V-204589
      - ssh

- name: "MEDIUM | RHEL-07-040350 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication."
  ansible.builtin.lineinfile:
      path: /etc/ssh/sshd_config
      regexp: '(?i)^#?\s*IgnoreRhosts'
      line: IgnoreRhosts yes
      validate: /usr/sbin/sshd -t -f %s
  notify: restart sshd
  when:
      - rhel_07_040350
      - rhel7stig_ssh_required
  tags:
      - RHEL-07-040350
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204590r603261_rule
      - V-204590
      - ssh

- name: "MEDIUM | RHEL-07-040360 | PATCH | The Red Hat Enterprise Linux operating system must display the date and time of the last successful account logon upon an SSH logon."
  ansible.builtin.lineinfile:
      path: /etc/ssh/sshd_config
      regexp: "(?i)^#?PrintLastLog"
      line: PrintLastLog yes
      validate: /usr/sbin/sshd -t -f %s
  notify: restart sshd
  when:
      - rhel_07_040360
      - rhel7stig_ssh_required
  tags:
      - RHEL-07-040360
      - CAT2
      - CCI-000052
      - SRG-OS-000480-GPOS-00227
      - SV-204591r858477_rule
      - V-204591
      - ssh

- name: "MEDIUM | RHEL-07-040370 | PATCH | The Red Hat Enterprise Linux operating system must not permit direct logons to the root account using remote access via SSH."
  ansible.builtin.lineinfile:
      create: true
      dest: /etc/ssh/sshd_config
      regexp: "(?i)^#?PermitRootLogin"
      line: PermitRootLogin no
      insertafter: '(?i)^#?authentication'
      validate: /usr/sbin/sshd -t -f %s
      mode: 0600
  notify: restart sshd
  when:
      - rhel_07_040370
      - rhel7stig_ssh_required
  tags:
      - RHEL-07-040370
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204592r603261_rule
      - V-204592
      - ssh

- name: "MEDIUM | RHEL-07-040380 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using known hosts authentication."
  ansible.builtin.lineinfile:
      create: true
      dest: /etc/ssh/sshd_config
      regexp: "(?i)^#?IgnoreUserKnownHosts"
      line: IgnoreUserKnownHosts yes
      validate: /usr/sbin/sshd -t -f %s
      mode: 0600
  notify: restart sshd
  when:
      - rhel_07_040380
      - rhel7stig_ssh_required
  tags:
      - RHEL-07-040380
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204593r603261_rule
      - V-204593
      - ssh

- name: "MEDIUM | RHEL-07-040400 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon is configured to only use Message Authentication Codes (MACs) employing FIPS 140-2 approved cryptographic hash algorithms."
  ansible.builtin.lineinfile:
      create: true
      dest: /etc/ssh/sshd_config
      regexp: "(?i)^#?MACs"
      line: "MACs {{ rhel7stig_ssh_macs }}"
      validate: /usr/sbin/sshd -t -f %s
      mode: 0600
  notify: restart sshd
  when:
      - rhel_07_040400
      - rhel7stig_ssh_required
  tags:
      - RHEL-07-040400
      - CAT2
      - CCI-001453
      - SRG-OS-000250-GPOS-00093
      - SV-204595r744117_rule
      - V-204595
      - ssh

- name: "MEDIUM | RHEL-07-040410 | The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive."
  block:
      - name: "MEDIUM | RHEL-07-040410 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive."
        ansible.builtin.find:
            paths: /etc/ssh
            recurse: true
            file_type: file
            patterns: 'ssh_host*_key.pub'
            hidden: true
        failed_when: false
        changed_when: false
        register: rhel_07_040410_audit

      - name: "MEDIUM | RHEL-07-040410 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH public host key files have mode 0644 or less permissive."
        ansible.builtin.file:
            dest: "{{ item.path }}"
            mode: a-stx,go-w
            state: file
        with_items: "{{ rhel_07_040410_audit.files | default([]) }}"
  when:
      - rhel_07_040410
      - rhel7stig_ssh_required
  tags:
      - RHEL-07-040410
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204596r603261_rule
      - V-204596
      - ssh

- name: "MEDIUM | RHEL-07-040420 | The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive."
  block:
      - name: "MEDIUM | RHEL-07-040420 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive."
        ansible.builtin.find:
            paths: /etc/ssh
            recurse: true
            file_type: file
            patterns: 'ssh_host*_key'
            hidden: true
        changed_when: false
        failed_when: false
        register: rhel_07_040420_audit

      - name: "MEDIUM | RHEL-07-040420 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH private host key files have mode 0640 or less permissive."
        ansible.builtin.file:
            dest: "{{ item.path }}"
            mode: a-stx,go-w,o-r
            state: file
        with_items:
            - "{{ rhel_07_040420_audit.files | default([]) }}"
  when:
      - rhel_07_040420
      - rhel7stig_ssh_required
  tags:
      - RHEL-07-040420
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204597r880743_rule
      - V-204597
      - ssh

- name: "MEDIUM | RHEL-07-040430 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Generic Security Service Application Program Interface (GSSAPI) authentication unless needed."
  ansible.builtin.lineinfile:
      create: true
      dest: /etc/ssh/sshd_config
      regexp: "(?i)^#?GSSAPIAuthentication"
      line: GSSAPIAuthentication no
      validate: /usr/sbin/sshd -t -f %s
      mode: 0600
  notify: restart sshd
  when:
      - rhel_07_040430
      - rhel7stig_ssh_required
  tags:
      - RHEL-07-040430
      - CAT2
      - CCI-000318
      - CCI-001812
      - CCI-001813
      - CCI-000368
      - CCI-001814
      - SRG-OS-000364-GPOS-00151
      - SV-204598r603261_rule
      - V-204598
      - ssh

- name: "MEDIUM | RHEL-07-040440 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not permit Kerberos authentication unless needed."
  ansible.builtin.lineinfile:
      path: /etc/ssh/sshd_config
      regexp: "(?i)^#?KerberosAuthentication"
      line: KerberosAuthentication no
      validate: /usr/sbin/sshd -t -f %s
  notify: restart sshd
  when:
      - rhel_07_040440
      - rhel7stig_ssh_required
  tags:
      - RHEL-07-040440
      - CAT2
      - CCI-0003680
      - CCI-001813
      - CCI-001812
      - CCI-001814
      - CCI-000318
      - SRG-OS-000364-GPOS-00151
      - SV-204599r603261_rule
      - V-204599
      - ssh

- name: "MEDIUM | RHEL-07-040450 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon performs strict mode checking of home directory configuration files."
  ansible.builtin.lineinfile:
      path: /etc/ssh/sshd_config
      regexp: "(?i)^#?StrictModes"
      line: StrictModes yes
      validate: /usr/sbin/sshd -t -f %s
  notify: restart sshd
  when:
      - rhel_07_040450
      - rhel7stig_ssh_required
  tags:
      - RHEL-07-040450
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204600r603261_rule
      - V-204600
      - ssh

- name: "MEDIUM | RHEL-07-040460 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon uses privilege separation."
  ansible.builtin.lineinfile:
      path: /etc/ssh/sshd_config
      regexp: "(?i)^#?UsePrivilegeSeparation"
      line: UsePrivilegeSeparation sandbox
      validate: /usr/sbin/sshd -t -f %s
  notify: restart sshd
  when:
      - rhel_07_040460
      - rhel7stig_ssh_required
  tags:
      - RHEL-07-040460
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204601r603261_rule
      - V-204601
      - ssh

- name: "MEDIUM | RHEL-07-040470 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow compression or only allows compression after successful authentication."
  ansible.builtin.lineinfile:
      path: /etc/ssh/sshd_config
      regexp: "(?i)^#?Compression"
      line: Compression no
      validate: /usr/sbin/sshd -t -f %s
  notify: restart sshd
  when:
      - rhel_07_040470
      - rhel7stig_ssh_required
      - ansible_facts['distribution_version'] <= "7.4"
  tags:
      - RHEL-07-040470
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204602r880758_rule
      - V-204602
      - ssh

- name: "MEDIUM | RHEL-07-040500 | The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)."
  block:
      - name: "MEDIUM | RHEL-07-040500 | PATCH | The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)."
        ansible.builtin.package:
            name: chrony
            state: absent
        vars:
            ansible_python_interpreter: "{{ python2_bin }}"
        when: "'chrony' in ansible_facts.packages"

      - name: "MEDIUM | RHEL-07-040500 | PATCH | The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)."
        ansible.builtin.package:
            name: ntp
            state: present
        vars:
            ansible_python_interpreter: "{{ python2_bin }}"
        when: "'ntp' not in ansible_facts.packages"

      - name: "MEDIUM | RHEL-07-040500 | PATCH | The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)."
        ansible.builtin.lineinfile:
            create: true
            dest: "{{ rhel7stig_time_service_configs[rhel7stig_time_service].conf }}"
            regexp: "{{ item.regexp }}"
            line: "{{ item.line }}"
            mode: 0600
        notify: restart {{ rhel7stig_time_service }}
        with_items:
            - "{{ rhel7stig_time_service_configs[rhel7stig_time_service].lines }}"
  when:
      - rhel7stig_time_service == 'ntpd'
      - rhel_07_040500
  tags:
      - RHEL-07-040500
      - CAT2
      - CCI-001891
      - CCI-002046
      - SRG-OS-000355-GPOS-00143
      - SV-204603r603261_rule
      - V-204603
      - ntp
      - ntpd

- name: "MEDIUM | RHEL-07-040500 | The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)."
  block:
      - name: "MEDIUM | RHEL-07-040500 | PATCH | The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)."
        ansible.builtin.package:
            name: ntp
            state: absent
        vars:
            ansible_python_interpreter: "{{ python2_bin }}"
        when: "'ntp' in ansible_facts.packages"

      - name: "MEDIUM | RHEL-07-040500 | PATCH | The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)."
        ansible.builtin.package:
            name: chrony
            state: present
        vars:
            ansible_python_interpreter: "{{ python2_bin }}"
        when: "'chrony' not in ansible_facts.packages"

      - name: "MEDIUM | RHEL-07-040500 | PATCH | The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)."
        ansible.builtin.replace:
            dest: "{{ rhel7stig_time_service_configs[rhel7stig_time_service].conf }}"
            regexp: '^server \S+( \w+)?$'
        notify: restart {{ rhel7stig_time_service }}
  when:
      - rhel7stig_time_service == 'chronyd'
      - rhel_07_040500
  tags:
      - RHEL-07-040500
      - chronyd

- name: "MEDIUM | RHEL-07-040500 | PATCH | The Red Hat Enterprise Linux operating system must, for networked systems, synchronize clocks with a server that is synchronized to one of the redundant United States Naval Observatory (USNO) time servers, a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)."
  ansible.builtin.blockinfile:
      insertbefore: BOF
      dest: "{{ rhel7stig_time_service_configs[rhel7stig_time_service].conf }}"
      block: "{{ rhel7stig_time_service_configs[rhel7stig_time_service].block }}"
      state: present
  notify: restart {{ rhel7stig_time_service }}
  when:
      - rhel7stig_time_service == 'chronyd'
      - rhel_07_040500
  tags:
      - RHEL-07-040500
      - CAT2
      - CCI-001891
      - CCI-002046
      - SRG-OS-000355-GPOS-00143
      - SV-204603r603261_rule
      - V-204603
      - chronyd

- name: "MEDIUM | RHEL-07-040520 | PATCH | The Red Hat Enterprise Linux operating system must enable an application firewall, if available."
  block:
      - name: "MEDIUM | RHEL-07-040520 | PATCH | The Red Hat Enterprise Linux operating system must enable an application firewall, if available."
        ansible.builtin.package:
            name: "{{ rhel7stig_firewall_service }}"
            state: present

      - name: "MEDIUM | RHEL-07-040520 | PATCH | The Red Hat Enterprise Linux operating system must enable an application firewall, if available."
        ansible.builtin.service:
            name: "{{ rhel7stig_firewall_service }}"
            enabled: true
            state: started
  vars:
      ansible_python_interpreter: "{{ python2_bin }}"
  when:
      - rhel_07_040520
  tags:
      - RHEL-07-040520
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204604r603261_rule
      - V-204604
      - firewall

- name: "MEDIUM | RHEL-07-040610 | PATCH | The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets."
  sysctl:
      name: net.ipv4.conf.all.accept_source_route
      state: present
      value: '0'
      reload: "{{ rhel7stig_sysctl_reload }}"
      ignoreerrors: true
  when:
      - rhel_07_040610
  tags:
      - RHEL-07-040610
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204609r880797_rule
      - V-204609
      - ipv4

- name: "MEDIUM | RHEL-07-040611 | PATCH | The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible on all interfaces."
  sysctl:
      name: net.ipv4.conf.all.rp_filter
      value: '1'
      state: present
      reload: "{{ ol7stig_sysctl_reload }}"
  when:
      - rhel_07_040611
  tags:
      - RHEL-07-040611
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204610r880800_rule
      - V-204610
      - sysctl
      - ipv4

- name: "MEDIUM | RHEL-07-040612 | PATCH | The Red Hat Enterprise Linux operating system must use a reverse-path filter for IPv4 network traffic when possible by default."
  sysctl:
      name: net.ipv4.conf.default.rp_filter
      state: present
      value: '1'
      reload: "{{ ol7stig_sysctl_reload }}"
  when:
      - rhel_07_040612
  tags:
      - RHEL-07-040612
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204611r880803_rule
      - V-204611
      - sysctl
      - ipv4

- name: "MEDIUM | RHEL-07-040620 | PATCH | The Red Hat Enterprise Linux operating system must not forward Internet Protocol version 4 (IPv4) source-routed packets by default."
  sysctl:
      name: net.ipv4.conf.default.accept_source_route
      state: present
      value: '0'
      reload: "{{ rhel7stig_sysctl_reload }}"
      ignoreerrors: true
  when:
      - rhel_07_040620
  tags:
      - RHEL-07-040620
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204612r880806_rule
      - V-204612
      - ipv4

- name: "MEDIUM | RHEL-07-040630 | PATCH | The Red Hat Enterprise Linux operating system must not respond to Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) echoes sent to a broadcast address."
  sysctl:
      name: net.ipv4.icmp_echo_ignore_broadcasts
      state: present
      value: '1'
      sysctl_set: true
      reload: "{{ rhel7stig_sysctl_reload }}"
      ignoreerrors: true
  when:
      - rhel_07_040630
  tags:
      - RHEL-07-040630
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204613r880809_rule
      - V-204613
      - ipv4

- name: "MEDIUM | RHEL-07-040640 | PATCH | The Red Hat Enterprise Linux operating system must prevent Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages from being accepted."
  sysctl:
      name: net.ipv4.conf.default.accept_redirects
      state: present
      value: '0'
      reload: "{{ rhel7stig_sysctl_reload }}"
      ignoreerrors: true
  when:
      - rhel_07_040640
  tags:
      - RHEL-07-040640
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204614r880812_rule
      - V-204614
      - ipv4

- name: "MEDIUM | RHEL-07-040641 | PATCH | The Red Hat Enterprise Linux operating system must ignore Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirect messages"
  sysctl:
      name: net.ipv4.conf.all.accept_redirects
      state: present
      value: '0'
      reload: "{{ rhel7stig_sysctl_reload }}"
      ignoreerrors: true
  when:
      - rhel_07_040641
  tags:
      - RHEL-07-040641
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204615r880815_rule
      - V-204615
      - ipv4

- name: "MEDIUM | RHEL-07-040650 | PATCH |  The Red Hat Enterprise Linux operating system must not allow interfaces to perform Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects by default."
  sysctl:
      name: net.ipv4.conf.default.send_redirects
      state: present
      value: '0'
      reload: "{{ rhel7stig_sysctl_reload }}"
      ignoreerrors: true
  when:
      - rhel_07_040650
  tags:
      - RHEL-07-040650
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204616r880818_rule
      - V-204616
      - ipv4

- name: "MEDIUM | RHEL-07-040660 | PATCH | The Red Hat Enterprise Linux operating system must not send Internet Protocol version 4 (IPv4) Internet Control Message Protocol (ICMP) redirects."
  sysctl:
      name: net.ipv4.conf.all.send_redirects
      state: present
      value: '0'
      reload: "{{ rhel7stig_sysctl_reload }}"
      ignoreerrors: true
  when:
      - rhel_07_040660
  tags:
      - RHEL-07-040660
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204617r880821_rule
      - V-204617
      - ipv4

- name: "MEDIUM | RHEL-07-040670 | Network interfaces configured on the Red Hat Enterprise Linux operating system must not be in promiscuous mode."
  block:
      - name: "MEDIUM | RHEL-07-040670 | PATCH | Network interfaces configured on the Red Hat Enterprise Linux operating system must not be in promiscuous mode."
        ansible.builtin.shell: "ip link | grep -i promisc | cut -d ':' -f 2"
        changed_when: rhel_07_040670_promisc_check.stdout| length > 0
        failed_when: false
        check_mode: false
        ignore_errors: true
        register: rhel_07_040670_promisc_check

      - name: "MEDIUM | RHEL-07-040670 | PATCH | Network interfaces configured on the Red Hat Enterprise Linux operating system must not be in promiscuous mode."
        ansible.builtin.shell: "ip link set dev {{ item }} promisc off"
        with_items:
            - "{{ rhel_07_040670_promisc_check.stdout_lines }}"
  when:
      - rhel_07_040670
      - not rhel7stig_net_promisc_mode_required
  tags:
      - RHEL-07-040670
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204618r603261_rule
      - V-204618

- name: "MEDIUM | RHEL-07-040680 | The Red Hat Enterprise Linux operating system must be configured to prevent unrestricted mail relaying."
  block:
      - name: "MEDIUM | RHEL-07-040680 | AUDIT | The Red Hat Enterprise Linux operating system must be configured to prevent unrestricted mail relaying."
        ansible.builtin.shell: "/usr/sbin/postconf -n smtpd_client_restrictions"
        check_mode: false
        changed_when: false
        register: rhel_07_040680_postconf_audit
        when: "'postfix' in ansible_facts.packages"

      - name: "MEDIUM | RHEL-07-040680 | PATCH | The Red Hat Enterprise Linux operating system must be configured to prevent unrestricted mail relaying."
        ansible.builtin.shell: "/usr/sbin/postconf -e 'smtpd_client_restrictions=permit_mynetworks, reject'"
        when:
            - "'postfix' in ansible_facts.packages"
            - rhel_07_040680_postconf_audit.stdout != 'smtpd_client_restrictions = permit_mynetworks, reject'
  when:
      - rhel_07_040680
  tags:
      - RHEL-07-040680
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204619r603261_rule
      - V-204619

- name: "MEDIUM | RHEL-07-040710 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that remote X connections are disabled except to fulfill documented and validated mission requiremen"
  ansible.builtin.lineinfile:
      create: true
      dest: /etc/ssh/sshd_config
      regexp: "(?i)^#?X11Forwarding"
      line: X11Forwarding no
      validate: /usr/sbin/sshd -t -f %s
      mode: 0600
  notify: restart sshd
  when:
      - rhel_07_040710
      - rhel7stig_ssh_required
  tags:
      - RHEL-07-040710
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204622r603849_rule
      - V-204622
      - ssh

- name: "MEDIUM | RHEL-07-040712 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that remote X connections are disabled except to fulfill documented and validated mission requiremen"
  ansible.builtin.lineinfile:
      create: true
      dest: /etc/ssh/sshd_config
      regexp: "(?i)^#?KexAlgorithms"
      line: KexAlgorithms "{{ rhel7stig_ssh_kex }}"
      validate: /usr/sbin/sshd -t -f %s
      mode: 0600
  notify: restart sshd
  when:
      - rhel_07_040712
      - rhel7stig_ssh_required
  tags:
      - RHEL-07-040712
      - CAT2
      - CCI-001453
      - SRG-OS-000033-GPOS-00014
      - SV-255925r880749_rule
      - V-255925
      - ssh

- name: "MEDIUM | RHEL-07-040720 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that if the Trivial File Transfer Protocol (TFTP) server is required, the TFTP daemon is configured to operate in secure mode."
  ansible.builtin.lineinfile:
      path: /etc/xinetd.d/tftp
      regexp: "(?i)^.*server_args.*="
      line: "        server_args             = -s /var/lib/tftpboot"
      insertafter: "        server_args             ="
      state: present
  failed_when:
      - result is failed
      - result.rc != 257
  register: result
  when:
      - rhel7stig_tftp_required
      - rhel_07_040720
  tags:
      - RHEL-07-040720
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204623r603261_rule
      - V-204623
      - tftp

- name: "MEDIUM | RHEL-07-040730 | PATCH | The Red Hat Enterprise Linux operating system must not have an X Windows display manager installed unless approved."
  ansible.builtin.package:
      name:
          - "@x11"
          - xorg-x11-server-common
      state: absent
  vars:
      ansible_python_interpreter: "{{ python2_bin }}"
  when:
      - not rhel7stig_gui
      - rhel_07_040730
  tags:
      - RHEL-07-040730
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204624r646847_rule
      - V-204624
      - x11

- name: "MEDIUM | RHEL-07-040740 | PATCH | The Red Hat Enterprise Linux operating system must not be performing packet forwarding unless the system is a router."
  sysctl:
      name: net.ipv4.ip_forward
      state: present
      value: '0'
      reload: "{{ rhel7stig_sysctl_reload }}"
      ignoreerrors: true
  when:
      - not rhel7stig_system_is_router
      - rhel_07_040740
  tags:
      - RHEL-07-040740
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204625r880824_rule
      - V-204625
      - ipv4

- name: "MEDIUM | RHEL-07-040750 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS."
  block:
      - name: "MEDIUM | RHEL-07-040750 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS."
        ansible.builtin.shell: cat /etc/fstab | grep nfs
        register: rhel_07_040750_nfssec_check
        changed_when: false
        failed_when: false
        check_mode: false

      - name: "MEDIUM | RHEL-07-040750 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS."
        ansible.builtin.debug:
            msg: "There were no applicable NFS mounts found to audit per RHEL-07-040750."
        changed_when: true
        when: rhel_07_040750_nfssec_check.stdout_lines is not defined

      - name: "MEDIUM | RHEL-07-040750 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the Network File System (NFS) is configured to use RPCSEC_GSS."
        ansible.builtin.debug:
            msg: "The following NFS mount is required to be audited per RHEL-07-040750: {{ item }} - If the system is mounting file systems via NFS and has the sec option without the 'krb5:krb5i:krb5p' settings, the 'sec' option has the 'sys' setting, or the 'sec' option is missing, this is a finding."
        changed_when: true
        with_items:
            - "{{ rhel_07_040750_nfssec_check.stdout_lines }}"
        when: rhel_07_040750_nfssec_check.stdout_lines is defined
  when:
      - rhel_07_040750
  tags:
      - RHEL-07-040750
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204626r603261_rule
      - V-204626

- name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services."
  block:
      - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services."
        include_tasks: audit_firewalld.yml
        when: rhel7stig_firewall_service == "firewalld"

      - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services."
        include_tasks: audit_iptables.yml
        when: rhel7stig_firewall_service != "firewalld"

      - name: "MEDIUM | RHEL-07-040810 | AUDIT | The Red Hat Enterprise Linux operating system access control program must be configured to grant or deny system access to specific hosts and services."
        ansible.builtin.debug:
            msg: "Warning!! The variable rhel7stig_start_firewall_service to false, but unable to pull configuration rules for RHEL-07-040810 {{ rhel7stig_firewall_service }}"
        changed_when: true
        when: not rhel7stig_start_firewall_service
  when:
      - rhel_07_040810
      - rhel7stig_disruptive
  tags:
      - RHEL-07-040810
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204628r603261_rule
      - V-204628
      - firewall
      - disruption-high

- name: "MEDIUM | RHEL-07-040820 | PATCH | The Red Hat Enterprise Linux operating system must not have unauthorized IP tunnels configured."
  ansible.builtin.package:
      name: libreswan
      state: absent
  vars:
      ansible_python_interpreter: "{{ python2_bin }}"
  when:
      - "'libreswan' not in ansible_facts.packages"
      - rhel_07_040820
  tags:
      - RHEL-07-040820
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204629r603261_rule
      - V-204629

- name: "MEDIUM | RHEL-07-040830 | PATCH | The Red Hat Enterprise Linux operating system must not forward IPv6 source-routed packets."
  sysctl:
      name: net.ipv6.conf.all.accept_source_route
      state: present
      value: '0'
      reload: "{{ rhel7stig_sysctl_reload }}"
      ignoreerrors: true
  when:
      - rhel_07_040830
  tags:
      - RHEL-07-040830
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204630r880827_rule
      - V-204630
      - ipv6

- name: "MEDIUM | RHEL-07-041001 | The Red Hat Enterprise Linux operating system must have the required packages for multifactor authentication installed."
  block:
      - name: "MEDIUM | RHEL-07-041001 | PATCH | The Red Hat Enterprise Linux operating system must have the required packages for multifactor authentication installed."
        ansible.builtin.package:
            name:
                - esc
                - authconfig-gtk
            state: present
        vars:
            ansible_python_interpreter: "{{ python2_bin }}"
        when:
            - rhel7stig_gui

      - name: "MEDIUM | RHEL-07-041001 | PATCH | The Red Hat Enterprise Linux operating system must have the required packages for multifactor authentication installed."
        ansible.builtin.package:
            name: pam_pkcs11
            state: present
        vars:
            ansible_python_interpreter: "{{ python2_bin }}"
        when: "'pam_pkcs11' not in ansible_facts.packages"
  when:
      - rhel_07_041001
  tags:
      - RHEL-07-041001
      - CAT2
      - CCI-001953
      - CCI-001954
      - CCI-001948
      - SRG-OS-000375-GPOS-00160
      - SV-204631r603261_rule
      - V-204631
      - multifactor

- name: "MEDIUM | RHEL-07-041002 | The Red Hat Enterprise Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM)."
  block:
      - name: "MEDIUM | RHEL-07-041002 | AUDIT | Check if pam service is configured in sssd file"
        ansible.builtin.shell: 'grep -E "^\s*services\s*=.*pam" /etc/sssd/sssd.conf'
        check_mode: false
        changed_when:
            - sssd_services_check.rc == 1
            - not rhel7stig_skip_for_travis
        failed_when: false
        # todo: only run if sssd installed and config file present
        # failed_when: sssd_services_check.rc > 1
        register: sssd_services_check

      - name: "MEDIUM | RHEL-07-041002 | PATCH | The Red Hat Enterprise Linux operating system must implement multifactor authentication for access to privileged accounts via pluggable authentication modules (PAM)."
        ansible.builtin.debug:
            msg: "Warning!! SSSD is in use and /etc/sssd/sssd.conf is not configured to use the PAM service (services = nss, pam)"
        changed_when: rhel7stig_audit_complex
        when: sssd_services_check.rc == 1
  when:
      - rhel7stig_auth_settings.use_sssd
      - rhel7stig_complex
      - rhel_07_041002
  tags:
      - RHEL-07-041002
      - CAT2
      - CCI-001948
      - CCI-001954
      - CCI-001953
      - SRG-OS-000375-GPOS-00160
      - SV-204632r603261_rule
      - V-204632
      - complexity-high
      - sssd

- name: "MEDIUM | RHEL-07-041003 | The Red Hat Enterprise Linux operating system must implement certificate status checking for PKI authentication."
  ansible.builtin.replace:
      path: /etc/pam_pkcs11/pam_pkcs11.conf
      regexp: (?im)^([ \t]*cert_policy[ \t]*=(?:[^ \t\n]|[ \t](?!ocsp_on,))*?)(?:[ \t]ocsp_on,[ \t]*)?[ \t]*((?:[^,\n]|,(?![ \t]*ocsp_on,))*?)(?:,[ \t]*ocsp_on)?;$
      replace: '\1 ocsp_on, \2;'
  when:
      - rhel_07_041003
  tags:
      - RHEL-07-041003
      - CAT2
      - CCI-001954
      - CCI-001953
      - CCI-001948
      - SRG-OS-000375-GPOS-00160
      - SV-204633r603261_rule
      - V-204633
      - certificates

- name: "MEDIUM | RHEL-07-041010 | The Red Hat Enterprise Linux operating system must be configured so that all wireless network adapters are disabled."
  block:
      - name: "MEDIUM | RHEL-07-041010 | AUDIT | check if wifi is enabled"
        ansible.builtin.shell: nmcli radio wifi
        changed_when: false
        check_mode: false
        register: rhel_07_wifi_enabled

      - name: "MEDIUM | RHEL-07-041010 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all wireless network adapters are disabled."
        ansible.builtin.shell: nmcli radio wifi off
        when:
            - "'enabled' in rhel_07_wifi_enabled.stdout"
  when:
      - rhel_07_041010
      - "'NetworkManager' in ansible_facts.packages"
  tags:
      - RHEL-07-041010
      - CAT2
      - CCI-001443
      - CCI-001444
      - CCI-002418
      - SRG-OS-000424-GPOS-00188
      - SV-204634r603261_rule
      - V-204634
      - wifi
      - networking

- name: "MEDIUM | RHEL-07-020019 | AUDIT | The Red Hat Enterprise Linux operating system must have a host-based intrusion detection tool installed."
  ansible.builtin.debug:
      msg:
          - "Please install and enable the latest McAfee HIPS package, available from USCYBERCOM."
          - "If the system does not support the McAfee HIPS package, install and enable a supported intrusion detection system application and document its use with the Authorizing Official."
  when:
      - rhel_07_020019
  tags:
      - audit
      - RHEL-07-020019
      - CAT2
      - CCI-001263
      - SRG-OS-000480-GPOS-00227
      - SV-214800r603261_rule
      - V-214800
      - antivirus

- name: "MEDIUM | RHEL-07-020111 | PATCH | The Red Hat Enterprise Linux operating system must disable the graphical user interface automounter unless required."
  ansible.builtin.copy:
      dest: /etc/dconf/db/local.d/00-No-Automount
      content: |
        [org/gnome/desktop/media-handling]
        automount=false
        automount-open=false
        automount-never=true
      mode: '0644'
  notify: dconf update
  when:
      - rhel7stig_dconf_available
      - rhel_07_020111
  tags:
      - RHEL-07-020111
      - CAT2
      - CCI-001958
      - CCI-000778
      - CCI-000366
      - SRG-OS-000114-GPOS-00059
      - SV-219059r603261_rule
      - V-219059
      - dconf

- name: "MEDIUM | RHEL-07-021031 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user."
  block:
      - name: "MEDIUM | RHEL-07-021031 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user. | Get world-writable files"
        ansible.builtin.shell: "find {{ item.mount }} -xdev -type d -perm -0002 -uid +999 -print"
        changed_when: false
        failed_when: false
        register: rhel_07_021031_world_writable_files
        with_items:
            - "{{ ansible_facts.mounts }}"

      - name: "MEDIUM | RHEL-07-021031 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user. | Flatten results"
        ansible.builtin.set_fact:
            rhel_07_021031_world_writable_files_flat: "{{ rhel_07_021031_world_writable_files.results | map(attribute='stdout_lines') | flatten }}"

      - name: "MEDIUM | RHEL-07-021031 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user. | List world-writable files"
        ansible.builtin.debug:
            msg:
                - "Below are the world-writable files"
                - "{{ rhel_07_021031_world_writable_files_flat }}"
        when:
            - rhel_07_021031_world_writable_files_flat != []

      - name: "MEDIUM | RHEL-07-021031 | AUDIT | The Red Hat Enterprise Linux operating system must be configured so that all world-writable directories are owned by root, sys, bin, or an application user. | Adjust world-writable files"
        ansible.builtin.file:
            path: "{{ item }}"
            owner: root
        with_items:
            - "{{ rhel_07_021031_world_writable_files_flat }}"
        when:
            - rhel7stig_world_write_files_owner_root
            - rhel_07_021031_world_writable_files_flat != []
  when:
      - rhel_07_021031
  tags:
      - RHEL-07-021031
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-228563r606406_rule
      - V-228563
      - fileperms
      - permissions

- name: "MEDIUM | RHEL-07-910055 | PATCH | The Red Hat Enterprise Linux operating system must protect audit information from unauthorized read, modification, or deletion"
  block:
      - name: "MEDIUM | RHEL-07-910055 | AUDIT | The Red Hat EnterpriseLinux operating system must protect audit information from unauthorized read, modification, or deletion | Get log files"
        ansible.builtin.find:
            paths: /var/log/audit
        register: rhel_07_910055_audit_log_files

      - name: "MEDIUM | RHEL-07-910055 | PATCH | The Red Hat EnterpriseLinux operating system must protect audit information from unauthorized read, modification, or deletion | Apply permissions"
        ansible.builtin.file:
            path: "{{ item.path }}"
            owner: root
            group: root
            mode: 0600
        with_items:
            - "{{ rhel_07_910055_audit_log_files.files }}"
        when: item.mode is not search '(0[4,6]00)'
  when:
      - rhel_07_910055
  tags:
      - RHEL-07-910055
      - CAT2
      - CCI-001314
      - CCI-000162
      - CCI-000163
      - CCI-000164
      - SRG-OS-000057-GPOS-00027
      - SV-228564r606407_rule
      - V-228564
      - logs

- name: "MEDIUM | RHEL-07-040711 | PATCH | The Red Hat Enterprise Linux operating system must prevent remote hosts from connecting to the proxy display."
  ansible.builtin.lineinfile:
      create: true
      dest: /etc/ssh/sshd_config
      regexp: "(?i)^#?X11UseLocalhost"
      line: X11UseLocalhost yes
      validate: /usr/sbin/sshd -t -f %s
      mode: 0600
  notify: restart sshd
  when:
      - rhel_07_040711
      - rhel7stig_ssh_required
  tags:
      - RHEL-07-040711
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-233307r603301_rule
      - V-233307
      - ssh

- name: "MEDIUM | RHEL-07-010341 | PATCH | The Red Hat Enterprise Linux operating system must restrict privilege elevation to authorized personnel."
  block:
      - name: "MEDIUM | RHEL-07-010341 | AUDIT | The Red Hat Enterprise Linux operating system must restrict privilege elevation to authorized personnel. | Get ALL settings"
        ansible.builtin.shell: grep -iws 'ALL' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort
        changed_when: false
        failed_when: false
        register: rhel_07_010341_sudoers_all

      - name: "MEDIUM | RHEL-07-010341 | PATCH | The Red Hat Enterprise Linux operating system must restrict privilege elevation to authorized personnel. | Remove format 1"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: 'ALL ALL=(ALL) ALL'
            state: absent
            validate: '/usr/sbin/visudo -cf %s'
        with_items:
            - "{{ rhel_07_010341_sudoers_all.stdout_lines }}"
        when: rhel_07_010341_sudoers_all.stdout | length > 0

      - name: "MEDIUM | RHEL-07-010341 | PATCH | The Red Hat Enterprise Linux operating system must restrict privilege elevation to authorized personnel. | Remove format 2"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: 'ALL\s+ALL=(ALL:ALL)\s+ALL'
            state: absent
            validate: '/usr/sbin/visudo -cf %s'
        with_items:
            - "{{ rhel_07_010341_sudoers_all.stdout_lines }}"
        when: rhel_07_010341_sudoers_all.stdout | length > 0
  when:
      - rhel_07_010341
      - rhel7stig_disruption_high
  tags:
      - RHEL-07-010341
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-237633r646850_rule
      - V-237633
      - sudo

- name: "MEDIUM | RHEL-07-010342 | PATCH | The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using sudo."
  block:
      - name: "MEDIUM | RHEL-07-010342 | AUDIT | The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using sudo. | Get privilege escalation"
        ansible.builtin.shell: grep -Eirs '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' | cut -d":" -f1 | sort --uniq
        changed_when: false
        failed_when: false
        register: rhel_07_010342_priv_escalation

      - name: "MEDIUM | RHEL-07-010342 | PATCH | The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using sudo. | Set privilege escalation for no findings"
        ansible.builtin.lineinfile:
            path: /etc/sudoers
            line: "{{ item }}"
            validate: '/usr/sbin/visudo -cf %s'
        with_items:
            - Defaults !targetpw
            - Defaults !rootpw
            - Defaults !runaspw
        when: rhel_07_010342_priv_escalation.stdout | length == 0

      - name: "MEDIUM | RHEL-07-010342 | PATCH | The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using sudo. | Set privilege escalation for targetpw with findings"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: 'Defaults !targetpw'
            line: 'Defaults !targetpw'
            validate: '/usr/sbin/visudo -cf %s'
        with_items:
            - "{{ rhel_07_010342_priv_escalation.stdout_lines }}"
        when:
            - rhel_07_010342_priv_escalation.stdout | length > 0

      - name: "MEDIUM | RHEL-07-010342 | PATCH | The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using sudo. | Set privilege escalation for rootpw with findings"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: 'Defaults !rootpw'
            line: 'Defaults !rootpw'
            validate: '/usr/sbin/visudo -cf %s'
        with_items:
            - "{{ rhel_07_010342_priv_escalation.stdout_lines }}"
        when:
            - rhel_07_010342_priv_escalation.stdout | length > 0

      - name: "MEDIUM | RHEL-07-010342 | PATCH | The Red Hat Enterprise Linux operating system must use the invoking user's password for privilege escalation when using sudo. | Set privilege escalation for runaspw with findings"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: 'Defaults !runaspw'
            line: 'Defaults !runaspw'
            validate: '/usr/sbin/visudo -cf %s'
        with_items:
            - "{{ rhel_07_010342_priv_escalation.stdout_lines }}"
        when:
            - rhel_07_010342_priv_escalation.stdout | length > 0
  when:
      - rhel_07_010342
      - rhel7stig_disruption_high
  tags:
      - RHEL-07-010342
      - CAT2
      - CCI-002227
      - SRG-OS-000480-GPOS-00227
      - SV-237634r880755_rule
      - V-237634
      - sudo

- name: "MEDIUM | RHEL-07-010343 | PATCH | The Red Hat Enterprise Linux operating system must require re-authentication when using the sudo command."
  block:
      - name: "MEDIUM | RHEL-07-010343 | PATCH | The Red Hat Enterprise Linux operating system must require re-authentication when using the sudo command. | Get files with timeout set"
        ansible.builtin.shell: grep -irs 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort
        changed_when: false
        failed_when: false
        register: rhel_07_010343_timeout_files

      - name: "MEDIUM | RHEL-07-010343 | PATCH | The Red Hat Enterprise Linux operating system must require re-authentication when using the sudo command. | Set value if no results"
        ansible.builtin.lineinfile:
            path: /etc/sudoers
            regexp: 'Defaults timestamp_timeout='
            line: "Defaults timestamp_timeout={{ rhel7stig_sudo_timestamp_timeout }}"
            validate: '/usr/sbin/visudo -cf %s'
        when: rhel_07_010343_timeout_files.stdout | length == 0

      - name: "MEDIUM | RHEL-07-010343 | PATCH | The Red Hat Enterprise Linux operating system must require re-authentication when using the sudo command. | Set value if has results"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: 'Defaults timestamp_timeout='
            line: "Defaults timestamp_timeout={{ rhel7stig_sudo_timestamp_timeout }}"
            validate: '/usr/sbin/visudo -cf %s'
        with_items:
            - "{{ rhel_07_010343_timeout_files.stdout_lines }}"
        when: rhel_07_010343_timeout_files.stdout | length > 0
  when:
      - rhel_07_010343
      - rhel7stig_disruption_high
  tags:
      - RHEL-07-010343
      - CAT2
      - CCI-002038
      - SRG-OS-000373-GPOS-00156
      - SV-237635r833179_rule
      - V-237635
      - sudo

- name: "MEDIUM | RHEL-07-020021 | AUDIT | The Red Hat Enterprise Linux operating system must confine SELinux users to roles that conform to least privilege."
  block:
      - name: "MEDIUM | RHEL-07-020021 | AUDIT | The Red Hat Enterprise Linux operating system must confine SELinux users to roles that conform to least privilege. | Get SELinux Role mappings"
        ansible.builtin.shell: semanage user -l
        changed_when: false
        failed_when: false
        register: rhel_07_020021_sel_role_mappings

      - name: "MEDIUM | RHEL-07-020021 | AUDIT | The Red Hat Enterprise Linux operating system must confine SELinux users to roles that conform to least privilege. | Show SELinux Role mappings"
        ansible.builtin.debug:
            msg: "Warning!! Below are your SELinux Role mappings. Please review the mappings with your SA to determine validity of the mappings"
        when: rhel_07_020021_sel_role_mappings.stdout | length > 0

      - name: "MEDIUM | RHEL-07-020021 | AUDIT | The Red Hat Enterprise Linux operating system must confine SELinux users to roles that conform to least privilege. | Warning!! that semanage is not installed"
        ansible.builtin.debug:
            msg: "Warning!! You do not have semanage installed! Please installed the needed packages"
        when: "'command not found' in rhel_07_020021_sel_role_mappings.stderr"
  when:
      - rhel_07_020021
  tags:
      - RHEL-07-020021
      - CAT2
      - CCI-002165
      - CCI-002235
      - SRG-OS-000324-GPOS-00125
      - SV-250312r792843_rule
      - V-250312

- name: "MEDIUM | RHEL-07-020022 | PATCH | The Red Hat Enterprise Linux operating system must not allow privileged accounts to utilize SSH."
  seboolean:
      name: ssh_sysadm_login
      persistent: true
      state: "{{ rhel7stig_ssh_sysadm_login_state }}"
  when:
      - rhel_07_020022
  tags:
      - RHEL-07-020022
      - CAT2
      - CCI-002165
      - CI-002235
      - SRG-OS-000324-GPOS-00125
      - SV-250313r792846_rule
      - V-250313

- name: "MEDIUM | RHEL-07-020023 | AUDIT | The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command"
  block:
      - name: "MEDIUM | RHEL-07-020023 | AUDIT | The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command | Get sysadm_r sudoers status"
        ansible.builtin.shell: grep -rs sysadm_r /etc/sudoers /etc/sudoers.d/*
        changed_when: false
        failed_when: false
        register: rhel_07_020023_sel_admin_sudo_status

      - name: "MEDIUM | RHEL-07-020023 | AUDIT | The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command"
        ansible.builtin.debug:
            msg:
                - "Warning!! Below is your sysadm_r settings in your sudoers file."
                - "Please review to confirm a designated sudoers admin group or account(s) is not configured to eleveate the SELinux type and role to sysadm_t and sysadm_r with the use of the sudo command | Display if entry exists"
                - "{{ rhel_07_020023_sel_admin_sudo_status.stdout_lines }}"
        when: rhel_07_020023_sel_admin_sudo_status.stdout | length > 0

      - name: "MEDIUM | RHEL-07-020023 | AUDIT | The Red Hat Enterprise Linux operating system must elevate the SELinux context when an administrator calls the sudo command"
        ansible.builtin.debug:
            msg:
                - "Warning!! You do not have sysadm_r configured in your sudoers file(s_"
                - "Please configure to designate sudoers administrator group or account(s) is not configured to elevate the SELinux type and role to sysadm_t and sysadm_r with the use of the sudo command | Warning!! that on entry exists"
        when: rhel_07_020023_sel_admin_sudo_status.stdout | length == 0
  when:
      - rhel_07_020023
  tags:
      - RHEL-07-020023
      - CAT2
      - CCI-002165
      - CCI-002235
      - SRG-OS-000324-GPOS-00125
      - SV-250314r861076_rule
      - V-250314