fix-cat2.yml

---
# TODO: ansible-lint: schema
- name: "MEDIUM | RHEL-08-010001 | PATCH | The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool."
  block:
      - name: "MEDIUM | RHEL-08-010001 | PATCH | The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool. | Alert no McAfee"
        ansible.builtin.debug:
            msg:
                - "WARNING!! You have no McAfee installed. To comply with STIG ID RHEL-08-010001 you need an AV tool"
                - "McAfee is the suggested by STIG"
        when:
            - "'mcafeetp' not in ansible_facts.packages or
               'mfetpd' not in ansible_facts.packages"

      - name: "MEDIUM | RHEL-08-010001 | PATCH | The RHEL 8 operating system must implement the Endpoint Security for Linux Threat Prevention tool. | Alert on McAfee present"
        ansible.builtin.debug:
            msg: "Congratulations! You have McAfee installed"
        when:
            - "'mcafeetp' in ansible_facts.packages or
               'mfetpd' in ansible_facts.packages"
  when:
      - rhel_08_040286
      - rhel8stig_av_sftw == 'mcafee'
  tags:
      - RHEL-08-010001
      - CAT2
      - CCI-001233
      - SRG-OS-000191-GPOS-00080
      - SV-245540r942951_rule
      - V-245540

- name: "MEDIUM | RHEL-08-010010 | PATCH | RHEL 8 vendor packaged system security patches and updates must be installed and up to date."
  ansible.builtin.package:
      name: "*"
      state: latest
  when:
      - not system_is_ec2
      - rhel_08_010010
  tags:
      - RHEL-08-010010
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230222r627750_rule
      - V-230222

- name: "MEDIUM | RHEL-08-010019 | PATCH | RHEL 8 must ensure cryptographic verification of vendor software packages."
  block:
      - name: "MEDIUM | RHEL-08-010019 | PATCH | RHEL 8 must ensure cryptographic verification of vendor software packages. | package installed"
        ansible.builtin.package:
            name: "{{ gpg_package }}"
            state: present
        when: "gpg_package not in ansible_facts.packages"

      - name: "MEDIUM | RHEL-08-010019 | AUDIT | RHEL 8 must ensure cryptographic verification of vendor software packages. | Confirm keys"
        ansible.builtin.shell: "gpg -q --keyid-format short --with-fingerprint {{ rpm_gpg_key }} | grep -B1 '{{ item.name }}' | grep '{{ item.fingerprint }}'"
        changed_when: false
        failed_when: rhel_08_010019_gpg_info.rc not in [ 0, 1]
        register: rhel_08_010019_gpg_info
        loop: "{{ gpg_keys }}"
        loop_control:
            label: item.name

      - name: "MEDIUM | RHEL-08-010019 | AUDIT | RHEL 8 must ensure cryptographic verification of vendor software packages. | warn"
        ansible.builtin.debug:
            msg:
                - "WARNING!! Please investigate the vendor gpgkeys match expected values"
        loop: "{{ rhel_08_010019_gpg_info.results }}"
        when: item.rc != 0
  when:
      - not system_is_ec2
      - rhel_08_010019
  tags:
      - RHEL-08-010019
      - CAT2
      - CCI-001749
      - SRG-OS-000366-GPOS-00153
      - SV-256973r902752_rule
      - V-256973

- name: "MEDIUM | RHEL-08-010030 | AUDIT | All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection."
  block:
      - name: "MEDIUM | RHEL-08-010030 | AUDIT | All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Get partition layout"
        ansible.builtin.shell: lsblk
        changed_when: false
        failed_when: false
        register: rhel_08_010030_partition_layout

      - name: "MEDIUM | RHEL-08-010030 | AUDIT | All RHEL 8 local disk partitions must implement cryptographic mechanisms to prevent unauthorized disclosure or modification of all information that requires at rest protection. | Message out warning"
        ansible.builtin.debug:
            msg:
                - 'WARNING!! Below is the partition layout. Please run the "sudo more /etc/crypttab" command to confirm every persistent disk partition has an entry.'
                - "If partitions other than pseudo file systems (such as /var or /sys) this is a finding"
                - "{{ rhel_08_010030_partition_layout.stdout_lines }}"
  when:
      - rhel_08_010030
  tags:
      - RHEL-08-010030
      - CAT2
      - CCI-001199
      - SRG-OS-000185-GPOS-00079
      - SV-230224r917864_rule
      - V-230224

- name: |
        "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon."
        "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon"
  block:
      - name: |
              "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Uncomment banner keyword and set banner path""
              "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Uncomment banner keyword and set banner path""
        ansible.builtin.lineinfile:
            path: /etc/ssh/sshd_config
            regexp: '(?i)^#?Banner'
            line: 'Banner /etc/issue'
            validate: '/usr/sbin/sshd -T -f %s'
        when:
            - rhel8stig_ssh_required

      - name: |
              "MEDIUM | RHEL-08-010040 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a ssh logon. | Set banner message""
              "MEDIUM | RHEL-08-010060 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a command line user logon. | Set banner message""
        ansible.builtin.copy:  # noqa: template-instead-of-copy
            dest: "{{ item }}"
            content: "{{ rhel8stig_logon_banner }}"
            owner: root
            group: root
            mode: 'u-x,go-wx'
        notify: restart sshd
        with_items:
            - /etc/issue
            - /etc/issue.net
        when:
            # - not system_is_ec2
            - rhel_08_010040 or
              rhel_08_010060
        tags:
            - CAT2
            - RHEL-08-010040
            - RHEL-08-010060
            - CCI-000048
            - SRG-OS-000023-GPOS-00006
            - SV-230225r951590_rule
            - SV-230227r627750_rule
            - V-230225
            - V-230227

- name: "MEDIUM | RHEL-08-010049 | PATCH | RHEL 8 must display a banner before granting local or remote access to the system via a graphical user logon"
  ansible.builtin.lineinfile:
      path: /etc/dconf/db/local.d/01-banner-message
      regexp: 'banner-message-enabled='
      line: banner-message-enable=true
      create: true
      mode: 'u-x,go-wx'
      owner: root
      group: root
      insertafter: '[org/gnome/login-screen]'
  notify: dconf update
  when:
      - rhel_08_010049
  tags:
      - RHEL-08-010049
      - CAT2
      - CCI-000048
      - SRG-OS-000023-GPOS-00006
      - SV-244519r743806_rule
      - V-244519
      - banner

- name: "MEDIUM | RHEL-08-010050 | PATCH | RHEL 8 must display the Standard Mandatory DoD Notice and Consent Banner before granting local or remote access to the system via a graphical user logon."
  ansible.builtin.copy:  # noqa: template-instead-of-copy
      dest: /etc/dconf/db/local.d/01-banner-message
      content: |
          [org/gnome/login-screen]
          banner-message-text='{{ rhel8stig_logon_banner | replace(newline, "\n") }}'
          banner-message-enable=true
      mode: 'u-x,go-wx'
      owner: root
      group: root
  vars:
      newline: "\n"
  notify: dconf update
  when:
      - rhel_08_010050
      - "'dconf' in ansible_facts.packages"
      - rhel8stig_always_configure_dconf
  tags:
      - RHEL-08-010050
      - CAT2
      - CCI-000048
      - SRG-OS-000023-GPOS-00006
      - SV-230226r743916_rule
      - V-230226

- name: "MEDIUM | RHEL-08-010070 | PATCH | All RHEL 8 remote access methods must be monitored."
  ansible.builtin.lineinfile:
      path: /etc/rsyslog.conf
      regexp: ^(?!#).*\/var\/log\/secure
      line: 'auth.*;authpriv.*;daemon.* /var/log/secure'
      create: true
      mode: 'u-x,go-wx'
  notify: restart rsyslog
  when:
      - rhel_08_010070
  tags:
      - RHEL-08-010070
      - CAT2
      - CCI-000067
      - SRG-OS-000032-GPOS-00013
      - SV-230228r951592_rule
      - V-230228
      - rsyslog

# This task wants you to download the latest DoD root certs and place the chain pem in /etc/sssd/pki/sssd_auth_ca_db.pem. This might need to be a message out, but I will circle back to this and confirm.
- name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor."
  block:
      - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Get current certs"
        ansible.builtin.shell: openssl x509 -text -in /etc/sssd/pki/sssd_auth_ca_db.pem
        changed_when: false
        failed_when: false
        register: rhel_08_010090_certs_list

      - name: "MEDIUM | RHEL-08-010090 | PATCH | RHEL 8, for PKI-based authentication, must validate certificates by constructing a certification path (which includes status information) to an accepted trust anchor. | Message out certs"
        ansible.builtin.debug:
            msg:
                - "WARNING!! The certs below are the ones applied to this system. Please review and confirm they are the latest issued from the DoD"
                - "If they are not please apply the latest PKI CA certificate bundle from cyber.mil and copy the DoD_PKE_CA_chain.pem into /etc/sssd/pki/sssd_auth_ca_db.pem"
                - "{{ rhel_08_010090_certs_list.stdout_lines | default('None-found') }}"
  when:
      - rhel_08_010090
  tags:
      - RHEL-08-010090
      - CAT2
      - CCI-000185
      - SRG-OS-000066-GPOS-00034
      - SV-230229r858739_rule
      - V-230229
      - certificates

- name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key."
  block:
      - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. | Create .ssh folder"
        ansible.builtin.file:
            path: "{{ rhel8stig_path_to_sshkey }}"
            state: directory
            mode: 'u+x,go-rwx'

      - name: "MEDIUM | RHEL-08-010100 | PATCH | RHEL 8, for certificate-based authentication, must enforce authorized access to the corresponding private key. | Create key pair"
        community.crypto.openssh_keypair:
            path: "{{ rhel8stig_path_to_sshkey }}/id_rsa"
  when:
      - rhel_08_010100
      - rhel8stig_ssh_required
  tags:
      - RHEL-08-010100
      - CAT2
      - CCI-000186
      - SRG-OS-000067-GPOS-00035
      - SV-230230r627750_rule
      - V-230230

- name: "MEDIUM | RHEL-08-010110 | PATCH | RHEL 8 must encrypt all stored passwords with a FIPS 140-2 approved cryptographic hashing algorithm."
  ansible.builtin.lineinfile:
      path: /etc/login.defs
      regexp: '^ENCRYPT_METHOD.*'
      line: "ENCRYPT_METHOD {{ rhel8stig_login_defaults.encrypt_method | default('SHA512') }}"
      owner: root
      group: root
      mode: "{{ rhel8stig_login_defs_file_perms }}"
  when:
      - rhel_08_010110
  tags:
      - RHEL-08-010110
      - CAT2
      - CCI-000196
      - SRG-OS-000073-GPOS-00041
      - SV-230231r627750_rule
      - V-230231
      - login

- name: "MEDIUM | RHEL-08-010120 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords."
  block:
      - name: "MEDIUM | RHEL-08-010120 | AUDIT | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Get user accounts not using FIPS 140-2 hashing"
        ansible.builtin.shell: 'cat /etc/shadow | grep -v "*" | grep -v "!" | grep -v ":$6$" | cut -f1 -d:'
        changed_when: false
        failed_when: false
        register: rhel_08_010120_non_fips_hashed_accounts

      - name: "MEDIUM | RHEL-08-010120 | PATCH | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Lock user not using FIPS 140-2 hashing"
        ansible.builtin.shell: "passwd -l {{ item }}"
        with_items:
            - "{{ rhel_08_010120_non_fips_hashed_accounts.stdout_lines }}"
        when:
            - rhel_08_010120_non_fips_hashed_accounts.stdout | length > 0

      - name: "MEDIUM | RHEL-08-010120 | AUDIT | RHEL 8 must employ FIPS 140-2 approved cryptographic hashing algorithms for all stored passwords. | Message out user accounts"
        ansible.builtin.debug:
            msg:
                - "WARNING!! The following accounts do not have FIPS 140-2 hashing. Please review the accounts and correct to conform to control 010120 of the RHEL8 STIG"
                - "{{ rhel_08_010120_non_fips_hashed_accounts.stdout_lines }}"
        when:
            - not rhel8stig_disruption_high
            - rhel_08_010120_non_fips_hashed_accounts.stdout | length > 0
  when:
      - rhel_08_010120
      - rhel8stig_disruption_high
  tags:
      - RHEL-08-010120
      - CAT2
      - CCI-000196
      - SRG-OS-000073-GPOS-00041
      - SV-230232r627750_rule
      - V-230232
      - disruption_high

- name: "MEDIUM | RHEL-08-010130 | PATCH | The RHEL 8 shadow password suite must be configured to use a sufficient number of hashing rounds."
  ansible.builtin.lineinfile:
      path: /etc/login.defs
      regexp: ^.*SHA_CRYPT_MIN_ROUNDS\s
      line: SHA_CRYPT_MIN_ROUNDS {{ rhel8stig_hashing_rounds }}
      owner: root
      group: root
      mode: "{{ rhel8stig_login_defs_file_perms }}"
  when:
      - rhel_08_010130
  tags:
      - RHEL-08-010130
      - CAT2
      - CCI-000196
      - SRG-OS-000073-GPOS-00041
      - SV-230233r880705_rule
      - V-230233
      - pamd

- name: |
    "MEDIUM | RHEL-08-010141 | PATCH | RHEL 8 operating systems booted with United Extensible Firmware Interface (UEFI) must require a unique superusers name upon booting into single-user mode and maintenance."
    "MEDIUM | RHEL-08-010149 | PATCH | RHEL 8 operating systems booted with a BIOS must require a unique superusers name upon booting into single-user and maintenance modes."
  ansible.builtin.template:
      src: 01_users.j2
      dest: /etc/grub.d/01_users
      owner: root
      group: root
      mode: 'u+x,go-w'
  notify: confirm grub2 user cfg
  when:
      - rhel_08_010141 or
        rhel_08_010149
  tags:
      - RHEL-08-010141
      - RHEL-08-010149
      - CAT2
      - CCI-000213
      - SRG-OS-000080-GPOS-00048
      - SV-244521r792982_rule
      - SV-244522r792984_rule
      - V-244521
      - V-244522
      - grub

- name: "MEDIUM | RHEL-08-010151 | PATCH | RHEL 8 operating systems must require authentication upon booting into emergency or rescue modes."
  ansible.builtin.lineinfile:
      path: /usr/lib/systemd/system/rescue.service
      regexp: '^ExecStart='
      line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue"
      create: true
      owner: root
      group: root
      mode: 'u-x,go-wx'
  when:
      - rhel_08_010151
  tags:
      - RHEL-08-010151
      - CAT2
      - CCI-000213
      - SRG-OS-000080-GPOS-00048
      - SV-230236r743928_rule
      - V-230236
      - systemd

- name: "MEDIUM | RHEL-08-010152 | PATCH | RHEL 8 operating systems must require authentication upon booting into emergency mode."
  ansible.builtin.lineinfile:
      path: /usr/lib/systemd/system/emergency.service
      regexp: '^ExecStart='
      line: "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency"
      create: true
      owner: root
      group: root
      mode: 'u-x,go-wx'
  when:
      - rhel_08_010152
  tags:
      - RHEL-08-010152
      - CAT2
      - CCI-000213
      - SRG-OS-000080-GPOS-00048
      - SV-244523r743818_rule
      - V-244523
      - systemd

- name: "MEDIUM | RHEL-08-010159 | PATCH | The RHEL 8 pam_unix.so module must be configured in the system-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication."
  community.general.pamd:
      name: system-auth
      type: password
      control: sufficient
      module_path: pam_unix.so
      module_arguments: sha512
      state: args_present
  when:
      - rhel_08_010159
  tags:
      - RHEL-08-010159
      - CAT2
      - CCI-000803
      - SRG-OS-000120-GPOS-00061
      - SV-244524r809331_rule
      - V-244524
      - pamd

- name: "MEDIUM | RHEL-08-010160 | PATCH | The RHEL 8 pam_unix.so module must be configured in the password-auth file to use a FIPS 140-2 approved cryptographic hashing algorithm for system authentication."
  community.general.pamd:
      name: password-auth
      type: password
      control: sufficient
      module_path: pam_unix.so
      module_arguments: sha512
      state: args_present
  when:
      - rhel_08_010160
  tags:
      - RHEL-08-010160
      - CAT2
      - CCI-000803
      - SRG-OS-000120-GPOS-00061
      - SV-230237r809276_rule
      - V-230237
      - pamd

- name: "MEDIUM | RHEL-08-010161 | PATCH | RHEL 8 must prevent system daemons from using Kerberos for authentication."
  block:
      - name: "MEDIUM | RHEL-08-010161 | AUDIT | RHEL 8 must prevent system daemons from using Kerberos for authentication. | Find .keytab files"
        ansible.builtin.shell: find / -name *.keytab
        changed_when: false
        failed_when: rhel8stig_010161_keytab_files.rc not in [ 0, 1 ]
        register: rhel8stig_010161_keytab_files

      - name: "MEDIUM | RHEL-08-010161 | PATCH | RHEL 8 must prevent system daemons from using Kerberos for authentication. | Remove .keytab files"
        ansible.builtin.file:
            path: "{{ item }}"
            state: absent
        with_items:
            - "{{ rhel8stig_010161_keytab_files.stdout_lines }}"
        when: rhel8stig_010161_keytab_files.stdout | length > 0
  when:
      - rhel_08_010161
  tags:
      - RHEL-08-010161
      - CAT2
      - CCI-000803
      - SRG-OS-000120-GPOS-00061
      - SV-230238r646862_rule
      - V-230238
      - kerberos

- name: "MEDIUM | RHEL-08-010162 | PATCH | The krb5-workstation package must not be installed on RHEL 8."
  ansible.builtin.package:
      name: krb5-workstation
      state: absent
  when:
      - rhel_08_010162
  tags:
      - RHEL-08-010162
      - CAT2
      - CCI-000803
      - SRG-OS-000120-GPOS-00061
      - SV-230239r646864_rule
      - V-230239
      - kerberos

- name: "|
        MEDIUM | RHEL-08-010170 | PATCH | RHEL8 must use a Linux Security Module configured to enforce limits on system services.
        MEDIUM | RHEL-08-010450 | PATCH | RHEL 8 must enable the SELinux targeted policy."
  ansible.posix.selinux:
      state: enforcing
      policy: targeted
  check_mode: "{{ ansible_check_mode or rhel8stig_system_is_chroot }}"
  notify: change_requires_reboot
  when:
      - rhel_08_010170 or rhel_08_010450
      - rhel8stig_disruption_high
  tags:
      - CAT2
      - RHEL-08-010170
      - RHEL-08-010450
      - CCI-001084
      - CCI-002696
      - SRG-OS-000134-GPOS-00068
      - SRG-OS-000445-GPOS-00199
      - SV-230240r627750_rule
      - SV-230282r627750_rule
      - V-230240
      - V-230282
      - selinux
      - disruption_high

- name: "MEDIUM | RHEL-08-010190 | PATCH | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources."
  block:
      - name: "MEDIUM | RHEL-08-010190 | AUDIT | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. | Find world-writable directories"
        ansible.builtin.shell: "find / -xdev -type d \\( -perm -0002 -a ! -perm -1000 \\) -print 2>/dev/null | sed 's/.* //'"
        changed_when: false
        failed_when: false
        register: rhel_08_010190_world_writable_files

      - name: "MEDIUM | RHEL-08-010190 | PATCH | A sticky bit must be set on all RHEL 8 public directories to prevent unauthorized and unintended information transferred via shared system resources. | Set sticky bit to world-writable files"
        ansible.builtin.file:
            path: "{{ item }}"
            mode: '+t'
        with_items:
            - "{{ rhel_08_010190_world_writable_files.stdout_lines }}"
  when:
      - rhel_08_010190
  tags:
      - RHEL-08-010190
      - CAT2
      - CCI-001090
      - SRG-OS-000138-GPOS-00069
      - SV-230243r792857_rule
      - V-230243
      - permissions

- name: "MEDIUM | RHEL-08-010200 | PATCH | RHEL 8 must be configured so that all network connections associated with SSH traffic are terminated at the end of the session or after 10 minutes of inactivity, except to fulfill documented and validated mission requirements."
  ansible.builtin.lineinfile:
      path: /etc/ssh/sshd_config
      regexp: '(?i)^#?ClientAliveCountMax.*'
      line: ClientAliveCountMax 1
      validate: '/usr/sbin/sshd -T -f %s'
  notify: restart sshd
  when:
      - rhel_08_010200
      - rhel8stig_ssh_required
  tags:
      - RHEL-08-010200
      - CAT2
      - CCI-001133
      - SRG-OS-000163-GPOS-00072
      - SV-230244r951594_rule
      - V-230244
      - ssh

- name: "MEDIUM | RHEL-08-010201 | PATCH | The RHEL 8 SSH daemon must be configured with a timeout interval"
  ansible.builtin.lineinfile:
      path: /etc/ssh/sshd_config
      regexp: '(?i)^#?ClientAliveInterval.*'
      line: "ClientAliveInterval {{ rhel8stig_ssh_session_timeout }}"
      validate: '/usr/sbin/sshd -T -f %s'
  notify: restart sshd
  when:
      - rhel_08_010201
      - rhel8stig_ssh_required
  tags:
      - RHEL-08-010201
      - CAT2
      - CCI-001133
      - SRG-OS-000163-GPOS-00072
      - SV-244525r951596_rule
      - V-244525
      - ssh

- name: |
        "MEDIUM | RHEL-08-010210 | PATCH | The RHEL 8 /var/log/messages file must have mode 0640 or less permissive."
        "MEDIUM | RHEL-08-010220 | PATCH | The RHEL 8 /var/log/messages file must be owned by root."
        "MEDIUM | RHEL-08-010230 | PATCH | The RHEL 8 /var/log/messages file must be group-owned by root."
  ansible.builtin.file:
      path: /var/log/messages
      owner: root
      group: root
      mode: "{{ rhel8stig_var_log_messages_perm }}"
  when:
      - rhel_08_010210 or
        rhel_08_010220 or
        rhel_08_010230
  tags:
      - CAT2
      - RHEL-08-010210
      - RHEL-08-010220
      - RHEL-08-010230
      - CCI-001314
      - SRG-OS-000206-GPOS-00084
      - SV-230245r627750_rule
      - SV-230246r627750_rule
      - SV-230247r627750_rule
      - V-230245
      - V-230246
      - V-230247
      - permissions

- name: "MEDIUM | RHEL-08-020025 | PATCH | 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file."
  block:
      - name: "MEDIUM | RHEL-08-020025 | PATCH | 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | Set preauth"
        ansible.builtin.lineinfile:
            path: /etc/pam.d/system-auth
            regexp: '^auth\s+required\s+pam_faillock.so preauth'
            line: "auth       required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
            insertafter: '^auth\s+required\s+pam_env.so'
        notify: restart sssd

      - name: "MEDIUM | RHEL-08-020025 | PATCH | 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | Set authfail"
        ansible.builtin.lineinfile:
            path: /etc/pam.d/system-auth
            regexp: '^auth\s+required\s+pam_faillock.so authfail'
            line: 'auth       required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
            insertafter: '^auth'
        notify: restart sssd

      - name: "MEDIUM | RHEL-08-020025 | PATCH | 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file. | Set account faillock"
        ansible.builtin.lineinfile:
            path: /etc/pam.d/system-auth
            regexp: '^account\s+required\s+pam_faillock.so'
            line: 'account    required pam_faillock.so'
            insertbefore: '^account'
        notify: restart sssd
  when:
      - rhel_08_020025
      - ansible_distribution_version is version('8.2', '>=')
  tags:
      - RHEL-08-020025
      - CAT2
      - CCI-000044
      - SRG-OS-000021-GPOS-00005
      - SV-244533r743848_rule
      - V-244533
      - pamd

- name: "MEDIUM | RHEL-08-020026 | PATCH | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file."
  block:
      - name: "MEDIUM | RHEL-08-020026 | PATCH | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | Set preauth"
        ansible.builtin.lineinfile:
            path: /etc/pam.d/password-auth
            regexp: '^auth\s+required\s+pam_faillock.so preauth'
            line: "auth       required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
            insertafter: '^auth\s+required\s+pam_env.so'
        notify: restart sssd

      - name: "MEDIUM | RHEL-08-020026 | PATCH | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | Set authfail"
        ansible.builtin.lineinfile:
            path: /etc/pam.d/password-auth
            regexp: '^auth\s+required\s+pam_faillock.so authfail'
            line: 'auth       required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
            insertafter: '^auth'
        notify: restart sssd

      - name: "MEDIUM | RHEL-08-020026 | PATCH | RHEL 8 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file. | Set account faillock"
        ansible.builtin.lineinfile:
            path: /etc/pam.d/password-auth
            regexp: '^account\s+required\s+pam_faillock.so'
            line: 'account    required pam_faillock.so'
            insertbefore: '^account'
        notify: restart sssd
  when:
      - rhel_08_020026
      - ansible_distribution_version is version('8.2', '>=')
  tags:
      - RHEL-08-020026
      - CAT2
      - CCI-000044
      - SRG-OS-000021-GPOS-00005
      - SV-244534r743851_rule
      - V-244534
      - pamd

- name: "MEDIUM | RHEL-08-020031 | PATCH | RHEL 8 must initiate a session lock for graphical user interfaces when the screensaver is activated."
  ansible.builtin.copy:
      dest: /etc/dconf/db/local.d/00-screensaver_rhel_08_020031
      content: |
          [org/gnome/desktop/screensaver]
          lock-delay=uint32 5
      mode: 'u-x,go-wx'
  notify: dconf update
  when:
      - rhel_08_020031
      - rhel8stig_always_configure_dconf
      - rhel8stig_gui
  tags:
      - RHEL-08-020031
      - CAT2
      - CCI-000057
      - SRG-OS-000029-GPOS-00010
      - SV-244535r743854_rule
      - V-244535
      - dconf

- name: "MEDIUM | RHEL-08-020032 | PATCH | RHEL 8 must disable the user list at logon for graphical user interfaces."
  ansible.builtin.copy:
      dest: /etc/dconf/db/local.d/02-login-screen_rhel_08_020032
      content: |
          [org/gnome/login-screen]
          disable-user-list=true
      mode: 'u-x,go-wx'
  when:
      - rhel_08_020032
      - rhel8stig_always_configure_dconf
      - rhel8stig_gui
  tags:
      - RHEL-08-020032
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-244536r743857_rule
      - V-244536
      - dconf

- name: "MEDIUM | RHEL-08-020039 | PATCH | RHEL 8 must have the tmux package installed."
  ansible.builtin.package:
      name: tmux
      state: present
  when:
      - rhel_08_020039
      - "'tmux' not in ansible_facts.packages"
  tags:
      - RHEL-08-020039
      - CAT2
      - CCI-000056
      - SRG-OS-000028-GPOS-00009
      - SV-244537r743860_rule
      - V-244537
      - tmux

- name: |
        "MEDIUM | RHEL-08-010240 | PATCH | The RHEL 8 /var/log directory must have mode 0755 or less permissive."
        "MEDIUM | RHEL-08-010250 | PATCH | The RHEL 8 /var/log directory must be owned by root."
        "MEDIUM | RHEL-08-010260 | PATCH | The RHEL 8 /var/log directory must be group-owned by root."
  ansible.builtin.file:
      path: /var/log
      owner: root
      group: root
      mode: "{{ rhel8stig_var_log_perm }}"
  when:
      - rhel_08_010240 or
        rhel_08_010250 or
        rhel_08_010260
  tags:
      - CAT2
      - RHEL-08-010240
      - RHEL-08-010250
      - RHEL-08-010260
      - CCI-001314
      - SRG-OS-000206-GPOS-00084
      - SV-230248r627750_rule
      - SV-230249r627750_rule
      - SV-230250r627750_rule
      - V-230248
      - V-230249
      - V-230250
      - permissions

- name: "MEDIUM | RHEL-08-020081 | PATCH | RHEL 8 must prevent a user from overriding the session idle-delay setting for the graphical user interface."
  ansible.builtin.copy:
      dest: /etc/dconf/db/local.d/locks/session_rhel_08_020081
      content: |
          /org/gnome/desktop/session/idle-delay
      mode: 'u-x,go-wx'
  notify: dconf update
  when:
      - rhel_08_020081
      - rhel8stig_always_configure_dconf
      - rhel8stig_gui
  tags:
      - RHEL-08-020081
      - CAT2
      - CCI-000057
      - SRG-OS-000029-GPOS-00010
      - SV-244538r743863_rule
      - V-244538

- name: "MEDIUM | RHEL-08-020082 | PATCH | RHEL 8 must prevent a user from overriding the screensaver lock-enabled setting for the graphical user interface."
  ansible.builtin.copy:
      dest: /etc/dconf/db/local.d/locks/session_rhel_08_020082
      content: |
          /org/gnome/desktop/screensaver/lock-enabled
      mode: 'u-x,go-wx'
  notify: dconf update
  when:
      - rhel_08_020082
      - rhel8stig_always_configure_dconf
      - rhel8stig_gui
  tags:
      - RHEL-08-020082
      - CAT2
      - CCI-000057
      - SRG-OS-000029-GPOS-00010
      - SV-244539r743866_rule
      - V-244539
      - dconf

- name: "MEDIUM | RHEL-08-010287 | PATCH | The RHEL 8 SSH daemon must be configured to use system-wide crypto policies."
  ansible.builtin.lineinfile:
      path: /etc/sysconfig/sshd
      regexp: '^CRYPTO_POLICY='
      line: '# CRYPTO_POLICY='
  notify: change_requires_reboot
  when:
      - rhel_08_010287
      - rhel8stig_ssh_required
  tags:
      - RHEL-08-010287
      - CAT2
      - CCI-001453
      - SRG-OS-000250-GPOS-00093
      - SV-244526r809334_rule
      - V-244526
      - ssh

- name: "MEDIUM | RHEL-08-010293 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package."
  block:
      - name: "MEDIUM | RHEL-08-010293 | AUDIT | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. | Get current FIPS mode state"
        ansible.builtin.shell: fips-mode-setup --check
        changed_when: false
        failed_when: rhel_08_010293_pre_fips_check.stdout is not defined
        register: rhel_08_010293_pre_fips_check

      - name: "MEDIUM | RHEL-08-010293 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption in the OpenSSL package. | Enable FIPS"
        ansible.builtin.shell: fips-mode-setup --enable
        notify: change_requires_reboot
        when: '"disabled" in rhel_08_010293_pre_fips_check.stdout'
  when:
      - rhel_08_010293
  tags:
      - RHEL-08-010293
      - CAT2
      - CCI-001453
      - SRG-OS-000250-GPOS-00093
      - SV-230254r627750_rule
      - V-230254
      - fips

- name: "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | Add MACs"
  block:
      - name: "MEDIUM | RHEL-08-010290 | AUDIT | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | get MACs"
        ansible.builtin.shell: grep "^CRYPTO_POLICY" /etc/crypto-policies/back-ends/opensshserver.config | cut -d "'" -f2 | sed s'/ /\n/g' | grep -i MACs | sed s'/-o//g'
        changed_when: false
        register: rhel8stig_current_macs

      - name: "MEDIUM | RHEL-08-010290 | PATCH | The RHEL 8 SSH daemon must be configured to use only Message Authentication Codes (MACs) employing FIPS 140-2 validated cryptographic hash algorithms. | get MACs"
        ansible.builtin.lineinfile:
            path: /etc/crypto-policies/back-ends/opensshserver.config
            regexp: '(^CRYPTO_POLICY=.*)-o{{ rhel8stig_current_macs.stdout }}(.*$)'
            line: '\g<1>-o{{ rhel8stig_ssh_macs }}\g<2>'
            backrefs: true
        notify: change_requires_reboot
  when:
      - rhel_08_010290
  tags:
      - CAT2
      - RHEL-08-010290
      - CCI-001453
      - SRG-OS-000250-GPOS-00093
      - SV-230251r917870_rule
      - V-230251
      - fips

- name: "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections. | Add Ciphers"
  block:
      - name: "MEDIUM | RHEL-08-010291 | AUDIT | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections. | get Ciphers"
        ansible.builtin.shell: grep "^CRYPTO_POLICY" /etc/crypto-policies/back-ends/opensshserver.config | cut -d "'" -f2 | sed s'/ /\n/g' | grep -i Ciphers | sed s'/-o//g'
        changed_when: false
        register: rhel8stig_current_ciphers

      - name: "MEDIUM | RHEL-08-010291 | PATCH | The RHEL 8 operating system must implement DoD-approved encryption to protect the confidentiality of SSH server connections. | Apply Ciphers"
        ansible.builtin.lineinfile:
            path: /etc/crypto-policies/back-ends/opensshserver.config
            regexp: '(^CRYPTO_POLICY=.*)-o{{ rhel8stig_current_ciphers.stdout }}(.*$)'
            line: '\g<1>-o{{ rhel8stig_ssh_ciphers }}\g<2>'
            backrefs: true
        notify: change_requires_reboot
  when:
      - rhel_08_010291
  tags:
      - CAT2
      - RHEL-08-010291
      - CCI-001453
      - SRG-OS-000250-GPOS-00093
      - SV-230252r917873_rule
      - V-230252
      - fips

- name: "MEDIUM | RHEL-08-010294 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package."
  block:
      - name: "MEDIUM | RHEL-08-010294 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package."
        ansible.builtin.lineinfile:
            path: /etc/crypto-policies/back-ends/opensslcnf.config
            regexp: '^MinProtocol ='
            line: "MinProtocol = TLSv1.2"
        notify: change_requires_reboot
        when: ansible_facts.packages['crypto-policies'][0].version | int < 20210617

      - name: "MEDIUM | RHEL-08-010294 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the OpenSSL package."
        ansible.builtin.lineinfile:
            path: /etc/crypto-policies/back-ends/opensslcnf.config
            regexp: "{{ item.regexp }}"
            line: "{{ item.line }}"
        notify: change_requires_reboot
        with_items:
            - { regexp: '^TLS.MinProtocol = ', line: "TLS.MinProtocol = TLSv1.2" }
            - { regexp: '^DTLS.MinProtocol =', line: "DTLS.MinProtocol = DTLSv1.2" }
        when: ansible_facts.packages['crypto-policies'][0].version | int >= 20210617
  when:
      - rhel_08_010294
  tags:
      - RHEL-08-010294
      - CAT2
      - CCI-001453
      - SRG-OS-000250-GPOS-00093
      - SV-230255r809382_rule
      - V-230255
      - openssl

- name: "MEDIUM | RHEL-08-010295 | PATCH | The RHEL 8 operating system must implement DoD-approved TLS encryption in the GnuTLS package"
  ansible.builtin.lineinfile:
      path: /etc/crypto-policies/back-ends/gnutls.config
      regexp: '^(.*)\+VERS-ALL:'
      line: '\1{{ rhel8stig_gnutls_encryption }}'
      backrefs: true
  notify: change_requires_reboot
  when:
      - rhel_08_010295
  tags:
      - RHEL-08-010295
      - CAT2
      - CCI-001453
      - SRG-OS-000250-GPOS-00093
      - SV-230256r792859_rule
      - V-230256
      - gnutls

- name: |
        "MEDIUM | RHEL-08-010300 | PATCH | RHEL 8 system commands must have mode 0755 or less permissive."
        "MEDIUM | RHEL-08-010310 | PATCH | RHEL 8 system commands must be owned by root."
        "MEDIUM | RHEL-08-010320 | PATCH | RHEL 8 system commands must be group-owned by root or a system account."
  block:
      - name: |
              "MEDIUM | RHEL-08-010300 | AUDIT | RHEL 8 system commands must have mode 0755 or less permissive. | Get commands less permissive"
              "MEDIUM | RHEL-08-010310 | AUDIT | RHEL 8 system commands must be owned by root. | Get commands not owned by root"
              "MEDIUM | RHEL-08-010320 | AUDIT | RHEL 8 system commands must be group-owned by root or a system account. | Get commands no group-owned by root"
        ansible.builtin.shell: "find -L /bin /sbin /usr/bin /usr/sbin /usr/local/bin /usr/local/sbin -perm /0022 -o ! -user root -o ! -group root"
        changed_when: false
        failed_when: false
        register: rhel_08_010300_commands

      - name: |
              "MEDIUM | RHEL-08-010300 | PATCH | RHEL 8 system commands must have mode 0755 or less permissive. | Set permissions"
              "MEDIUM | RHEL-08-010310 | PATCH | RHEL 8 system commands must be owned by root. | Set permissions"
              "MEDIUM | RHEL-08-010320 | PATCH | RHEL 8 system commands must be group-owned by root or a system account. | Set permissions"
        ansible.builtin.file:
            path: "{{ item }}"
            owner: root
            group: root
            mode: "{{ rhel8stig_sys_commands_perm }}"
            force: true
        with_items:
            - "{{ rhel_08_010300_commands.stdout_lines }}"
  when:
      - rhel_08_010300 or
        rhel_08_010310 or
        rhel_08_010320
  tags:
      - CAT2
      - RHEL-08-010300
      - RHEL-08-010310
      - RHEL-08-010320
      - CCI-001499
      - SRG-OS-000259-GPOS-00100
      - SV-230257r792862_rule
      - SV-230258r627750_rule
      - SV-230259r792864_rule
      - V-230257
      - V-230258
      - V-230259
      - permissions

- name: |
        "MEDIUM | RHEL-08-010330 | AUDIT | RHEL 8 library files must have mode 0755 or less permissive."
        "MEDIUM | RHEL-08-010340 | AUDIT | RHEL 8 library files must be owned by root."
        "MEDIUM | RHEL-08-010350 | AUDIT | RHEL 8 library files must be group-owned by root or a system account."
  block:
      - name: |
              "MEDIUM | RHEL-08-010330 | AUDIT | RHEL 8 library files must have mode 0755 or less permissive. | Get library files with mode 0755 or less"
              "MEDIUM | RHEL-08-010340 | AUDIT | RHEL 8 library files must be owned by root. | Get library files not owned by root"
              "MEDIUM | RHEL-08-010350 | AUDIT | RHEL 8 library files must be group-owned by root or a system account. | Get library files not group-owned by root"
        ansible.builtin.shell: "find -L /lib /lib64 /usr/lib /usr/lib64 -perm /0022 -type f -o ! -user root -o ! -group root"
        changed_when: false
        failed_when: false
        register: rhel_08_010330_library_files

      - name: |
              "MEDIUM | RHEL-08-010330 | PATCH | RHEL 8 library files must have mode 0755 or less permissive. | Get library files with mode 0755 or less"
              "MEDIUM | RHEL-08-010340 | PATCH | RHEL 8 library files must be owned by root. | Get library files not owned by root"
              "MEDIUM | RHEL-08-010350 | PATCH | RHEL 8 library files must be group-owned by root or a system account. | Get library files not group-owned by root"
        ansible.builtin.file:
            path: "{{ item }}"
            owner: "{{ rhel_08_010340 | ternary('root',omit) }}"
            group: "{{ rhel_08_010350 | ternary('root',omit) }}"
            mode: "{{ rhel_08_010330 | ternary(rhel8stig_lib_file_perm,omit) }}"
        with_items:
            - "{{ rhel_08_010330_library_files.stdout_lines }}"
  when:
      - rhel_08_010330 or
        rhel_08_010340 or
        rhel_08_010350
  tags:
      - CAT2
      - RHEL-08-010330
      - RHEL-08-010340
      - RHEL-08-010350
      - CCI-001499
      - SRG-OS-000259-GPOS-00100
      - SV-230260r792867_rule
      - SV-230261r627750_rule
      - SV-230262r627750_rule
      - V-230260
      - V-230261
      - V-230262
      - permissions

- name: "MEDIUM | RHEL-08-010331 | PATCH | RHEL 8 library directories must have mode 755 or less permissive."
  block:
      - name: "MEDIUM | RHEL-08-010331 | AUDIT | RHEL 8 library directories must have mode 755 or less permissive. | Get directories"
        ansible.builtin.shell: find /lib /lib64 /usr/lib /usr/lib64 -perm /0022 -type d
        changed_when: false
        failed_when: false
        check_mode: false
        register: rhel_08_010331_directories

      - name: "MEDIUM | RHEL-08-010331 | AUDIT | RHEL 8 library directories must have mode 755 or less permissive. | Alert on permissions"
        ansible.builtin.debug:
            msg:
                - "Alert! There are library directories that have permessions set to more permissive than 755"
                - "To conform to STIG standards, please review these directories and set to 755 or less permissive"
                - "{{ rhel_08_010331_directories.stdout_lines }}"
        when:
            - not rhel8stig_disruption_high
            - rhel_08_010331_directories.stdout | length > 0

      - name: "MEDIUM | RHEL-08-010331 | PATCH | RHEL 8 library directories must have mode 755 or less permissive. | Set permissions"
        ansible.builtin.file:
            path: "{{ item }}"
            state: directory
            mode: "{{ rhel8stig_lib_dir_perms }}"
        with_items:
            - "{{ rhel_08_010331_directories.stdout_lines }}"
        when:
            - rhel8stig_disruption_high
            - rhel_08_010331_directories.stdout | length > 0
  when:
      - rhel_08_010331
  tags:
      - RHEL-08-010331
      - CAT2
      - CCI-001499
      - SV-251707r809345_rule
      - V-251707
      - permissions

- name: "MEDIUM | RHEL-08-010341 | PATCH | RHEL 8 library directories must be owned by root."
  block:
      - name: "MEDIUM | RHEL-08-010341 | AUDIT | RHEL 8 library directories must be owned by root. | Get directories"
        ansible.builtin.shell: find /lib /lib64 /usr/lib /usr/lib64 ! -user root -type d
        changed_when: false
        failed_when: false
        check_mode: false
        register: rhel_08_010341_directories

      - name: "MEDIUM | RHEL-08-010341 | AUDIT | RHEL 8 library directories must be owned by root. | Alert on permissions"
        ansible.builtin.debug:
            msg:
                - "Alert! There are library directories that are not owned by root"
                - "To conform to STIG standards, please review these directories and change owner to root"
                - "{{ rhel_08_010341_directories.stdout_lines }}"
        when:
            - rhel_08_010341_directories.stdout | length > 0
            - not rhel8stig_disruption_high

      - name: "MEDIUM | RHEL-08-010341 | PATCH | RHEL 8 library directories must be owned by root. | Set permissions"
        ansible.builtin.file:
            path: "{{ item }}"
            state: directory
            owner: root
        with_items:
            - "{{ rhel_08_010341_directories.stdout_lines }}"
        when:
            - rhel_08_010341_directories.stdout | length > 0
            - rhel8stig_disruption_high
  when:
      - rhel_08_010341
  tags:
      - RHEL-08-010341
      - CAT2
      - CCI-001499
      - SRG-OS-000259-GPOS-00100
      - SV-251708r810012_rule
      - V-251708
      - permissions

- name: "MEDIUM | RHEL-08-010351 | PATCH | RHEL 8 library directories must be group-owned by root or a system account."
  block:
      - name: "MEDIUM | RHEL-08-010351 | AUDIT | RHEL 8 library directories must be group-owned by root or a system account. | Get directories"
        ansible.builtin.shell: find /lib /lib64 /usr/lib /usr/lib64 ! -group root -type d
        changed_when: false
        failed_when: false
        check_mode: false
        register: rhel_08_010351_directories

      - name: "MEDIUM | RHEL-08-010351 | AUDIT | RHEL 8 library directories must be group-owned by root or a system account. | Alert on permissions"
        ansible.builtin.debug:
            msg:
                - "Alert! There are library directories that are not group owned by root."
                - "To conform to STIG standards, please review these directories and change group owner to root"
                - "{{ rhel_08_010351_directories.stdout_lines }}"
        when:
            - rhel_08_010351_directories.stdout | length > 0
            - not rhel8stig_disruption_high

      - name: "MEDIUM | RHEL-08-010351 | PATCH | RHEL 8 library directories must be group-owned by root or a system account. | Set permissions"
        ansible.builtin.file:
            path: "{{ item }}"
            state: directory
            group: root
        with_items:
            - "{{ rhel_08_010351_directories.stdout_lines }}"
        when:
            - rhel_08_010351_directories.stdout | length > 0
            - rhel8stig_disruption_high
  when:
      - rhel_08_010351
  tags:
      - RHEL-08-010351
      - CAT2
      - CCI-001499
      - SRG-OS-000259-GPOS-00100
      - SV-251709r810014_rule
      - V-251709
      - permissions

- name: "MEDIUM | RHEL-08-010358 | PATCH | RHEL 8 must be configured to allow sending email notifications of unauthorized configuration changes to designated personnel. | pkg install"
  ansible.builtin.package:
      name: mailx
      state: present
  when:
      - "'mailx' not in ansible_facts.packages"
      - rhel_08_010358
  tags:
      - RHEL-08-010358
      - CAT2
      - CCI-001744
      - SRG-OS-000363-GPOS-00150
      - SV-251710r880730_rule
      - V-256974
      - mailx

- name: "MEDIUM | RHEL-08-010359 | PATCH | The RHEL 8 operating system must use a file integrity tool to verify correct operation of all security functions. | pkg install"
  ansible.builtin.package:
      name: aide
      state: present
  when:
      - "'aide' not in ansible_facts.packages"
      - rhel_08_010359
  tags:
      - RHEL-08-010359
      - CAT2
      - CCI-002696
      - SRG-OS-000445-GPOS-00199
      - SV-251710r880730_rule
      - V-251710
      - aide

- name: "MEDIUM | RHEL-08-010360 | PATCH | The RHEL 8 file integrity tool must notify the system administrator when changes to the baseline configuration or anomalies in the operation of any security functions are discovered within an organizationally defined frequency."
  ansible.builtin.cron:
      name: 'Run AIDE integrity check {{ rhel8stig_aide_cron.special_time }}'
      user: "{{ rhel8stig_aide_cron.user }}"
      cron_file: "{{ rhel8stig_aide_cron.cron_file }}"
      job: "{{ rhel8stig_aide_cron.job + ((rhel8stig_aide_cron.notify_by_mail) | ternary(rhel8stig_aide_cron.notify_cmd,'')) }}"
      minute: "{{ rhel8stig_aide_cron.minute | default((rhel8stig_cron_special_disable and
              rhel8stig_aide_cron.special_time in ['hourly', 'daily', 'weekly', 'monthly']) |
              ternary('0', omit)) | default(omit) }}"
      hour: "{{ rhel8stig_aide_cron.hour | default((rhel8stig_cron_special_disable and
              rhel8stig_aide_cron.special_time in ['daily', 'weekly', 'monthly']) |
              ternary('0', omit)) | default(omit) }}"
      weekday: "{{ rhel8stig_aide_cron.weekday | default((rhel8stig_cron_special_disable and
              rhel8stig_aide_cron.special_time in ['weekly']) |
              ternary('0', omit)) | default(omit) }}"
      day: "{{ rhel8stig_aide_cron.day | default((rhel8stig_cron_special_disable and
              rhel8stig_aide_cron.special_time in ['monthly']) |
              ternary('1', omit)) | default(omit) }}"
      special_time: "{{ (rhel8stig_cron_special_disable and
              rhel8stig_aide_cron.special_time in ['hourly', 'daily', 'weekly', 'monthly']) |
              ternary(omit, rhel8stig_aide_cron.special_time) }}"
  when:
      - rhel_08_010360
      - rhel8stig_disruption_high
      - "'crontabs' in ansible_facts.packages"
  tags:
      - RHEL-08-010360
      - CAT2
      - CCI-001744
      - SRG-OS-000363-GPOS-00150
      - SRG-OS-000446-GPOS-00200
      - SRG-OS-000447-GPOS-00201
      - SV-230263r902716_rule
      - V-230263
      - aide
      - cron

- name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution."
  block:
      - name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution. | Use template to create file"
        ansible.posix.sysctl:
            name: kernel.kexec_load_disabled
            value: 1
            state: present
            reload: "{{ rhel8stig_sysctl_reload }}"
            sysctl_set: true
            sysctl_file: "{{ rhel8stig_sysctl_file }}"

      - name: "MEDIUM | RHEL-08-010372 | AUDIT | RHEL 8 must prevent the loading of a new kernel for later execution. | Find conflicting instances"
        ansible.builtin.shell: grep -rs "kernel.kexec_load_disabled = 0" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
        changed_when: false
        failed_when: false
        register: rhel_08_010372_conflicting_settings

      - name: "MEDIUM | RHEL-08-010372 | PATCH | RHEL 8 must prevent the loading of a new kernel for later execution. | Remove conflicting instances"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: '^kernel.kexec_load_disabled = 0'
            state: absent
        loop: "{{ rhel_08_010372_conflicting_settings.stdout_lines }}"
        when:
            - rhel_08_010372_conflicting_settings.stdout | length > 0
            - item != rhel8stig_sysctl_file
  when:
      - rhel_08_010372
  tags:
      - RHEL-08-010372
      - CAT2
      - CCI-001749
      - SRG-OS-000366-GPOS-00153
      - SV-230266r833290_rule
      - V-230266
      - sysctl

- name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks."
  block:
      - name: "MEDIUM | RHEL-08-010373 | AUDIT | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. | Find conflicting instances"
        ansible.builtin.shell: grep -rs "fs.protected_symlinks = 0" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
        changed_when: false
        failed_when: false
        register: rhel_08_010373_conflicting_settings

      - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. | Remove conflicting instances"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: '^fs.protected_symlinks = 0'
            state: absent
        loop: "{{ rhel_08_010373_conflicting_settings.stdout_lines }}"
        when:
            - rhel_08_010373_conflicting_settings.stdout | length > 0
            - item != rhel8stig_sysctl_file

      - name: "MEDIUM | RHEL-08-010373 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on symlinks. | Set sysctl"
        ansible.posix.sysctl:
            name: fs.protected_symlinks
            value: 1
            state: present
            reload: "{{ rhel8stig_sysctl_reload }}"
            sysctl_set: true
            sysctl_file: "{{ rhel8stig_sysctl_file }}"
  when:
      - rhel_08_010373
  tags:
      - RHEL-08-010373
      - CAT2
      - CCI-002165
      - SRG-OS-000312-GPOS-00122
      - SV-230267r833292_rule
      - V-230267
      - sysctl

- name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks."
  block:
      - name: "MEDIUM | RHEL-08-010374 | AUDIT | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks. | Find conflicting instances"
        ansible.builtin.shell: grep -rs "fs.protected_hardlinks = 0" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
        changed_when: false
        failed_when: false
        register: rhel_08_010374_conflicting_settings

      - name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks. | Remove conflicting instances"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: '^fs.protected_hardlinks = 0'
            state: absent
        loop: "{{ rhel_08_010374_conflicting_settings.stdout_lines }}"
        when:
            - rhel_08_010374_conflicting_settings.stdout | length > 0
            - item != rhel8stig_sysctl_file

      - name: "MEDIUM | RHEL-08-010374 | PATCH | RHEL 8 must enable kernel parameters to enforce discretionary access control on hardlinks."
        ansible.posix.sysctl:
            name: fs.protected_hardlinks
            value: 1
            state: present
            reload: "{{ rhel8stig_sysctl_reload }}"
            sysctl_set: true
            sysctl_file: "{{ rhel8stig_sysctl_file }}"
  when:
      - rhel_08_010374
  tags:
      - RHEL-08-010374
      - CAT2
      - CCI-002165
      - SRG-OS-000312-GPOS-00122
      - SV-230268r833294_rule
      - V-230268
      - sysctl

- name: "MEDIUM | RHEL-08-010379 | PATCH | RHEL 8 must specify the default 'include' directory for the /etc/sudoers file."
  ansible.builtin.lineinfile:
      path: /etc/sudoers
      regex: '^#includedir'
      line: '#includedir /etc/sudoers.d'
      validate: '/usr/sbin/visudo -cf %s'
  when:
      - rhel_08_010379
  tags:
      - RHEL-08-010379
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-251711r833385_rule
      - V-251711
      - sudoers

- name: "MEDIUM | RHEL-08-010380 | PATCH | RHEL 8 must require users to provide a password for privilege escalation."
  ansible.builtin.replace:
      path: "{{ item }}"
      regexp: '^((?!#|{% for name in rhel8stig_sudoers_exclude_nopasswd_list %}{{ name }}{% if not loop.last -%}|{%- endif -%}{% endfor %}).*)NOPASSWD(.*)'
      replace: '\1PASSWD\2'
  with_items:
      - "{{ rhel8stig_sudoers_files.stdout_lines }}"
  when:
      - rhel_08_010380
      - rhel8stig_using_password_auth
  tags:
      - RHEL-08-010380
      - CAT2
      - CCI-002038
      - SRG-OS-000373-GPOS-00156
      - SV-230271r833301_rule
      - V-230271
      - sudo

- name: "MEDIUM | RHEL-08-010381 | PATCH | RHEL 8 must require users to reauthenticate for privilege escalation."
  ansible.builtin.replace:
      path: "{{ item }}"
      regexp: '^([^#].*)!authenticate(.*)'
      replace: '\1authenticate\2'
  with_items:
      - "{{ rhel8stig_sudoers_files.stdout_lines }}"
  when:
      - rhel_08_010381
      - rhel8stig_using_password_auth
  tags:
      - RHEL-08-010381
      - CAT2
      - CCI-002038
      - SRG-OS-000373-GPOS-00156
      - SV-230272r627750_rule
      - V-230272
      - sudo

- name: "MEDIUM | RHEL-08-010390 | PATCH | RHEL 8 must have the packages required for multifactor authentication installed."
  ansible.builtin.package:
      name: openssl-pkcs11
      state: present
  when:
      - rhel_08_010390
      - "'openssl-pkcs11' not in ansible_facts.packages"
  tags:
      - RHEL-08-010390
      - CAT2
      - CCI-001948
      - SRG-OS-000375-GPOS-00160
      - SV-230273r743943_rule
      - V-230273
      - multifactor

- name: "MEDIUM | RHEL-08-010400 | PATCH | RHEL 8 must implement certificate status checking for multifactor authentication."
  community.general.ini_file:
      path: '{{ rhel8stig_sssd_conf }}'
      state: "{{ item.state }}"
      section: "{{ item.section | default(omit) }}"
      option: "certificate_verification"
      value: "{{ item.value }}"
  with_items:
      - { value: 'no_ocsp, no_verification', state: absent }
      - { value: 'no_ocsp', state: absent }
      - { value: 'no_verification', state: absent }
      - { value: 'ocsp_dgst=sha1', state: present, section: "sssd" }
  notify: restart sssd
  when:
      - rhel_08_010400
      - rhel8stig_sssd_conf_present.stat.exists
  tags:
      - RHEL-08-010400
      - CAT2
      - CCI-001948
      - SRG-OS-000375-GPOS-00160
      - SV-230274r858741_rule
      - V-230274
      - multifactor

- name: "MEDIUM | RHEL-08-010410 | PATCH | RHEL 8 must accept Personal Identity Verification (PIV) credentials."
  ansible.builtin.package:
      name: opensc
      state: present
  when:
      - rhel_08_010410
  tags:
      - RHEL-08-010410
      - CAT2
      - CCI-001953
      - SRG-OS-000376-GPOS-00161
      - SV-230275r627750_rule
      - V-230275
      - opensc
      - piv

- name: "MEDIUM | RHEL-08-010420 | AUDIT |  RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution."
  block:
      - name: "MEDIUM | RHEL-08-010420 | AUDIT |  RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Get NX bit state"
        ansible.builtin.shell: dmesg |grep "NX ("
        changed_when: false
        failed_when: false
        register: rhel_08_010420_nx_bit_state

      - name: "MEDIUM | RHEL-08-010420 | AUDIT |  RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Message on NX being set"
        ansible.builtin.debug:
            msg:
                - "Good News! You are setup with execute disable active."
        when: '"(Execute Disable) protection: active" in rhel_08_010420_nx_bit_state.stdout'

      - name: "MEDIUM | RHEL-08-010420 | AUDIT |  RHEL 8 must implement non-executable data to protect its memory from unauthorized code execution. | Message on NX no being set"
        ansible.builtin.debug:
            msg:
                - "WARNING!! You do not have execute disable active. Please change the setting in your BIOS settings"
        when: '"(Execute Disable) protection: active" not in rhel_08_010420_nx_bit_state.stdout'
  when:
      - rhel_08_010420
  tags:
      - RHEL-08-010420
      - CAT2
      - CCI-002824
      - SRG-OS-000433-GPOS-00192
      - SV-230276r627750_rule
      - V-230276

- name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks."
  block:
      - name: "MEDIUM | RHEL-08-010421 | AUDIT | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Get GRUB_CMDLINE_LINUX settings"
        ansible.builtin.shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"'
        changed_when: false
        failed_when: false
        register: rhel8stig_010421_grub_cmdline_linux

      - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Set page poison 1 as active"
        ansible.builtin.shell: grubby --update-kernel=ALL --args="page_poison=1"
        when:
            - (ansible_proc_cmdline.page_poison is defined and ansible_proc_cmdline.page_poison != '1') or
              (ansible_proc_cmdline.page_poison is not defined)

      - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Set page poison 1 for kernel updates if doesn't exist"
        ansible.builtin.lineinfile:
            path: /etc/default/grub
            regexp: '^GRUB_CMDLINE_LINUX='
            line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_010421_grub_cmdline_linux.stdout }} page_poison=1"'
        when: '"page_poison=" not in rhel8stig_010421_grub_cmdline_linux.stdout'

      - name: "MEDIUM | RHEL-08-010421 | PATCH | RHEL 8 must clear the page allocator to prevent use-after-free attacks. | Set page poison 1 for kernel updates if exists"
        ansible.builtin.replace:
            path: /etc/default/grub
            regexp: 'page_poison=([^\s|"])+'
            replace: "page_poison=1"
        when: '"page_poison=" in rhel8stig_010421_grub_cmdline_linux.stdout'
  when:
      - rhel_08_010421
  tags:
      - RHEL-08-010421
      - CAT2
      - CCI-001084
      - SRG-OS-000134-GPOS-00068
      - SV-230277r792884_rule
      - V-230277
      - grub

- name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls."
  block:
      - name: "MEDIUM | RHEL-08-010422 | AUDIT | RHEL 8 must disable virtual syscalls. | Get GRUB_CMDLINE_LINUX settings"
        ansible.builtin.shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"'
        changed_when: false
        failed_when: false
        register: rhel8stig_010422_grub_cmdline_linux

      - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls. | Set vsyscall none as active"
        ansible.builtin.shell: grubby --update-kernel=ALL --args="vsyscall=none"
        when:
            - (ansible_proc_cmdline.vsyscall is defined and ansible_proc_cmdline.vsyscall != 'none') or
              (ansible_proc_cmdline.vsyscall is not defined)

      - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls. | Set vsyscall none for kernel updates if doesn't exist"
        ansible.builtin.lineinfile:
            path: /etc/default/grub
            regexp: '^GRUB_CMDLINE_LINUX='
            line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_010422_grub_cmdline_linux.stdout }} vsyscall=none"'
        when: '"vsyscall=" not in rhel8stig_010422_grub_cmdline_linux.stdout'

      - name: "MEDIUM | RHEL-08-010422 | PATCH | RHEL 8 must disable virtual syscalls. | Set vsyscall none for kernel updates if exists"
        ansible.builtin.replace:
            path: /etc/default/grub
            regexp: 'vsyscall=([^\s|"])+'
            replace: "vsyscall=none"
        when: '"vsyscall=" in rhel8stig_010422_grub_cmdline_linux.stdout'
  when:
      - rhel_08_010422
  tags:
      - RHEL-08-010422
      - CAT2
      - CCI-001084
      - SRG-OS-000134-GPOS-00068
      - SV-230278r792886_rule
      - V-230278
      - grub

- name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks."
  block:
      - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Get GRUB_CMDLINE_LINUX settings"
        ansible.builtin.shell: grep GRUB_CMDLINE_LINUX= /etc/default/grub | cut -f2 -d'"'
        changed_when: false
        failed_when: false
        register: rhel8stig_010423_grub_cmdline_linux

      - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Set slub_debug to P as active"
        ansible.builtin.shell: grubby --update-kernel=ALL --args="slub_debug=P"
        when:
            - (ansible_proc_cmdline.slub_debug is defined and ansible_proc_cmdline.slub_debug != 'P') or
              (ansible_proc_cmdline.slub_debug is not defined)

      - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Set slub_debug to P for kernel updates if doesn't exist"
        ansible.builtin.lineinfile:
            path: /etc/default/grub
            regexp: '^GRUB_CMDLINE_LINUX='
            line: 'GRUB_CMDLINE_LINUX="{{ rhel8stig_010423_grub_cmdline_linux.stdout }} slub_debug=P"'
        when: '"slub_debug=" not in rhel8stig_010423_grub_cmdline_linux.stdout'

      - name: "MEDIUM | RHEL-08-010423 | PATCH | RHEL 8 must clear SLUB/SLAB objects to prevent use-after-free attacks. | Set slub_debug to P for kernel updates if exists"
        ansible.builtin.replace:
            path: /etc/default/grub
            regexp: 'slub_debug=([^\s|"])+'
            replace: "slub_debug=P"
        when: '"slub_debug=" in rhel8stig_010423_grub_cmdline_linux.stdout'
  when:
      - rhel_08_010423
  tags:
      - RHEL-08-010423
      - CAT2
      - CCI-001084
      - SRG-OS-000134-GPOS-00068
      - SV-230279r951598_rule
      - V-230279
      - grub

- name: " MEDIUM | RHEL-08-010430 | PATCH | RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution."
  block:
      - name: " MEDIUM | RHEL-08-010430 | AUDIT | RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. | Find conflicting instances"
        ansible.builtin.shell: grep -rs "kernel.randomize_va_space = [^2]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
        changed_when: false
        failed_when: false
        register: rhel_08_010430_conflicting_settings

      - name: " MEDIUM | RHEL-08-010430 | PATCH | RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. | Remove conflicting instances"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: "kernel.randomize_va_space = [^2]"
            state: absent
        loop: "{{ rhel_08_010430_conflicting_settings.stdout_lines }}"
        when:
            - rhel_08_010430_conflicting_settings.stdout | length > 0
            - item != rhel8stig_sysctl_file

      - name: " MEDIUM | RHEL-08-010430 | PATCH | RHEL 8 must implement address space layout randomization (ASLR) to protect its memory from unauthorized code execution. | Use template to create file"
        ansible.posix.sysctl:
            name: kernel.randomize_va_space
            value: 2
            state: present
            reload: "{{ rhel8stig_sysctl_reload }}"
            sysctl_set: true
            sysctl_file: "{{ rhel8stig_sysctl_file }}"
  when:
      - rhel_08_010430
  tags:
      - RHEL-08-010430
      - CAT2
      - CCI-002824
      - SRG-OS-000433-GPOS-00193
      - SV-230280r858767_rule
      - V-230280
      - sysctl

- name: "MEDIUM | RHEL-08-010480 | PATCH | The RHEL 8 SSH public host key files must have mode 0644 or less permissive."
  block:
      - name: "MEDIUM | RHEL-08-010480 | AUDIT | The RHEL 8 SSH public host key files must have mode 0644 or less permissive. | Find files"
        ansible.builtin.shell: find /etc/ssh -name ssh_host*_key.pub
        changed_when: false
        failed_when: rhel_08_010480_public_files.rc not in [ 0, 1 ]
        register: rhel_08_010480_public_files

      - name: "MEDIUM | RHEL-08-010480 | PATCH | The RHEL 8 SSH public host key files must have mode 0644 or less permissive. | Set permissions"
        ansible.builtin.file:
            path: "{{ item }}"
            mode: "{{ rhel8stig_ssh_pub_key_perm }}"
        with_items:
            - "{{ rhel_08_010480_public_files.stdout_lines }}"
        notify: restart sshd
        when: rhel_08_010480_public_files.stdout | length > 0
  when:
      - rhel_08_010480
      - rhel8stig_ssh_required
  tags:
      - RHEL-08-010480
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230286r627750_rule
      - V-230286
      - ssh

- name: "MEDIUM | RHEL-08-010490 | PATCH | The RHEL 8 SSH private host key files must have mode 0640 or less permissive."
  block:
      - name: "MEDIUM | RHEL-08-010490 | AUDIT | The RHEL 8 SSH private host key files must have mode 0640 or less permissive. | Find files"
        ansible.builtin.shell: find /etc/ssh -name ssh_host*_key
        changed_when: false
        failed_when: rhel_08_010490_private_host_key_files.rc not in [ 0, 1 ]
        register: rhel_08_010490_private_host_key_files

      - name: "MEDIUM | RHEL-08-010490 | PATCH | The RHEL 8 SSH private host key files must have mode 0640 or less permissive. | Set permissions"
        ansible.builtin.file:
            path: "{{ item }}"
            mode: "{{ rhel8stig_ssh_priv_key_perm }}"
        with_items:
            - "{{ rhel_08_010490_private_host_key_files.stdout_lines }}"
        notify: restart sshd
        when: rhel_08_010490_private_host_key_files.stdout | length > 0
  when:
      - rhel_08_010490
      - rhel8stig_ssh_required
  tags:
      - RHEL-08-010490
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230287r880714_rule
      - V-230287
      - ssh

- name: "MEDIUM | RHEL-08-010500 | PATCH | The RHEL 8 SSH daemon must perform strict mode checking of home directory configuration files."
  ansible.builtin.lineinfile:
      path: /etc/ssh/sshd_config
      regexp: '(?i)^#?StrictModes'
      line: 'StrictModes yes'
      validate: '/usr/sbin/sshd -T -f %s'
  notify: restart sshd
  when:
      - rhel_08_010500
      - rhel8stig_ssh_required
  tags:
      - RHEL-08-010500
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230288r858701_rule
      - V-230288
      - ssh

- name: "MEDIUM | RHEL-08-010520 | PATCH | The RHEL 8 SSH daemon must not allow authentication using known host’s authentication."
  ansible.builtin.lineinfile:
      path: /etc/ssh/sshd_config
      regexp: '(?i)^#?IgnoreUserKnownHosts'
      line: 'IgnoreUserKnownHosts yes'
      validate: '/usr/sbin/sshd -T -f %s'
  notify: restart sshd
  when:
      - rhel_08_010520
      - rhel8stig_ssh_required
  tags:
      - RHEL-08-010520
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230290r951602_rule
      - V-230290
      - ssh

- name: "MEDIUM | RHEL-08-010521 | PATCH | The RHEL 8 SSH daemon must not allow Kerberos authentication, except to fulfill documented and validated mission requirements."
  ansible.builtin.lineinfile:
      path: /etc/ssh/sshd_config
      regexp: '(?i)^#?KerberosAuthentication'
      line: "KerberosAuthentication no"
      validate: '/usr/sbin/sshd -T -f %s'
  notify: restart sshd
  when:
      - rhel_08_010521
      - rhel8stig_ssh_required
  tags:
      - RHEL-08-010521
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230291r952105_rule
      - V-230291
      - ssh

- name: "MEDIUM | RHEL-08-010522 | PATCH | The RHEL 8 SSH daemon must not allow GSSAPI authentication, except to fulfill documented and validated mission requirements."
  ansible.builtin.lineinfile:
      path: /etc/ssh/sshd_config
      regexp: '(?i)^#?GSSAPIAuthentication'
      line: "GSSAPIAuthentication no"
      validate: '/usr/sbin/sshd -T -f %s'
  when:
      - rhel_08_010522
      - rhel8stig_ssh_required
  tags:
      - RHEL-08-010522
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-244528r952106_rule
      - V-244528
      - ssh

- name: "MEDIUM | RHEL-08-010543 | PATCH | A separate RHEL 8 filesystem must be used for the /tmp directory."
  ansible.builtin.debug:
      msg: "WARNING!! /tmp is not mounted on a separate partition"
  changed_when:
      - rhel8stig_audit_complex
  when:
      - rhel_08_010543
      - rhel8stig_complex
      - ansible_mounts | selectattr('mount', 'match', '^/tmp$') | list | length == 0
  tags:
      - RHEL-08-010543
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230295r627750_rule
      - V-230295
      - complexity-high
      - mounts
      - tmp

- name: "MEDIUM | RHEL-08-010544 | PATCH | RHEL 8 must use a separate file system for /var/tmp."
  ansible.builtin.debug:
      msg:
          - "WARNING!! /var/tmp is not mounted on a seperate partition"
  changed_when:
      - rhel8stig_audit_complex
  when:
      - rhel_08_010544
      - rhel8stig_complex
      - ansible_mounts | selectattr('mount', 'match', '^/var/tmp$') | list | length == 0
  tags:
      - RHEL-08-010544
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-244529r902737_rule
      - V-244529
      - mounts

- name: "MEDIUM | RHEL-08-010550 | PATCH | The RHEL 8 must not permit direct logons to the root account using remote access via SSH."
  ansible.builtin.lineinfile:
      path: /etc/ssh/sshd_config
      regexp: '(?i)^#?PermitRootLogin'
      line: 'PermitRootLogin no'
      validate: '/usr/sbin/sshd -T -f %s'
  notify: restart sshd
  when:
      - rhel_08_010550
      - rhel8stig_ssh_required
  tags:
      - RHEL-08-010550
      - CAT2
      - CCI-000770
      - SRG-OS-000109-GPOS-00056
      - SV-230296r951608_rule
      - V-230296
      - ssh

- name: "MEDIUM | RHEL-08-010561 | PATCH | The rsyslog service must be running in RHEL 8."
  ansible.builtin.service:
      name: rsyslog.service
      enabled: true
  notify: restart rsyslog
  when:
      - rhel_08_010561
  tags:
      - RHEL-08-010561
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230298r627750_rule
      - V-230298
      - rsyslog

- name: "MEDIUM | RHEL-08-010570 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that contain user home directories."
  ansible.posix.mount:
      path: "{{ item.mount }}"
      state: mounted
      src: "{{ item.device }}"
      fstype: "{{ item.fstype }}"
      opts: "defaults{{ rhel_08_010570| ternary (',nosuid', '') }}"
  loop: "{{ ansible_facts.mounts }}"
  when:
      - item.mount == '/home'
      - rhel_08_010570
  tags:
      - RHEL-08-010570
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230299r627750_rule
      - V-230299
      - mounts
      - home

- name: "MEDIUM | RHEL-08-010571 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot directory."
  ansible.posix.mount:
      path: "{{ item.mount }}"
      state: mounted
      src: "{{ item.device }}"
      fstype: "{{ item.fstype }}"
      opts: "defaults{{ rhel_08_010571| ternary (',nosuid', '') }}"
  loop: "{{ ansible_facts.mounts }}"
  when:
      - item.mount == '/boot'
      - rhel_08_010571
  tags:
      - RHEL-08-010571
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230300r743959_rule
      - V-230300
      - mounts
      - boot

- name: "MEDIUM | RHEL-08-010572 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on the /boot/efi directory."
  ansible.posix.mount:
      path: "{{ item.mount }}"
      state: mounted
      src: "{{ item.device }}"
      fstype: "{{ item.fstype }}"
      opts: "defaults{{ rhel_08_010572| ternary (',nosuid', '') }}"
  loop: "{{ ansible_facts.mounts }}"
  when:
      - item.mount == '/boot/efi'
      - rhel_08_010572
  tags:
      - RHEL-08-010572
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-244530r809336_rule
      - V-244530
      - mounts
      - efi

- name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions."
  block:
      - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions. | Get mounts"
        ansible.builtin.shell: mount | grep '^/dev\S* on /\S' | grep --invert-match 'nodev' | awk '{print $1,$3,$5,$6}' | sed 's/[()]//g'
        changed_when: false
        check_mode: false
        register: rhel8stig_010580_mounts_nodev

      - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions. | Split results"
        ansible.builtin.set_fact:
            rhel8stig_010580_mounts: "{{ rhel8stig_010580_mounts_nodev.stdout_lines | map('regex_replace', ld_mount_regex, ld_mount_yaml) | map('from_yaml') | list }}"

        with_items: "{{ rhel8stig_010580_mounts_nodev.stdout_lines }}"
        vars:
            ld_mount_regex: >-
                ^(?P<device>[^'']*)\s(?P<mpoint>[^'']*)\s(?P<fs>[^'']*)\s(?P<opts>[^'']*)
            ld_mount_yaml: |
                device: >-4
                    \g<device>
                mpoint: >-4
                    \g<mpoint>
                fs: >-4
                    \g<fs>
                opts: >-4
                    \g<opts>
        when: rhel8stig_010580_mounts_nodev.stdout | length > 0

      - name: "MEDIUM | RHEL-08-010580 | PATCH | RHEL 8 must prevent special devices on non-root local partitions. | Set value"
        ansible.posix.mount:
            path: "{{ item.mpoint }}"
            state: mounted
            src: "{{ item.device }}"
            fstype: "{{ item.fs }}"
            opts: "{{ item.opts }},nodev"
        with_items:
            - "{{ rhel8stig_010580_mounts | default([]) }}"
        loop_control:
            label: "{{ item.mpoint }}"
        when:
            - item.device != "/"
            - "'odev' not in item.opts"
            - rhel8stig_010580_mounts_nodev.stdout | length > 0
  when:
      - rhel_08_010580
  tags:
      - RHEL-08-010580
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230301r627750_rule
      - V-230301
      - mounts

- name: "MEDIUM | RHEL-08-010590 | PATCH | RHEL 8 must prevent code from being executed on file systems that contain user home directories."
  ansible.posix.mount:
      path: "{{ item.mount }}"
      state: mounted
      src: "{{ item.device }}"
      fstype: "{{ item.fstype }}"
      opts: "{{ item.options }},{% if rhel_08_010570 is sameas true %}nosuid,{% endif %}noexec"
  loop: "{{ ansible_facts.mounts }}"
  when:
      - rhel_08_010590
      - item.mount == '/home'
      - "'noexec' not in item.options"
  tags:
      - RHEL-08-010590
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230302r627750_rule
      - V-230302
      - mounts
      - home

## Note Azure is currently default mounting /mnt for cloud-init this will cause issues
## refer to https://github.com/Azure/WALinuxAgent/issues/1971

- name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media."
  block:
      - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media. | Set nodev to /media"
        ansible.posix.mount:
            path: "{{ item.mount }}"
            state: mounted
            src: "{{ item.device }}"
            fstype: "{{ item.fstype }}"
            opts: "{{ item.options }},nodev"
        loop: "{{ ansible_facts.mounts }}"
        when:
            - item.mount == '/media'
            - rhel_08_010600
            - "'nodev' not in item.options"

      - name: "MEDIUM | RHEL-08-010600 | PATCH | RHEL 8 must prevent special devices on file systems that are used with removable media. | Set nodev to /mnt"
        ansible.posix.mount:
            path: "{{ item.mount }}"
            state: mounted
            src: "{{ item.device }}"
            fstype: "{{ item.fstype }}"
            opts: "{{ item.options }},nodev"
        loop: "{{ ansible_facts.mounts }}"
        when:
            - rhel_08_010600
            - item.mount == '/mnt'
            - "'nodev' not in item.options"
  when:
      - rhel_08_010600
      - not rhel8stig_system_is_chroot
  tags:
      - RHEL-08-010600
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230303r627750_rule
      - V-230303
      - mounts
      - media

- name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent code from being executed on file systems that are used with removable media."
  block:
      - name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent code from being executed on file systems that are used with removable media. | Set noexec to /media"
        ansible.posix.mount:
            path: "{{ item.mount }}"
            state: mounted
            src: "{{ item.device }}"
            fstype: "{{ item.fstype }}"
            opts: "{{ item.options }},noexec"
        loop: "{{ ansible_facts.mounts }}"
        when:
            - rhel_08_010610
            - item.mount == '/media'
            - "'noexec' not in item.options"

      - name: "MEDIUM | RHEL-08-010610 | PATCH | RHEL 8 must prevent code from being executed on file systems that are used with removable media. | Set noexec to /mnt"
        ansible.posix.mount:
            path: "{{ item.mount }}"
            state: mounted
            src: "{{ item.device }}"
            fstype: "{{ item.fstype }}"
            opts: "{{ item.options }},noexec"
        loop: "{{ ansible_facts.mounts }}"
        when:
            - rhel_08_010610
            - item.mount == '/mnt'
            - "'noexec' not in item.options"
  when:
      - rhel_08_010610
      - not rhel8stig_system_is_chroot
  tags:
      - RHEL-08-010610
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230304r627750_rule
      - V-230304
      - mounts
      - media

- name: "MEDIUM | RHEL-08-010620 | PATCH |  RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media."
  block:
      - name: "MEDIUM | RHEL-08-010620 | PATCH |  RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | Set nosuid to /media"
        ansible.posix.mount:
            ansible.posix.mount:
            path: "{{ item.mount }}"
            state: mounted
            src: "{{ item.device }}"
            fstype: "{{ item.fstype }}"
            opts: "{{ item.options }},nosuid"
        loop: "{{ ansible_facts.mounts }}"
        when:
            - rhel_08_010620
            - item.mount == '/media'
            - "'nosuid' not in item.options"

      - name: "MEDIUM | RHEL-08-010620 | PATCH |  RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are used with removable media. | Set nosuid to /mnt"
        ansible.posix.mount:
            path: "{{ item.mount }}"
            state: mounted
            src: "{{ item.device }}"
            fstype: "{{ item.fstype }}"
            opts: "{{ item.options }},nosuid"
        loop: "{{ ansible_facts.mounts }}"
        when:
            - rhel_08_010620
            - item.mount == '/mnt'
            - "'nosuid' not in item.options"
  when:
      - rhel_08_010620
      - not rhel8stig_system_is_chroot
  tags:
      - RHEL-08-010620
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230305r627750_rule
      - V-230305
      - mounts
      - media

- name: "MEDIUM | RHEL-08-010630 | PATCH | RHEL 8 must prevent code from being executed on file systems that are imported via Network File System (NFS)."
  ansible.posix.mount:
      path: "{{ item.mount }}"
      fstype: "{{ item.fstype }}"
      src: "{{ item.device }}"
      opts: "{{ item.options }},noexec"
      state: mounted
  loop: "{{ ansible_facts.mounts }}"
  when:
      - rhel_08_010630
      - "'nfs' in item.fstype"
      - "'noexec' not in item.options"
  tags:
      - RHEL-08-010630
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230306r627750_rule
      - V-230306
      - mounts
      - nfs

- name: "MEDIUM | RHEL-08-010640 | PATCH | RHEL 8 must prevent special devices on file systems that are imported via Network File System (NFS)."
  ansible.posix.mount:
      path: "{{ item.mount }}"
      fstype: "{{ item.fstype }}"
      src: "{{ item.device }}"
      opts: "{{ item.options }},{% if rhel_08_010630 is sameas true %}noexec,{% endif %}nodev"
      state: mounted
  loop: "{{ ansible_facts.mounts }}"
  when:
      - rhel_08_010640
      - "'nfs' in item.fstype"
      - "'nodev' not in item.options"
  tags:
      - RHEL-08-010640
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230307r627750_rule
      - V-230307
      - mounts
      - nfs

- name: "MEDIUM | RHEL-08-010650 | PATCH | RHEL 8 must prevent files with the setuid and setgid bit set from being executed on file systems that are imported via Network File System (NFS)"
  ansible.posix.mount:
      path: "{{ item.mount }}"
      fstype: "{{ item.fstype }}"
      src: "{{ item.device }}"
      opts: "{{ item.options }},{% if rhel_08_010630 is sameas true %}noexec,{% endif %}{% if rhel_08_010640 is sameas true %}nodev,{% endif %}nosuid"
      state: mounted
  loop: "{{ ansible_facts.mounts }}"
  when:
      - rhel_08_010650
      - "'nfs' in item.fstype"
      - "'nosuid' not in item.options"
  tags:
      - RHEL-08-010650
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230308r627750_rule
      - V-230308
      - mounts
      - nfs

- name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs."
  block:
      - name: "MEDIUM | RHEL-08-010660 | AUDIT | Local RHEL 8 initialization files must not execute world-writable programs. | Find world-writable files on all partitions"
        ansible.builtin.shell: find {{ item.mount }} -xdev -type f -perm -002
        changed_when: false
        failed_when: false
        register: rhel_08_010660_world_writable_files
        with_items:
            - "{{ ansible_mounts }}"
        loop_control:
            label: "{{ item.mount }}"

      - name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs. | Set fact for flattening"
        ansible.builtin.set_fact:
            rhel_08_010660_change_perms: "{{ rhel_08_010660_world_writable_files.results | map(attribute='stdout_lines') | flatten }}"

      - name: "MEDIUM | RHEL-08-010660 | AUDIT | Local RHEL 8 initialization files must not execute world-writable programs. | Compare to home directories"
        ansible.builtin.include_tasks: audit_homedirinifiles.yml
        loop:
            - "{{ rhel_08_stig_interactive_homedir_inifiles }}"
        loop_control:
            loop_var: ini_item
        when:
            - rhel_08_010660_change_perms != []

      - name: "MEDIUM | RHEL-08-010660 | PATCH | Local RHEL 8 initialization files must not execute world-writable programs. | Set permissions"
        ansible.builtin.file:
            path: "{{ item }}"
            mode: 'u+x,go-w'
            state: file
        with_items:
            - "{{ rhel_08_010660_change_perms }}"
        when:
            - rhel_08_010660_change_perms != []
  when:
      - rhel_08_010660
      - rhel8stig_disruption_high
  tags:
      - RHEL-08-010660
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230309r627750_rule
      - V-230309
      - permissions

- name: "MEDIUM | RHEL-08-010670 | PATCH | RHEL 8 must disable kernel dumps unless needed."
  ansible.builtin.service:
      name: kdump
      enabled: false
      state: stopped
  when:
      - rhel_08_010670
      - "'kexec-tools' in ansible_facts.packages"
      - not rhel8stig_kdump_needed
  tags:
      - RHEL-08-010670
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230310r627750_rule
      - V-230310
      - kdump

- name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern."
  block:
      - name: "MEDIUM | RHEL-08-010671 | AUDIT | RHEL 8 must disable the kernel.core_pattern."
        ansible.builtin.shell: grep -rsP 'kernel.core_pattern\s*=\s*.*(?<!\|\/bin\/false)$' /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
        changed_when: false
        failed_when: false
        register: rhel_08_010671_conflicting_settings

      - name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern."
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: kernel.core_pattern\s*=\s*.*(?<!\|\/bin\/false)$
            state: absent
        loop: "{{ rhel_08_010671_conflicting_settings.stdout_lines }}"
        when:
            - rhel_08_010671_conflicting_settings.stdout | length > 0
            - item != rhel8stig_sysctl_file

      - name: "MEDIUM | RHEL-08-010671 | PATCH | RHEL 8 must disable the kernel.core_pattern."
        ansible.posix.sysctl:
            name: kernel.core_pattern
            value: "|/bin/false"
            state: present
            reload: "{{ rhel8stig_sysctl_reload }}"
            sysctl_set: true
            sysctl_file: "{{ rhel8stig_sysctl_file }}"
  when:
      - rhel_08_010671
  tags:
      - RHEL-08-010671
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230311r858769_rule
      - V-230311
      - sysctl

- name: "MEDIUM | RHEL-08-010672 | PATCH | RHEL 8 must disable acquiring, saving, and processing core dumps."
  ansible.builtin.systemd:
      name: systemd-coredump.socket
      masked: true
      daemon_reload: true
  notify: systemctl daemon-reload
  when:
      - rhel_08_010672
      - ansible_service_mgr == 'systemd'
  tags:
      - RHEL-08-010672
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230312r833308_rule
      - V-230312
      - systemd

- name: "MEDIUM | RHEL-08-010673 | PATCH | RHEL 8 must disable core dumps for all users."
  ansible.builtin.lineinfile:
      path: /etc/security/limits.conf
      regexp: '^\*.*hard.*core'
      line: "*               hard    core            0"
      insertbefore: '# End of file'
  when:
      - rhel_08_010673
  tags:
      - RHEL-08-010673
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230313r627750_rule
      - V-230313
      - security
      - limits

- name: "MEDIUM | RHEL-08-010674 | PATCH | RHEL 8 must disable storing core dumps."
  ansible.builtin.lineinfile:
      path: /etc/systemd/coredump.conf
      regexp: '^(S|s)torage=|#(S|s)torage='
      line: "Storage=none"
  when:
      - rhel_08_010674
      - "'systemd' in ansible_facts.packages"
  tags:
      - RHEL-08-010674
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230314r627750_rule
      - V-230314
      - systemd

- name: "MEDIUM | RHEL-08-010675 | PATCH | RHEL 8 must disable core dump backtraces."
  ansible.builtin.lineinfile:
      path: /etc/systemd/coredump.conf
      regexp: '^(P|p)rocess(S|s)ize(M|m)ax=|(P|p)rocess(S|s)ize(M|m)ax='
      line: "ProcessSizeMax=0"
  when:
      - rhel_08_010675
      - "'systemd' in ansible_facts.packages"
  tags:
      - RHEL-08-010675
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230315r627750_rule
      - V-230315
      - systemd

# NOTE: The following does not address that /etc/resolv.conf can be modified by DHCP when running networkmanager, and thus having two DNS servers may be a config setting not on the hosts, but on the DHCP service.
- name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured."
  block:
      - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Audit the /etc/nsswitch.conf"
        ansible.builtin.shell: grep "dns" /etc/nsswitch.conf | grep -v "#"
        changed_when: false
        failed_when: false
        check_mode: false
        register: rhel_08_010680_nsswitch_check

      - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Determine if networkmanager is setting /etc/resolv.conf"
        ansible.builtin.shell: grep -c "# Generated by NetworkManager" /etc/resolv.conf
        changed_when: false
        failed_when: false
        check_mode: false
        register: rhel_08_010680_networkmanager_check

      - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Determine number of nameserver lines in /etc/resolv.conf"
        ansible.builtin.shell: grep -i "nameserver" /etc/resolv.conf | grep -v "#" | wc -l
        changed_when: false
        failed_when: false
        check_mode: false
        register: rhel_08_010680_nameserver_count

      - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Change resolv.conf if dns is not present in nsswitch.conf"
        ansible.builtin.shell: echo -n > /etc/resolv.conf && chattr +i /etc/resolv.conf
        when:
            - "'dns' not in rhel_08_010680_nsswitch_check.stdout"

      - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Set resolv.conf if dns is set in nsswitch.conf"
        ansible.builtin.lineinfile:
            dest: /etc/resolv.conf
            regexp: "{{ item.regexp }}"
            line: "nameserver {{ item.line }}"
            insertafter: "{{ item.after }}"
        with_items:  # Written as lineinfile replaces last found so reverse logic to keep order of servers
            - { regexp: ^nameserver, line: '{{ rhel8stig_dns_servers.1 }}', after: ^search }
            - { regexp: '^nameserver (?!{{ rhel8stig_dns_servers.1 }})', line: '{{ rhel8stig_dns_servers.0 }}', after: '^nameserver {{ rhel8stig_dns_servers.1 }}' }
        when:
            - not rhel8_stig_use_resolv_template
            - rhel_08_010680_networkmanager_check.stdout == '0'
            - rhel_08_010680_nameserver_count.stdout | int >= 2

      - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | Set resolv.conf using a template when not NetworkManager controlled"
        ansible.builtin.template:
            src: resolv.conf.j2
            dest: /etc/resolv.conf
            owner: root
            group: root
            mode: 'u-x,go-wx'
        when:
            - rhel_08_010680_networkmanager_check.stdout == '0'
            - rhel8_stig_use_resolv_template

      - name: "MEDIUM | RHEL-08-010680 | PATCH | For RHEL 8 systems using Domain Name Servers (DNS) resolution, at least two name servers must be configured. | If networkmanager is setting resolv.conf, debug msg to audit/change DNS settings in dhcp."
        ansible.builtin.debug:
            msg: "The file /etc/resolv.conf is managed by network manager and/or shows less than two DNS servers configured. Please correct this in your DHCP configurations."
        changed_when: true
        when:
            - rhel_08_010680_networkmanager_check.stdout != '0' or rhel_08_010680_nameserver_count.stdout| int < 2
            - not rhel8_stig_use_resolv_template
  when:
      - rhel_08_010680
      - not rhel8stig_system_is_chroot
      - not system_is_ec2
  tags:
      - RHEL-08-010680
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230316r627750_rule
      - V-230316
      - dns

- name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory."
  block:
      - name: "MEDIUM | RHEL-08-010690 | AUDIT | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory. | Find path files"
        ansible.builtin.shell: find "{{ item }}" -maxdepth 1 -type f | xargs grep "PATH=" | cut -d':' -f1 | xargs realpath
        with_items: "{{ discovered_interactive_users_home.stdout_list }}"
        register: rhel_08_010690_ini_path_grep_list
        changed_when: false
        failed_when: false

      - name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory."
        ansible.builtin.debug:
            msg: You will need to audit and correct executable paths set in "{{ item }}" to contain only paths that resolve to the user's home directory.
        with_items:
            - "{{ rhel_08_010690_ini_path_grep_list.results | map(attribute='stdout_lines') | list }}"

      - name: "MEDIUM | RHEL-08-010690 | PATCH | Executable search paths within the initialization files of all local interactive RHEL 8 users must only contain paths that resolve to the system default or the users home directory."
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: "^PATH="
            line: "{{ rhel_08_010690_user_path }}"
        with_items:
            - "{{ rhel_08_010690_ini_path_grep_list.results | map(attribute='stdout_lines') | list }}"
  when:
      - rhel_08_010690
      - rhel8stig_disruption_high
      - rhel8stig_change_user_path
  tags:
      - RHEL-08-010690
      - CAT2
      - CCI-000366
      - SV-230317r792896_rule
      - V-230317
      - complexity-high

- name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group."
  block:
      - name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group. | Get directories"
        ansible.builtin.shell: find {{ ansible_mounts | map(attribute='mount') | join(' ') }} -xdev -type d -perm -0002 -uid +999
        changed_when: false
        failed_when: false
        register: rhel_08_010700_world_writable_directories

      - name: "MEDIUM | RHEL-08-010700 | AUDIT | All RHEL 8 world-writable directories must be owned by root, sys, bin, or an application group. | Set permissions"
        ansible.builtin.file:
            path: "{{ item }}"
            owner: "{{ rhel8stig_ww_dir_owner }}"
        with_items:
            - "{{ rhel_08_010700_world_writable_directories.stdout_lines }}"
        when:
            - rhel_08_010700_world_writable_directories.stdout is defined
            - rhel_08_010700_world_writable_directories.stdout | length > 0
  when:
      - rhel_08_010700
  tags:
      - RHEL-08-010700
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230318r743960_rule
      - V-230318
      - permissions

- name: "MEDIUM | RHEL-08-010710 | PATCH | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group."
  block:
      - name: "MEDIUM | RHEL-08-010710 | AUDIT | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group. | Get directories"
        ansible.builtin.shell: find {{ ansible_mounts | map(attribute='mount') | join(' ') }} -xdev -type d -perm -0002 -gid +999
        changed_when: false
        failed_when: false
        register: rhel_08_010710_world_writable_directories

      - name: "MEDIUM | RHEL-08-010710 | PATCH | All RHEL 8 world-writable directories must be group-owned by root, sys, bin, or an application group. | Set permissions"
        ansible.builtin.file:
            path: "{{ item }}"
            group: "{{ rhel8stig_ww_dir_grpowner }}"
        with_items:
            - "{{ rhel_08_010710_world_writable_directories.stdout_lines }}"
        when:
            - rhel_08_010710_world_writable_directories.stdout is defined
            - rhel_08_010710_world_writable_directories.stdout | length > 0
  when:
      - rhel_08_010710
  tags:
      - RHEL-08-010710
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230319r743961_rule
      - V-230319
      - permissions

- name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file."
  block:
      - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Get users with no home directory"
        ansible.builtin.shell: pwck -r | grep user | cut -f2 -d"'"
        changed_when: false
        failed_when: false
        register: rhel_08_010720_users_no_home_dir

      - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Get interactive users with no home directory"
        ansible.builtin.shell: grep vboxadd /etc/passwd | awk -F ":" '$3>{{ rhel8stig_interactive_uid_start }} {print $1}'
        changed_when: false
        failed_when: false
        register: rhel_08_010720_user_list

      - name: "MEDIUM | RHEL-08-010720 | PATCH | All RHEL 8 local interactive users must have a home directory assigned in the /etc/passwd file. | Message out user list"
        ansible.builtin.debug:
            msg:
                - "WARNING!! The users listed below are interactive users with no home directories. Please create home directories to confirm with STIG standards"
                - "{{ rhel_08_010720_user_list.stdout_lines }}"
        when:
            - rhel_08_010720_user_list.stdout is defined
            - rhel_08_010720_user_list.stdout | length > 0
  when:
      - rhel_08_010720
  tags:
      - RHEL-08-010720
      - CAT2
      - CCI-000366
      - SV-230320r627750_rule
      - V-230320

# Required for RHEL-08-010730
- name: "MEDIUM | RHEL-08-010750 | PATCH | All RHEL 8 local interactive user home directories defined in the /etc/passwd file must exist."
  ansible.builtin.file:
      path: "{{ item }}"
      state: directory
  with_items: "{{ discovered_interactive_users_home.stdout_lines }}"
  when:
      - rhel_08_010750
  tags:
      - RHEL-08-010750
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230323r627750_rule
      - V-230323
      - permissions

- name: "MEDIUM | RHEL-08-010730 | PATCH | All RHEL 8 local interactive user home directories must have mode 0750 or less permissive."
  ansible.builtin.file:
      path: "{{ item }}"
      mode: "{{ rhel8stig_local_int_home_perms }}"
  with_items:
      - "{{ discovered_interactive_users_home.stdout_lines }}"
  when:
      - rhel_08_010730
  tags:
      - RHEL-08-010730
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230321r627750_rule
      - V-230321
      - permissions

- name: "MEDIUM | RHEL-08-010731 | PATCH | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive."
  block:
      - name: "MEDIUM | RHEL-08-010731 | PATCH | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive. | Bring files into compliance"
        ansible.builtin.file:
            path: "{{ item }}"
            mode: "{{ rhel8stig_local_int_home_file_perms }}"
        with_items:
            - "{{ discovered_interactive_users_home.stdout_lines }}"
        when: rhel8stig_disruption_high

      - name: "MEDIUM | RHEL-08-010731 | AUDIT | All RHEL 8 local interactive user home directory files must have mode 0750 or less permissive. | Alert on out of compliance files"
        ansible.builtin.debug:
            msg:
                - "Alert! Below are the files that are in interactive user folders but permissiosn less restrictiv than 0750."
                - "Please review the files to bring into STIG compliance"
                - "{{ discovered_interactive_users_home.stdout_lines }}"
        when: not rhel8stig_disruption_high
  when:
      - rhel_08_010731
  tags:
      - RHEL-08-010731
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-244531r743842_rule
      - V-244531
      - permissions

- name: "MEDIUM | RHEL-08-010740 | PATCH | All RHEL 8 local interactive user home directories must be group-owned by the home directory owner’s primary group."
  ansible.builtin.file:
      path: "{{ item.dir }}"
      group: "{{ item.gid }}"
      state: directory
  with_items: "{{ rhel8stig_passwd }}"
  loop_control:
      label: "{{ rhel8stig_passwd_label }}"
  when:
      - rhel_08_010740
      - item.uid is search(discovered_interactive_uids.stdout)
  tags:
      - RHEL-08-010740
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230322r880717_rule
      - V-230322
      - permissions

- name: "MEDIUM | RHEL-08-010741 | PATCH | RHEL 8 must be configured so that all files and directories contained in local interactive user home directories are group-owned by a group of which the home directory owner is a member."
  ansible.builtin.file:
      path: "{{ item.dir }}"
      group: "{{ item.gid }}"
      state: directory
      recurse: true
  with_items: "{{ rhel8stig_passwd }}"
  loop_control:
      label: "{{ rhel8stig_passwd_label }}"
  when:
      - rhel_08_010741
      - item.uid is search(discovered_interactive_uids.stdout)
  tags:
      - RHEL-08-010741
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-244532r743845_rule
      - V-244532
      - permissions

- name: "MEDIUM | RHEL-08-010760 | PATCH | All RHEL 8 local interactive user accounts must be assigned a home directory upon creation."
  ansible.builtin.lineinfile:
      path: /etc/login.defs
      regexp: '.*?CREATE_HOME.*'
      line: CREATE_HOME     yes
      owner: root
      group: root
      mode: "{{ rhel8stig_login_defs_file_perms }}"
  when:
      - rhel_08_010760
  tags:
      - RHEL-08-010760
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230324r627750_rule
      - V-230324
      - login
      - home

- name: "MEDIUM | RHEL-08-010770 | PATCH | All RHEL 8 local initialization files must have mode 0740 or less permissive."
  ansible.builtin.file:
      path: "{{ item }}"
      mode: "{{ rhel8stig_local_int_perm }}"
  with_items: "{{ rhel_08_stig_interactive_homedir_inifiles }}"
  when:
      - rhel_08_010770
      - rhel8stig_disruption_high
      - rhel_08_stig_interactive_homedir_inifiles is defined
  tags:
      - RHEL-08-010770
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230325r917879_rule
      - V-230325
      - complexity-high

- name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner."
  block:
      - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner. | Get nouser files"
        ansible.builtin.shell: find / -nouser
        changed_when: false
        failed_when: false
        register: rhel_08_010780_nouser_files

      - name: "MEDIUM | RHEL-08-010780 | AUDIT | All RHEL 8 files and directories must have a valid owner. | Alert nouser files"
        ansible.builtin.debug:
            msg:
                - "WARNING!! There are files with no user assigned. Please review files listed below and assign owner"
                - "{{ rhel_08_010780_nouser_files.stdout_lines }}"
        when: rhel_08_010780_nouser_files.stdout | length > 0
  when:
      - rhel_08_010780
  tags:
      - RHEL-08-010780
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230326r627750_rule
      - V-230326
      - permissions

- name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner."
  block:
      - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner. | Get nogroup files"
        ansible.builtin.shell: find / -nogroup
        changed_when: false
        failed_when: false
        register: rhel_08_010790_nogroup_files

      - name: "MEDIUM | RHEL-08-010790 | AUDIT | All RHEL 8 files and directories must have a valid group owner. | Alert nogroup files"
        ansible.builtin.debug:
            msg:
                - "WARNING!! There are files with no group assigned. Please review files listed below and assign group"
                - "{{ rhel_08_010790_nogroup_files.stdout_lines }}"
        when: rhel_08_010790_nogroup_files.stdout | length > 0
  when:
      - rhel_08_010790
  tags:
      - RHEL-08-010790
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230327r627750_rule
      - V-230327
      - permissions

- name: "MEDIUM | RHEL-08-010800 | PATCH | A separate RHEL 8 filesystem must be used for user home directories (such as /home or an equivalent)."
  ansible.builtin.debug:
      msg: "WARNING!!  /home is not mounted on a separate partition"
  changed_when:
      - rhel8stig_audit_complex
  when:
      - rhel_08_010800
      - rhel8stig_complex
      - "'/home' not in ansible_facts.mounts"
  tags:
      - RHEL-08-010800
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SSV-230328r902723_rule
      - V-23032
      - complexity-high
      - mounts
      - home

- name: "MEDIUM | RHEL-08-010830 | PATCH | RHEL 8 must not allow users to override SSH environment variables."
  ansible.builtin.lineinfile:
      path: /etc/ssh/sshd_config
      regexp: '(?i)^#?PermitUserEnvironment'
      line: 'PermitUserEnvironment no'
      validate: '/usr/sbin/sshd -T -f %s'
  notify: restart sshd
  when:
      - rhel_08_010830
      - rhel8stig_ssh_required
      - rhel8stig_disruption_high
  tags:
      - RHEL-08-010830
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00229
      - SV-230330r951610_rule
      - V-230330
      - ssh
      - disruption_high

- name: "MEDIUM | RHEL-08-020000 | AUDIT | RHEL 8 temporary user accounts must be provisioned with an expiration time of 72 hours or less."
  ansible.builtin.debug:
      msg:
          - "WARNING!!  Please check temporary accounts for expiration dates to be 72 hours or less."
          - "To do this please run sudo chage -l account_name for the accounts you need to check"
          - "The results will display the Account Expires information"
          - 'To set account expire run sudo chage -E `date -d "+3 days" +%Y-%m-%d` account_name'
  when:
      - rhel_08_020000
  tags:
      - RHEL-08-020000
      - CAT2
      - CCI-000016
      - SRG-OS-000002-GPOS-00002
      - SV-230331r627750_rule
      - V-230331
      - accounts

- name: "MEDIUM | RHEL-08-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur."
  block:
      - name: "MEDIUM | RHEL-08-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set preauth"
        ansible.builtin.lineinfile:
            path: "/etc/pam.d/{{ item }}"
            regexp: '^auth\s+required\s+pam_faillock.so preauth'
            line: "auth       required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
            insertafter: '^auth'
        notify: restart sssd
        with_items:
            - system-auth
            - password-auth

      - name: "MEDIUM | RHEL-08-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set authfail"
        ansible.builtin.lineinfile:
            path: "/etc/pam.d/{{ item }}"
            regexp: '^auth\s+required\s+pam_faillock.so authfail'
            line: 'auth       required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
            insertafter: '^auth'
        notify: restart sssd
        with_items:
            - system-auth
            - password-auth

      - name: "MEDIUM | RHEL-08-020010 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur. | Set account faillock"
        ansible.builtin.lineinfile:
            path: "/etc/pam.d/{{ item }}"
            regexp: '^account\s+required\s+pam_faillock.so'
            line: 'account    required pam_faillock.so'
            insertafter: '^account'
        notify: restart sssd
        with_items:
            - system-auth
            - password-auth
  when:
      - rhel_08_020010
      - ansible_distribution_version is version('8.1', '<=')
  tags:
      - RHEL-08-020010
      - CAT2
      - CCI-000044
      - SRG-OS-000021-GPOS-00005
      - SV-230332r627750_rule
      - V-230332
      - pamd

- name: "MEDIUM | RHEL-08-020011 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur."
  ansible.builtin.lineinfile:
      path: "/etc/security/faillock.conf"
      regexp: '^deny =|^\# deny ='
      line: "deny = {{ rhel8stig_pam_faillock.attempts }}"
  when:
      - rhel_08_020011
      - ansible_distribution_version is version('8.2', '>=')
  tags:
      - RHEL-08-020011
      - CAT2
      - CCI-000044
      - SRG-OS-000021-GPOS-00005
      - SV-230333r743966_rule
      - V-230333
      - pamd

- name: "MEDIUM | RHEL-08-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period."
  block:
      - name: "MEDIUM | RHEL-08-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth"
        ansible.builtin.lineinfile:
            path: "/etc/pam.d/{{ item }}"
            regexp: '^auth\s+required\s+pam_faillock.so preauth'
            line: "auth       required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
            insertafter: '^auth'
        notify: restart sssd
        with_items:
            - system-auth
            - password-auth

      - name: "MEDIUM | RHEL-08-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail"
        ansible.builtin.lineinfile:
            path: "/etc/pam.d/{{ item }}"
            regexp: '^auth\s+required\s+pam_faillock.so authfail'
            line: 'auth       required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
            insertafter: '^auth'
        notify: restart sssd
        with_items:
            - system-auth
            - password-auth

      - name: "MEDIUM | RHEL-08-020012 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock"
        ansible.builtin.lineinfile:
            path: "/etc/pam.d/{{ item }}"
            regexp: '^account\s+required\s+pam_faillock.so'
            line: 'account    required pam_faillock.so'
            insertafter: '^account'
        notify: restart sssd
        with_items:
            - system-auth
            - password-auth
  when:
      - rhel_08_020012
      - ansible_distribution_version is version('8.1', '<=')
  tags:
      - RHEL-08-020012
      - CAT2
      - CCI-000044
      - SRG-OS-000021-GPOS-00005
      - SV-230334r627750_rule
      - V-230334
      - pamd

- name: "MEDIUM | RHEL-08-020013 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period."
  ansible.builtin.lineinfile:
      path: "/etc/security/faillock.conf"
      regexp: '^fail_interval =|^\# fail_interval ='
      line: "fail_interval = {{ rhel8stig_pam_faillock.interval }}"
  when:
      - rhel_08_020013
      - ansible_distribution_version is version('8.2', '>=')
  tags:
      - RHEL-08-020013
      - CAT2
      - CCI-000044
      - SRG-OS-000021-GPOS-00005
      - SV-230335r743969_rule
      - V-230335
      - pamd

- name: "MEDIUM | RHEL-08-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period."
  block:
      - name: "MEDIUM | RHEL-08-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth"
        ansible.builtin.lineinfile:
            path: "/etc/pam.d/{{ item }}"
            regexp: '^auth\s+required\s+pam_faillock.so preauth'
            line: "auth       required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
            insertafter: '^auth       required pam_env.so'
        notify: restart sssd
        with_items:
            - system-auth
            - password-auth

      - name: "MEDIUM | RHEL-08-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail"
        ansible.builtin.lineinfile:
            path: "/etc/pam.d/{{ item }}"
            regexp: '^auth\s+required\s+pam_faillock.so authfail'
            line: 'auth       required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
            insertafter: '^auth'
        notify: restart sssd
        with_items:
            - system-auth
            - password-auth

      - name: "MEDIUM | RHEL-08-020014 | PATCH | RHEL 8 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock"
        ansible.builtin.lineinfile:
            path: "/etc/pam.d/{{ item }}"
            regexp: '^account\s+requireds+pam_faillock.so'
            line: 'account    required pam_faillock.so'
            insertbefore: '^account'
        notify: restart sssd
        with_items:
            - system-auth
            - password-auth
  when:
      - rhel_08_020014
      - ansible_distribution_version is version('8.1', '<=')
  tags:
      - RHEL-08-020014
      - CAT2
      - CCI-000044
      - SRG-OS-000021-GPOS-00005
      - SV-230336r627750_rule
      - V-230336
      - pamd

- name: "MEDIUM | RHEL-08-020015 | PATCH | RHEL 8 must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period."
  ansible.builtin.lineinfile:
      path: "/etc/security/faillock.conf"
      regexp: '^unlock_time =|^\# unlock_time ='
      line: "unlock_time = {{ rhel8stig_pam_faillock.unlock_time }}"
  when:
      - rhel_08_020015
      - ansible_distribution_version is version('8.2', '>=')
  tags:
      - RHEL-08-020015
      - CAT2
      - CCI-000044
      - SRG-OS-000021-GPOS-00005
      - SV-230337r743972_rule
      - V-230337
      - pamd

- name: "MEDIUM | RHEL-08-020016 | PATCH | RHEL 8 must ensure account lockouts persist."
  block:
      - name: "MEDIUM | RHEL-08-020016 | PATCH | RHEL 8 must ensure account lockouts persist.| Set preauth"
        ansible.builtin.lineinfile:
            path: "/etc/pam.d/{{ item }}"
            regexp: '^auth       required pam_faillock.so preauth'
            line: "auth       required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
            insertafter: '^auth'
        notify: restart sssd
        with_items:
            - system-auth
            - password-auth

      - name: "MEDIUM | RHEL-08-020016 | PATCH | RHEL 8 must ensure account lockouts persist. | Set authfail"
        ansible.builtin.lineinfile:
            path: "/etc/pam.d/{{ item }}"
            regexp: '^auth       required pam_faillock.so authfail'
            line: 'auth       required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
            insertafter: '^auth'
        notify: restart sssd
        with_items:
            - system-auth
            - password-auth

      - name: "MEDIUM | RHEL-08-020016 | PATCH | RHEL 8 must ensure account lockouts persist. | Set account faillock"
        ansible.builtin.lineinfile:
            path: "/etc/pam.d/{{ item }}"
            regexp: '^account    required pam_faillock.so'
            line: 'account    required pam_faillock.so'
            insertafter: '^account'
        notify: restart sssd
        with_items:
            - system-auth
            - password-auth
  when:
      - rhel_08_020016
      - ansible_distribution_version is version('8.1', '<=')
  tags:
      - RHEL-08-020016
      - CAT2
      - CCI-000044
      - SRG-OS-000021-GPOS-00005
      - SV-230338r627750_rule
      - V-230338
      - pamd

- name: "MEDIUM | RHEL-08-020017 | PATCH | RHEL 8 must ensure account lockouts persist."
  ansible.builtin.lineinfile:
      path: "/etc/security/faillock.conf"
      regexp: '^dir =|^\# dir ='
      line: "dir = {{ rhel8stig_pam_faillock.dir }}"
  when:
      - rhel_08_020017
      - ansible_distribution_version is version('8.2', '>=')
  tags:
      - RHEL-08-020017
      - CAT2
      - CCI-000044
      - SRG-OS-000021-GPOS-00005
      - SV-230339r743975_rule
      - V-230339
      - pamd

- name: "MEDIUM | RHEL-08-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur."
  block:
      - name: "MEDIUM | RHEL-08-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur.| Set preauth"
        ansible.builtin.lineinfile:
            path: "/etc/pam.d/{{ item }}"
            regexp: '^auth\s+required\s+pam_faillock.so preauth'
            line: "auth       required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
            insertafter: '^auth       required pam_env.so'
        notify: restart sssd
        with_items:
            - system-auth
            - password-auth

      - name: "MEDIUM | RHEL-08-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set authfail"
        ansible.builtin.lineinfile:
            path: "/etc/pam.d/{{ item }}"
            regexp: '^auth\s+required\s+pam_faillock.so authfail'
            line: 'auth       required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
            insertafter: '^auth'
        notify: restart sssd
        with_items:
            - system-auth
            - password-auth

      - name: "MEDIUM | RHEL-08-020018 | PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. | Set account faillock"
        ansible.builtin.lineinfile:
            path: "/etc/pam.d/{{ item }}"
            regexp: '^account\s+required\s+pam_faillock.so'
            line: 'account    required pam_faillock.so'
            insertbefore: '^account'
        notify: restart sssd
        with_items:
            - system-auth
            - password-auth
  when:
      - rhel_08_020018
      - ansible_distribution_version is version('8.1', '<=')
  tags:
      - RHEL-08-020018
      - CAT2
      - CCI-000044
      - SRG-OS-000021-GPOS-00005
      - SV-230340r627750_rule
      - V-230340
      - pamd

- name: "MEDIUM | RHEL-08-020019| PATCH | RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur."
  ansible.builtin.lineinfile:
      path: "/etc/security/faillock.conf"
      regexp: '^silent|^\# silent'
      line: "silent"
  when:
      - rhel_08_020019
      - ansible_distribution_version is version('8.2', '>=')
  tags:
      - RHEL-08-020019
      - CAT2
      - CCI-000044
      - SRG-OS-000021-GPOS-00005
      - SV-230341r743978_rule
      - V-230341
      - pamd

- name: "MEDIUM | RHEL-08-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur."
  block:
      - name: "MEDIUM | RHEL-08-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set preauth"
        ansible.builtin.lineinfile:
            path: "/etc/pam.d/{{ item }}"
            regexp: '^auth\s+required\s+pam_faillock.so preauth'
            line: "auth       required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
            insertafter: '^auth       required pam_env.so'
        notify: restart sssd
        with_items:
            - system-auth
            - password-auth

      - name: "MEDIUM | RHEL-08-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set authfail"
        ansible.builtin.lineinfile:
            path: "/etc/pam.d/{{ item }}"
            regexp: '^auth\s+required\s+pam_faillock.so authfail'
            line: 'auth       required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
            insertafter: '^auth'
        notify: restart sssd
        with_items:
            - system-auth
            - password-auth

      - name: "MEDIUM | RHEL-08-020020 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur. | Set account faillock"
        ansible.builtin.lineinfile:
            path: "/etc/pam.d/{{ item }}"
            regexp: '^account\s+required\s+pam_faillock.so'
            line: 'account    required pam_faillock.so'
            insertbefore: '^account'
        notify: restart sssd
        with_items:
            - system-auth
            - password-auth
  when:
      - rhel_08_020020
      - ansible_distribution_version is version('8.1', '<=')
  tags:
      - RHEL-08-020020
      - CAT2
      - CCI-000044
      - SRG-OS-000021-GPOS-00005
      - SV-230342r646872_rule
      - V-230342
      - pamd

- name: "MEDIUM | RHEL-08-020021 | PATCH | RHEL 8 must log user name information when unsuccessful logon attempts occur."
  ansible.builtin.lineinfile:
      path: "/etc/security/faillock.conf"
      regexp: '^audit|^\# audit'
      line: "audit"
  when:
      - rhel_08_020021
      - ansible_distribution_version is version('8.2', '>=')
  tags:
      - RHEL-08-020021
      - CAT2
      - CCI-000044
      - SRG-OS-000021-GPOS-00005
      - SV-230343r743981_rule
      - V-230343
      - pamd

- name: "MEDIUM | RHEL-08-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period."
  block:
      - name: "MEDIUM | RHEL-08-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set preauth"
        ansible.builtin.lineinfile:
            path: "/etc/pam.d/{{ item }}"
            regexp: '^auth\s+required\s+pam_faillock.so preauth'
            line: "auth       required pam_faillock.so preauth dir={{ rhel8stig_pam_faillock.dir }} silent audit deny={{ rhel8stig_pam_faillock.attempts }}{{ (rhel8stig_pam_faillock.fail_for_root) | ternary(' even_deny_root ',' ') }}fail_interval={{ rhel8stig_pam_faillock.interval }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}"
            insertafter: '^auth       required pam_env.so'
        notify: restart sssd
        with_items:
            - system-auth
            - password-auth

      - name: "MEDIUM | RHEL-08-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set authfail"
        ansible.builtin.lineinfile:
            path: "/etc/pam.d/{{ item }}"
            regexp: '^auth\s+required\s+pam_faillock.so authfail'
            line: 'auth       required pam_faillock.so authfail dir={{ rhel8stig_pam_faillock.dir }} unlock_time={{ rhel8stig_pam_faillock.unlock_time }}'
            insertafter: '^auth'
        notify: restart sssd
        with_items:
            - system-auth
            - password-auth

      - name: "MEDIUM | RHEL-08-020022 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period. | Set account faillock"
        ansible.builtin.lineinfile:
            path: "/etc/pam.d/{{ item }}"
            regexp: '^account\s+required\s+pam_faillock.so'
            line: 'account    required pam_faillock.so'
            insertbefore: '^account'
        notify: restart sssd
        with_items:
            - system-auth
            - password-auth
  when:
      - rhel_08_020022
      - ansible_distribution_version is version('8.1', '<=')
  tags:
      - RHEL-08-020022
      - CAT2
      - CCI-000044
      - SRG-OS-000021-GPOS-00005
      - SV-230344r646874_rule
      - V-230344
      - pamd

- name: "MEDIUM | RHEL-08-020023 | PATCH | RHEL 8 must include root when automatically locking an account until the locked account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period."
  ansible.builtin.lineinfile:
      path: "/etc/security/faillock.conf"
      regexp: '^even_deny_root|^\# even_deny_root'
      line: "even_deny_root"
  when:
      - rhel_08_020023
      - ansible_distribution_version is version('8.2', '>=')
  tags:
      - RHEL-08-020023
      - CAT2
      - CCI-000044
      - SRG-OS-000021-GPOS-00005
      - SV-230345r743984_rule
      - V-230345
      - pamd

- name: |
    "MEDIUM | RHEL-08-020027 | PATCH | RHEL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory
     MEDIUM | RHEL-08-020028 | PATCH | RHEL 8 systems below version 8.2 must configure SELinux context type to allow the use of a non-default faillock tally directory."
  block:
      - name: |
          "MEDIUM | RHEL-08-020027 | PATCH | RHEL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory
           MEDIUM | RHEL-08-020028 | PATCH | RHEL 8 systems below version 8.2 must configure SELinux context type to allow the use of a non-default faillock tally directory."
        community.general.sefcontext:
            target: "{{ rhel8stig_pam_faillock.dir }}(/.*)?"
            ftype: a
            setype: faillog_t
            seuser: system_u
            state: present
        register: add_faillock_secontext

      - name: |
          "MEDIUM | RHEL-08-020027 | RHEL 8 systems, versions 8.2 and above, must configure SELinux context type to allow the use of a non-default faillock tally directory.
           MEDIUM | RHEL-08-020028 | RHEL 8 systems below version 8.2 must configure SELinux context type to allow the use of a non-default faillock tally directory."
        ansible.builtin.shell: "restorecon -irvF {{ rhel8stig_pam_faillock.dir }}"
        when: add_faillock_secontext.changed  # noqa no-handler
  when:
      - rhel_08_020027 or
        rhel_08_020028
  tags:
      - RHEL-08-020027
      - RHEL-08-020028
      - CAT2
      - CCI-000044
      - SRG-OS-000021-GPOS-00005
      - SV-250315r793009_rule
      - SV-250316r793010_rule
      - V-250315
      - V-250316
      - selinux

- name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions."
  block:
      - name: "MEDIUM | RHEL-08-020030 | AUDIT | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Check for lock-enabled"
        ansible.builtin.shell: "grep -IlR ^lock-enabled /etc/dconf/db/*"
        changed_when: false
        failed_when: false
        register: rhel_08_020030_lock_enabled

      - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Set if exists"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: ^lock-enabled
            line: lock-enabled=true
        loop: "{{ rhel_08_020030_lock_enabled.stdout_lines }}"
        when: rhel_08_020030_lock_enabled.stdout | length > 0
        notify: dconf update

      - name: "MEDIUM | RHEL-08-020030 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for graphical user sessions. | Set if does not exist"
        ansible.builtin.lineinfile:
            path: /etc/dconf/db/local.d/00-screensaver
            create: true
            regexp: '^lock-enabled'
            owner: root
            group: root
            mode: 'u-x,go-wx'
            line: |
                [org/gnome/desktop/screensaver]
                # Set this to true to lock the screen when the screensaver activates
                lock-enabled=true
        when: rhel_08_020030_lock_enabled.stdout | length == 0
        notify: dconf update
  when:
      - rhel_08_020030
      - "'dconf' in ansible_facts.packages"
      - rhel8stig_always_configure_dconf
  tags:
      - RHEL-08-020030
      - CAT2
      - CCI-000056
      - SRG-OS-000028-GPOS-00009
      - SV-230347r627750_rule
      - V-230347
      - gui

- name: "MEDIUM | RHEL-08-020035 | PATCH | RHEL 8 must terminate idle user sessions."
  ansible.builtin.lineinfile:
      path: "/etc/systemd/logind.conf"
      regexp: "{{ item.regexp }}"
      line: "{{ item.line }}"
  loop:
      - { regexp: '^(?#)\s*StopIdleSessionSec\s*=', line: "StopIdleSessionSec={{ rhel_08_020035_idlesessiontimeout }}" }
      - { regexp: '^(?#)\s*KillUserProccesses\s*=', line: "KillUserProccesses=no" }
  notify: Restart_systemdlogin
  when:
      - rhel_08_020035
  tags:
      - RHEL-08-020035
      - CAT2
      - CCI-001133
      - SRG-OS-000163-GPOS-00072
      - SV-257258r942953_rule
      - V-257258
      - session

- name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions."
  block:
      - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions. | Install tmux"
        ansible.builtin.package:
            name: tmux
            state: present
        when: "'tmux' not in ansible_facts.packages"

      - name: "MEDIUM | RHEL-08-020040 | PATCH | RHEL 8 must enable a user session lock until that user re-establishes access using established identification and authentication procedures for command line sessions. | Configure tmux"
        ansible.builtin.lineinfile:
            path: /etc/tmux.conf
            regexp: "{{ item.regexp }}"
            line: "{{ item.line }}"
            create: true
            owner: root
            group: root
            mode: 'u-x,go-wx'
        loop:
            - { regexp: '^set -g lock-command', line: 'set -g lock-command vlock' }
            - { regexp: '^bind X lock-session', line: 'bind X lock-session' }
  when:
      - rhel_08_020040
  tags:
      - RHEL-08-020040
      - CAT2
      - CCI-000056
      - SRG-OS-000028-GPOS-00009
      - SV-230348r902725_rule
      - V-230348
      - tmux

- name: "MEDIUM | RHEL-08-020041 | PATCH | RHEL 8 must ensure session control is automatically started at shell initialization. | Set tmux.sh if file exists"
  ansible.builtin.blockinfile:
      path: /etc/profile.d/tmux.sh
      marker: "# <!-- {mark} ANSIBLE LOCKDOWN RHEL-08-020041 MANAGED BLOCK -->"
      block: |
          ### Updated to recognize other session control per Red Hat Case 03115293
          [ $( /bin/id -u ) -eq 0 ] && [ x$TMUX = x ] && exec tmux
          [[ $( /bin/tty ) =~ '/dev/tty' ]] && [ -n "$PS1" -a -z "$TMUX" ] && exec tmux
      create: true
  when:
      - rhel_08_020041
  tags:
      - RHEL-08-020041
      - CAT2
      - CCI-000056
      - SRG-OS-000028-GPOS-00009
      - SV-230349r917920_rule
      - V-230349
      - tmux

- name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed."
  block:
      - name: "MEDIUM | RHEL-08-020050 | AUDIT | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Find removal-action param"
        ansible.builtin.shell: "grep -IlR removal-action= /etc/dconf/db/*"
        changed_when: false
        failed_when: false
        register: rhel_08_020050_removal_action

      - name: "MEDIUM | RHEL-08-020050 | AUDIT | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Find removal-action param"
        ansible.builtin.shell: "grep -IlR removal-action= /etc/dconf/db/* | sed 's:.*/::'"
        changed_when: false
        failed_when: false
        register: rhel_08_020050_removal_action_file

      - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set removal-action param if doesn't exist"
        ansible.builtin.lineinfile:
            path: /etc/dconf/db/distro.d/20-authselect
            create: true
            owner: root
            group: root
            mode: 'u-x,go-wx'
            line: |
                [org/gnome/settings-daemon/peripherals/smartcard]
                removal-action='lock-screen'
        when: rhel_08_020050_removal_action.stdout_lines | length == 0
        notify: dconf update

      - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Update removal-action if exists"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: ^removal-action=
            line: removal-action='lock-screen'
        loop: "{{ rhel_08_020050_removal_action.stdout_lines }}"
        when: rhel_08_020050_removal_action.stdout_lines | length > 0
        notify: dconf update

      - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set smartcard section of db"
        ansible.builtin.lineinfile:
            path: '/etc/dconf/db/distro.d/locks/{{ item }}'
            line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action
        loop: "{{ rhel_08_020050_removal_action_file.stdout_lines }}"
        when: rhel_08_020050_removal_action_file.stdout_lines | length > 0
        notify: dconf update

      - name: "MEDIUM | RHEL-08-020050 | PATCH | RHEL 8 must be able to initiate directly a session lock for all connection types using smartcard when the smartcard is removed. | Set smartcard section of db"
        ansible.builtin.lineinfile:
            path: /etc/dconf/db/distro.d/locks/20-authselect
            create: true
            line: /org/gnome/settings-daemon/peripherals/smartcard/removal-action
            owner: root
            group: root
            mode: 'u-x,g-wx,o-rwx'
        when: rhel_08_020050_removal_action_file.stdout_lines | length == 0
        notify: dconf update
  when:
      - rhel_08_020050
      - "'dconf' in ansible_facts.packages"
  tags:
      - RHEL-08-020050
      - CAT2
      - CCI-000056
      - SRG-OS-000028-GPOS-00009
      - SV-230351r792899_rule
      - V-230351
      - smartcard

- name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity."
  block:
      - name: "MEDIUM | RHEL-08-020060 | AUDIT | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Find idle-delay parameter"
        ansible.builtin.shell: 'grep -IlR idle-delay= /etc/dconf/db/*'
        changed_when: false
        failed_when: false
        register: rhel_08_020060_idle_delay_param

      - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Set idle-delay if doesn't exist"
        ansible.builtin.lineinfile:
            path: /etc/dconf/db/local.d/00-screensaver
            create: true
            owner: root
            group: root
            mode: 'u-x,g-wx,o-rwx'
            regexp: '^idle-delay'
            line: |
                [org/gnome/desktop/session]
                # Set the lock time out to 900 seconds before the session is considered idle
                idle-delay=uint32 900
        notify: dconf update
        when: rhel_08_020060_idle_delay_param.stdout_lines | length == 0

      - name: "MEDIUM | RHEL-08-020060 | PATCH | RHEL 8 must automatically log out graphical user sessions after 15 minutes of inactivity. | Set idle-delay if exists"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: '^idle-delay='
            line: idle-delay=uint32 900
            owner: root
            group: root
            mode: 'u-x,g-wx,o-rwx'
        loop: "{{ rhel_08_020060_idle_delay_param.stdout_lines }}"
        when: rhel_08_020060_idle_delay_param.stdout_lines | length > 0
        notify: dconf update
  when:
      - rhel_08_020060
      - "'dconf' in ansible_facts.packages"
      - rhel8stig_always_configure_dconf
  tags:
      - RHEL-08-020060
      - CAT2
      - CCI-000057
      - SRG-OS-000029-GPOS-00010
      - SV-230352r646876_rule
      - V-230352
      - gui

- name: "MEDIUM | RHEL-08-020070 | PATCH | RHEL 8 must automatically log out command line user sessions after 15 minutes of inactivity."
  block:
      - name: "MEDIUM | RHEL-08-020070 | PATCH | RHEL 8 must automatically log out command line user sessions after 15 minutes of inactivity. | Install tmux if needed"
        ansible.builtin.package:
            name: tmux
            state: present
        when: "'tmux' not in ansible_facts.packages"

      - name: "MEDIUM | RHEL-08-020070 | PATCH | RHEL 8 must automatically log out command line user sessions after 15 minutes of inactivity. | Set tmux settings"
        ansible.builtin.lineinfile:
            path: /etc/tmux.conf
            regexp: '^set -g lock-after-time'
            line: "set -g lock-after-time {{ rhel8stig_tmux_lock_after_time }}"
            owner: root
            group: root
            mode: 'u-x,go-wx'
  when:
      - rhel_08_020070
  tags:
      - RHEL-08-020070
      - CAT2
      - CCI-000057
      - SRG-OS-000029-GPOS-00010
      - SV-230353r627750_rule
      - V-230353
      - tmux

- name: "MEDIUM | RHEL-08-020080 | PATCH | RHEL 8 must prevent a user from overriding graphical user interface settings."
  ansible.builtin.lineinfile:
      path: /etc/dconf/db/local.d/locks/session
      create: true
      line: /org/gnome/desktop/screensaver/lock-delay
      owner: root
      group: root
      mode: 'u-x,g-wx,o-rwx'
  when:
      - rhel_08_020080
      - "'dconf' in ansible_facts.packages"
      - rhel8stig_always_configure_dconf
  tags:
      - RHEL-08-020080
      - CAT2
      - CCI-000057
      - SRG-OS-000029-GPOS-00010
      - SV-230354r743990_rule
      - V-230354
      - gui

- name: "MEDIUM | RHEL-08-020090 | PATCH | RHEL 8 must map the authenticated identity to the user or group account for PKI-based authentication."
  ansible.builtin.lineinfile:
      path: "{{ rhel8stig_sssd_conf }}"
      regexp: "{{ item.regexp }}"
      line: "{{ item.line }}"
      owner: root
      group: root
      mode: 'u-x,go-rwx'
  with_items:
      - { regexp: '^\[{{ rhel8stig_sssd.certmap }}\]', line: '[{{ rhel8stig_sssd.certmap }}]' }
      - { regexp: '^matchrule {{ rhel8stig_sssd.matchrule }}', line: 'matchrule {{ rhel8stig_sssd.matchrule }}' }
      - { regexp: '^maprule = {{ rhel8stig_sssd.maprule }}', line: 'maprule = {{ rhel8stig_sssd.maprule }}' }
      - { regexp: 'domains = {{ rhel8stig_sssd.domains }}', line: 'domains = {{ rhel8stig_sssd.domains }}' }
  notify: restart sssd
  when:
      - rhel_08_020090
      - rhel8stig_sssd_conf_present.stat.exists
  tags:
      - RHEL-08-020090
      - CAT2
      - CCI-000187
      - SRG-OS-000068-GPOS-00036
      - SV-230355r858743_rule
      - V-230355
      - authentication

- name: "MEDIUM | RHEL-08-020100 | PATCH | RHEL 8 must ensure the password complexity module is enabled in the password-auth file."
  ansible.builtin.lineinfile:
      path: /etc/pam.d/password-auth
      regexp: '^password\s+(required|requisite)\s+pam_pwquality.so'
      line: 'password   requisite pam_pwquality.so'
      insertafter: '^password'
      owner: root
      group: root
      mode: "{{ rhel8stig_pamd_file_perms }}"
  when:
      - rhel_08_020100
  tags:
      - RHEL-08-020100
      - CAT2
      - CCI-000366
      - SRG-OS-000069-GPOS-00037
      - SV-230356r902728_rule
      - V-230356
      - pamd

- name: "MEDIUM | RHEL-08-020101 | PATCH | RHEL 8 must ensure the password complexity module is enabled in the system-auth file."
  ansible.builtin.lineinfile:
      path: /etc/pam.d/system-auth
      regexp: '^password\s+(required|requisite)\s+pam_pwquality.so'
      line: 'password   requisite pam_pwquality.so'
      insertafter: '^password'
      owner: root
      group: root
      mode: "{{ rhel8stig_pamd_file_perms }}"
  when:
      - rhel_08_020101
  tags:
      - RHEL-08-020101
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-251713r902740_rule
      - V-251713
      - pamd

- name: "MEDIUM | RHEL-08-020102 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less."
  block:
      - name: "MEDIUM | RHEL-08-020102 | AUDIT | RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less. | Get pam_pwquality state"
        ansible.builtin.shell: cat /etc/pam.d/system-auth | grep "password.*requisite.*pam_pwquality.so"
        changed_when: false
        failed_when: false
        register: rhel_08_020102_pwquality_status

      - name: "MEDIUM | RHEL-08-020102 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less. | Set if no pw required pam_pwquality"
        ansible.builtin.lineinfile:
            path: /etc/pam.d/system-auth
            regexp: '^password\s+(required|requisite)\s+pam_pwquality.so retry={{ rhel8stig_pam_pwquality_retry }}'
            line: 'password   requisite pam_pwquality.so retry={{ rhel8stig_pam_pwquality_retry }}'
            insertafter: '^password'
            owner: root
            group: root
            mode: "{{ rhel8stig_pamd_file_perms }}"
        when: rhel_08_020102_pwquality_status.stdout | length == 0

      - name: "MEDIUM | RHEL-08-020102 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the system-auth file is configured for three retries or less. | Replace if already exists"
        community.general.pamd:
            name: system-auth
            type: password
            control: requisite
            module_path: pam_pwquality.so
            module_arguments: 'retry={{ rhel8stig_pam_pwquality_retry }}'
            state: args_present
        when: rhel_08_020102_pwquality_status.stdout | length > 0
  when:
      - rhel_08_020102
      - ansible_distribution_version is version('8.3', '<=')
  tags:
      - RHEL-08-020102
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-251714r902743_rule
      - V-251714
      - pamd

- name: "MEDIUM | RHEL-08-020103 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less."
  block:
      - name: "MEDIUM | RHEL-08-020103 | AUDIT | RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less. | Get pam_pwquality state"
        ansible.builtin.shell: cat /etc/pam.d/password-auth | grep "password.*requisite.*pam_pwquality.so"
        changed_when: false
        failed_when: false
        register: rhel_08_020103_pwquality_status

      - name: "MEDIUM | RHEL-08-020103 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less. | Set if no pw required pam_pwquality"
        ansible.builtin.lineinfile:
            path: /etc/pam.d/password-auth
            regexp: '^password\s+(required|requisite)\s+pam_pwquality.so retry={{ rhel8stig_pam_pwquality_retry }}'
            line: 'password   requisite pam_pwquality.so retry={{ rhel8stig_pam_pwquality_retry }}'
            insertafter: '^password'
            owner: root
            group: root
            mode: "{{ rhel8stig_pamd_file_perms }}"
        when: rhel_08_020103_pwquality_status.stdout | length == 0

      - name: "MEDIUM | RHEL-08-020103 | PATCH | RHEL 8 systems below version 8.4 must ensure the password complexity module in the password-auth file is configured for three retries or less. | Replace if already exists"
        community.general.pamd:
            name: password-auth
            type: password
            control: requisite
            module_path: pam_pwquality.so
            module_arguments: 'retry={{ rhel8stig_pam_pwquality_retry }}'
            state: args_present
        when: rhel_08_020103_pwquality_status.stdout | length > 0
  when:
      - rhel_08_020103
      - ansible_distribution_version is version('8.3', '<=')
  tags:
      - RHEL-08-020103
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-251715r902746_rule
      - V-251715
      - pamd

- name: "MEDIUM | RHEL-08-020104 | PATCH | RHEL 8 systems, version 8.4 and above, must ensure the password complexity module is configured for three retries or less."
  ansible.builtin.lineinfile:
      path: /etc/security/pwquality.conf
      regexp: '^retry =|^#.*retry ='
      line: retry = {{ rhel8stig_pam_pwquality_retry }}
      mode: "{{ rhel8stig_pwquality_file_perms }}"
  when:
      - rhel_08_020104
      - ansible_distribution_version is version('8.4', '>=')
  tags:
      - RHEL-08-020104
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-251716r858737_rule
      - V-251716
      - pamd

- name: "MEDIUM | RHEL-08-020110 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one upper-case character be used."
  ansible.builtin.lineinfile:
      path: /etc/security/pwquality.conf
      regexp: '^#?\s*ucredit'
      line: "ucredit = {{ rhel8stig_password_complexity.ucredit | default('-1') }}"
      owner: root
      group: root
      mode: "{{ rhel8stig_pwquality_file_perms }}"
      create: true
  when:
      - rhel_08_020110
  tags:
      - RHEL-08-020110
      - CAT2
      - CCI-000192
      - SRG-OS-000069-GPOS-00037
      - SV-230357r858771_rule
      - V-230357
      - pwquality

- name: "MEDIUM | RHEL-08-020120 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one lower-case character be used."
  ansible.builtin.lineinfile:
      path: /etc/security/pwquality.conf
      regexp: '^#?\s*lcredit'
      line: "lcredit = {{ rhel8stig_password_complexity.lcredit | default('-1') }}"
      create: true
      owner: root
      group: root
      mode: "{{ rhel8stig_pwquality_file_perms }}"
  when:
      - rhel_08_020120
  tags:
      - RHEL-08-020120
      - CAT2
      - CCI-00019
      - SRG-OS-000070-GPOS-00038
      - SV-230358r858773_rule
      - V-230358
      - pwquality

- name: "MEDIUM | RHEL-08-020130 | PATCH | RHEL 8 must enforce password complexity by requiring that at least one numeric character be used."
  ansible.builtin.lineinfile:
      path: /etc/security/pwquality.conf
      regexp: '^#?\s*dcredit'
      line: "dcredit = {{ rhel8stig_password_complexity.dcredit | default('-1') }}"
      create: true
      owner: root
      group: root
      mode: "{{ rhel8stig_pwquality_file_perms }}"
  when:
      - rhel_08_020130
  tags:
      - RHEL-08-020130
      - CAT2
      - CCI-000194
      - SRG-OS-000071-GPOS-00039
      - SV-230359r858775_rule
      - V-230359
      - pwquality

- name: "MEDIUM | RHEL-08-020140 | PATCH | RHEL 8 must require the maximum number of repeating characters of the same character class be limited to four when passwords are changed."
  ansible.builtin.lineinfile:
      path: /etc/security/pwquality.conf
      regexp: '^#?\s*maxclassrepeat'
      line: "maxclassrepeat = {{ rhel8stig_password_complexity.maxclassrepeat | default('4') }}"
      create: true
      owner: root
      group: root
      mode: "{{ rhel8stig_pwquality_file_perms }}"
  when:
      - rhel_08_020140
  tags:
      - RHEL-08-020140
      - CAT2
      - CCI-000195
      - SRG-OS-000072-GPOS-00040
      - SV-230360r858777_rule
      - V-230360
      - pwquality

- name: "MEDIUM | RHEL-08-20150 | PATCH | RHEL 8 must require the maximum number of repeating characters be limited to three when passwords are changed."
  ansible.builtin.lineinfile:
      path: /etc/security/pwquality.conf
      regexp: '^#?\s*maxrepeat'
      line: "maxrepeat = {{ rhel8stig_password_complexity.maxrepeat | default('3') }}"
      create: true
      owner: root
      group: root
      mode: "{{ rhel8stig_pwquality_file_perms }}"
  when:
      - rhel_08_020150
  tags:
      - RHEL-08-020150
      - CAT2
      - CCI-000195
      - SRG-OS-000072-GPOS-00040
      - SV-230361r858779_rule
      - V-230361
      - pwquality

- name: "MEDIUM | RHEL-08-020160 | PATCH | RHEL 8 must require the change of at least four character classes when passwords are changed."
  ansible.builtin.lineinfile:
      path: /etc/security/pwquality.conf
      regexp: '^#?\s*minclass'
      line: "minclass = {{ rhel8stig_password_complexity.minclass | default('4') }}"
      create: true
      owner: root
      group: root
      mode: "{{ rhel8stig_pwquality_file_perms }}"
  when:
      - rhel_08_020160
  tags:
      - RHEL-08-020160
      - CAT2
      - CCI-000195
      - SRG-OS-000072-GPOS-00040
      - SV-230362r858781_rule
      - V-230362
      - pwquality

- name: "MEDIUM | RHEL-08-020170 | PATCH | RHEL 8 must require the change of at least 8 characters when passwords are changed."
  ansible.builtin.lineinfile:
      path: /etc/security/pwquality.conf
      regexp: '^#?\s*difok'
      line: "difok = {{ rhel8stig_password_complexity.difok | default('8') }}"
      create: true
      owner: root
      group: root
      mode: "{{ rhel8stig_pwquality_file_perms }}"
  when:
      - rhel_08_020170
  tags:
      - RHEL-08-020170
      - CAT2
      - CCI-000195
      - SRG-OS-000072-GPOS-00040
      - SV-230363r858783_rule
      - V-230363
      - pwquality

- name: "MEDIUM | RHEL8-08-020180 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow."
  block:
      - name: "MEDIUM | RHEL8-08-020180 | AUDIT | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow. | Get list of users"
        ansible.builtin.shell: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $4 < 1 {print $1}' /etc/shadow"
        changed_when: false
        failed_when: false
        register: rhel_08_020180_users

      - name: "MEDIUM | RHEL8-08-020180 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/shadow. | Change user restriction"
        ansible.builtin.shell: chage -m 1 {{ item }}
        with_items: "{{ rhel_08_020180_users.stdout_lines }}"
  when:
      - rhel_08_020180
  tags:
      - RHEL8-08-020180
      - CAT2
      - CCI-000198
      - SRG-OS-000075-GPOS-00043
      - SV-230364r627750_rule
      - V-230364
      - password

- name: "MEDIUM | RHEL-08-020190 | PATCH | RHEL 8 passwords for new users or password changes must have a 24 hours/1 day minimum password lifetime restriction in /etc/logins.def."
  ansible.builtin.lineinfile:
      path: /etc/login.defs
      regexp: ^#?PASS_MIN_DAYS
      line: "PASS_MIN_DAYS {{ rhel8stig_login_defaults.pass_min_days | default('1') }}"
      create: true
      owner: root
      group: root
      mode: "{{ rhel8stig_login_defs_file_perms }}"
  when:
      - rhel_08_020190
  tags:
      - RHEL-08-020190
      - CAT2
      - CCI-000198
      - SRG-OS-000075-GPOS-00043
      - SV-230365r858727_rule
      - V-230365
      - login

- name: "MEDIUM | RHEL-08-020200 | PATCH | RHEL 8 user account passwords must have a 60-day maximum password lifetime restriction."
  ansible.builtin.lineinfile:
      path: /etc/login.defs
      create: true
      regexp: ^#?PASS_MAX_DAYS
      line: "PASS_MAX_DAYS {{ rhel8stig_login_defaults.pass_max_days | default('60') }}"
      owner: root
      group: root
      mode: "{{ rhel8stig_login_defs_file_perms }}"
  when:
      - rhel_08_020200
  tags:
      - RHEL-08-020200
      - CAT2
      - CCI-000199
      - SRG-OS-000076-GPOS-00044
      - SV-230366r646878_rule
      - V-230366
      - login

- name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime."
  block:
      - name: "MEDIUM | RHEL-08-020210 | AUDIT | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. | Get list of users"
        ansible.builtin.shell: "awk -F: '$1 !~ /^root$/ && $2 !~ /^[!*]/ && $5 > 60 {print $1}' /etc/shadow"
        check_mode: false
        changed_when: rhel_08_020210_users.stdout | length > 0
        register: rhel_08_020210_users

      - name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. | Reset password timeout to prevent locking out user."
        ansible.builtin.shell: chage -d '-1 day' {{ item }}
        check_mode: "{{ rhel8stig_disruptive_check_mode }}"
        with_items: "{{ rhel_08_020210_users.stdout_lines }}"

      - name: "MEDIUM | RHEL-08-020210 | PATCH | RHEL 8 user account passwords must be configured so that existing passwords are restricted to a 60-day maximum lifetime. | Set 60 max lifetime"
        ansible.builtin.shell: chage -M 60 {{ item }}
        check_mode: "{{ rhel8stig_disruptive_check_mode }}"
        with_items: "{{ rhel_08_020210_users.stdout_lines }}"
  when:
      - rhel_08_020210
      - rhel8stig_disruption_high
  tags:
      - RHEL-08-020210
      - CAT2
      - CCI-000199
      - SRG-OS-000076-GPOS-00044
      - SV-230367r627750_rule
      - V-230367
      - disruption-high
      - password

- name: "MEDIUM | RHEL-08-020220 | RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations."
  block:
      - name: "MEDIUM | RHEL-08-020220 | RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations. | Get pam_pwhistory status"
        ansible.builtin.shell: cat /etc/pam.d/password-auth | grep "password.*requisite.*pam_pwhistory.so"
        changed_when: false
        failed_when: false
        register: rhel_08_020220_pwhistory_status

      - name: "MEDIUM | RHEL-08-020220 | RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations. | Set if no pw required pw_history"
        ansible.builtin.lineinfile:
            path: /etc/pam.d/password-auth
            regexp: 'password\s+(required|requisite)\s+pam_pwhistory.so use_authtok remember='
            line: "password    requisite pam_pwhistory.so use_authtok remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}"
            insertafter: '^password'
            owner: root
            group: root
            mode: "{{ rhel8stig_pamd_file_perms }}"
        when: rhel_08_020220_pwhistory_status.stdout | length == 0

      - name: "MEDIUM | RHEL-08-020220 | RHEL 8 must be configured in the password-auth file to prohibit password reuse for a minimum of five generations. | Set if pw required pwhistory exists"
        community.general.pamd:
            name: password-auth
            type: password
            control: requisite
            module_path: pam_pwhistory.so
            module_arguments: 'remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}'
            state: args_present
        when: rhel_08_020220_pwhistory_status.stdout | length > 0
  when:
      - rhel_08_020220
  tags:
      - RHEL-08-020220
      - CAT2
      - CCI-000200
      - SRG-OS-000077-GPOS-00045
      - SV-230368r902759_rule
      - V-230368
      - pamd

- name: "MEDIUM | RHEL-08-020221 | PATCH | RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations."
  block:
      - name: "MEDIUM | RHEL-08-020221 | AUDIT | RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations. | Get pam_pwhistory state "
        ansible.builtin.shell: cat /etc/pam.d/system-auth | grep "password.*requisite.*pam_pwhistory.so"
        changed_when: false
        failed_when: false
        register: rhel_08_020221_pwhistory_status

      - name: "MEDIUM | RHEL-08-020221 | PATCH | RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations. | Set if no pw required pwhistory"
        ansible.builtin.lineinfile:
            path: /etc/pam.d/system-auth
            regexp: 'password\s+(required|requisite)\s+pam_pwhistory.so use_authtok remember='
            line: "password    requisite pam_pwhistory.so use_authtok remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}"
            insertafter: '^password'
            owner: root
            group: root
            mode: "{{ rhel8stig_pamd_file_perms }}"
        when: rhel_08_020221_pwhistory_status.stdout | length == 0

      - name: "MEDIUM | RHEL-08-020221 | PATCH | RHEL 8 must be configured in the system-auth file to prohibit password reuse for a minimum of five generations. | Set if pw required pwhistory exists"
        community.general.pamd:
            name: system-auth
            type: password
            control: requisite
            module_path: pam_pwhistory.so
            module_arguments: 'remember={{ rhel8stig_pam_pwhistory.remember | default(5) }}'
            state: args_present
        when: rhel_08_020221_pwhistory_status.stdout | length > 0
  when:
      - rhel_08_020221
  tags:
      - RHEL-08-020221
      - CAT2
      - CCI-000200
      - SRG-OS-000077-GPOS-00045
      - SV-251717r902749_rule
      - V-251717
      - pamd

- name: "MEDIUM | RHEL-08-20230 | PATCH | RHEL 8 passwords must have a minimum of 15 characters."
  ansible.builtin.lineinfile:
      path: /etc/security/pwquality.conf
      regexp: '^#?\s*minlen'
      line: "minlen = {{ rhel8stig_password_complexity.minlen | default('15') }}"
      create: true
      owner: root
      group: root
      mode: "{{ rhel8stig_pwquality_file_perms }}"
  when:
      - rhel_08_020230
  tags:
      - RHEL-08-020230
      - CAT2
      - CCI-000205
      - SRG-OS-000078-GPOS-00046
      - SV-230369r858785_rule
      - V-230369
      - pwquality

- name: "MEDIUM | RHEL-08-020231 | PATCH | RHEL 8 passwords for new users must have a minimum of 15 characters."
  ansible.builtin.lineinfile:
      path: /etc/login.defs
      regexp: '^PASS_MIN_LEN|^#PASS_MIN_LEN'
      line: "PASS_MIN_LEN 15"
      owner: root
      group: root
      mode: "{{ rhel8stig_login_defs_file_perms }}"
  when:
      - rhel_08_020231
  tags:
      - RHEL-08-020231
      - CAT2
      - CCI-000205
      - SRG-OS-000078-GPOS-00046
      - SV-230370r627750_rule
      - V-230370
      - passwords

- name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users."
  block:
      - name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users. | Get duplicate UID users"
        ansible.builtin.shell: awk -F ":" 'list[$3]++{print $1, $3}' /etc/passwd
        changed_when: false
        failed_when: false
        register: rhel_08_020240_duplicate_uid_users

      - name: "MEDIUM | RHEL-08-020240 | AUDIT | RHEL 8 duplicate User IDs (UIDs) must not exist for interactive users. | Message out duplicate users"
        ansible.builtin.debug:
            msg:
                - "WARNING!! Below are a list of users with duplicate UID's. Please review and create a unique ID for each user"
                - "{{ rhel_08_020240_duplicate_uid_users.stdout_lines }}"
  when:
      - rhel_08_020240
  tags:
      - RHEL-08-020240
      - CAT2
      - CCI-000764
      - SRG-OS-000104-GPOS-00051
      - SV-230371r627750_rule
      - V-230371
      - user

- name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts."
  block:
      - name: "MEDIUM | RHEL-08-020250 | AUDIT | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Find pam_sss.so in smartcard-auth"
        ansible.builtin.shell: grep 'auth       sufficient pam_sss.so' /etc/pam.d/smartcard-auth
        changed_when: false
        failed_when: false
        register: rhel_08_020250_sc_auth_sss

      - name: "MEDIUM | RHEL-08-020250 | AUDIT | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Find pam_sss.so in system-auth"
        ansible.builtin.shell: grep 'auth       [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so' /etc/pam.d/system-auth
        changed_when: false
        failed_when: false
        register: rhel_08_020250_system_auth_sss

      - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_cert_aut in sssd.conf"
        ansible.builtin.lineinfile:
            path: "{{ rhel8stig_sssd_conf }}"
            regexp: "{{ item.regexp }}"
            line: "{{ item.line }}"
            insertafter: "{{ item.insertafter }}"
            owner: root
            group: root
            mode: 'u-x,go-rwx'
        notify: restart sssd
        with_items:
            - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' }
            - { regexp: '^pam_cert_auth =', insertafter: '\[pam\]', line: 'pam_cert_auth = True' }

      - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if doesn't exist in smartcard-auth"
        ansible.builtin.lineinfile:
            path: /etc/pam.d/smartcard-auth
            line: auth       sufficient pam_sss.so try_cert_auth
            owner: root
            group: root
            mode: 'u-x,go-wx'
        notify: restart sssd
        when: rhel_08_020250_sc_auth_sss.stdout | length == 0

      - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if does exist in smartcard-auth"
        community.general.pamd:
            name: /etc/pam.d/smartcard-auth
            state: updated
            type: auth
            control: sufficient
            module_path: pam_sss.so
            module_arguments: 'try_cert_auth'
        notify: restart sssd
        when: rhel_08_020250_sc_auth_sss.stdout | length > 0

      - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if doesn't exist in system-auth"
        community.general.pamd:
            name: /etc/pam.d/system-auth
            state: after
            type: auth
            control: required
            module_path: pam_env.so
            new_type: auth
            new_control: '[success=done authinfo_unavail=ignore ignore=ignore default=die]'
            new_module_path: pam_sss.so
            module_arguments: try_cert_auth
        notify: restart sssd
        when: rhel_08_020250_system_auth_sss.stdout | length == 0

      - name: "MEDIUM | RHEL-08-020250 | PATCH | RHEL 8 must implement smart card logon for multifactor authentication for access to interactive accounts. | Set pam_sss.so if does exist in system-auth"
        community.general.pamd:
            name: /etc/pam.d/system-auth
            state: updated
            type: auth
            control: '[success=done authinfo_unavail=ignore ignore=ignore default=die]'
            module_path: pam_env.so
            module_arguments: try_cert_auth
        notify: restart sssd
        when: rhel_08_020250_system_auth_sss.stdout | length > 0
  when:
      - rhel_08_020250
      - rhel8stig_sssd_conf_present.stat.exists
  tags:
      - RHEL-08-020250
      - CAT2
      - CCI-000765
      - SRG-OS-000105-GPOS-00052
      - SV-230372r942945_rule
      - V-230372
      - pamd

- name: "MEDIUM | RHEL-08-20260 | PATCH | RHEL 8 account identifiers (individuals, groups, roles, and devices) must disabled after 35 days of inactivity."
  ansible.builtin.shell: useradd -D -f 35
  when:
      - rhel_08_020260
  tags:
      - RHEL-08-020260
      - CAT2
      - CCI-000795
      - SRG-OS-000118-GPOS-00060
      - SV-230373r627750_rule
      - V-230373
      - useradd

- name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 must automatically expire temporary accounts within 72 hours."
  block:
      - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 must automatically expire temporary accounts within 72 hours."
        ansible.builtin.shell: "awk -F: '{if ($3 <= {{ rhel8stig_interactive_uid_start }}) { print $1 }}' /etc/passwd"
        changed_when: false
        failed_when: false
        register: rhel_08_020270_system_users

      - name: "MEDIUM | RHEL-08-020270 | AUDIT | RHEL 8 must automatically expire temporary accounts within 72 hours."
        ansible.builtin.debug:
            msg:
                - "WARNING!! Below are the system accounts. If any where emergency accounts plese make sure they are removed or disabled after the crisis is resovled or within 72 hours"
                - "{{ rhel_08_020270_system_users.stdout_lines }}"
  when:
      - rhel_08_020270
  tags:
      - RHEL-08-020270
      - CAT2
      - CCI-001682
      - SRG-OS-000123-GPOS-00064
      - SV-230374r903129_rule
      - V-230374
      - user

- name: "MEDIUM | RHEL-08-020280 | PATCH | All RHEL 8 passwords must contain at least one special character."
  ansible.builtin.lineinfile:
      path: /etc/security/pwquality.conf
      regexp: '^#?\s*ocredit'
      line: "ocredit = {{ rhel8stig_password_complexity.ocredit | default('-1') }}"
      create: true
      owner: root
      group: root
      mode: "{{ rhel8stig_pwquality_file_perms }}"
  when:
      - rhel_08_020280
  tags:
      - RHEL-08-020280
      - CAT2
      - CCI-001619
      - SRG-OS-000266-GPOS-00101
      - SV-230375r858787_rule
      - V-230375
      - pwquality

- name: "MEDIUM | RHEL-08-020290 | PATCH | The RHEL 8 must prohibit the use of cached authentications after one day."
  ansible.builtin.lineinfile:
      path: "{{ rhel8stig_sssd_conf }}"
      regexp: "{{ item.regexp }}"
      line: "{{ item.line }}"
      insertafter: "{{ item.insertafter }}"
      owner: root
      group: root
      mode: 'u-x,go-rwx'
  with_items:
      - { regexp: '^\[pam\]', insertafter: 'EOF', line: '[pam]' }
      - { regexp: '^offline_credentials_expiration =', insertafter: '\[pam\]', line: 'offline_credentials_expiration = 1' }
  when:
      - rhel_08_020290
      - rhel8stig_sssd_conf_present.stat.exists
  tags:
      - RHEL-08-020290
      - CAT2
      - CCI-002007
      - SRG-OS-000383-GPOS-00166
      - SV-230376r942948_rule
      - V-230376
      - sssd

- name: "MEDIUM | RHEL-08-020300 | PATCH | RHEL 8 must prevent the use of dictionary words for passwords."
  ansible.builtin.lineinfile:
      path: /etc/security/pwquality.conf
      regexp: '^#?\s*dictcheck'
      line: "dictcheck = {{ rhel8stig_password_complexity.dictcheck | default('1') }}"
      create: true
      owner: root
      group: root
      mode: "{{ rhel8stig_pwquality_file_perms }}"
  when:
      - rhel_08_020300
  tags:
      - RHEL-08-020300
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00225
      - SV-230377r858789_rule
      - V-230377
      - pwquality

- name: "MEDIUM | RHEL-08-020310 | PATCH | RHEL 8 must enforce a delay of at least four seconds between logon prompts following a failed logon attempt."
  ansible.builtin.lineinfile:
      dest: /etc/login.defs
      regexp: ^#?FAIL_DELAY
      line: "FAIL_DELAY {{ rhel8stig_login_defaults.fail_delay_secs | default('4') }}"
      owner: root
      group: root
      mode: "{{ rhel8stig_login_defs_file_perms }}"
  when:
      - rhel_08_020310
  tags:
      - RHEL-08-020310
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00226
      - SV-230378r627750_rule
      - V-230378
      - login

- name: "MEDIUM | RHEL-08-020320 | PATCH | RHEL 8 must not have unnecessary accounts."
  block:
      - name: "MEDIUM | RHEL-08-020320 | AUDIT | RHEL 8 must not have unnecessary accounts. | Find unnecessary accounts"
        ansible.builtin.shell: "grep '^{{ item }}:' /etc/passwd"
        check_mode: false
        failed_when: rhel_08_020320_unnecessary_accounts_found.rc > 1
        changed_when: rhel_08_020320_unnecessary_accounts_found.rc == 0
        register: rhel_08_020320_unnecessary_accounts_found
        with_items: "{{ rhel8stig_unnecessary_accounts }}"

      - name: "MEDIUM | RHEL-08-020320 | PATCH | RHEL 8 must not have unnecessary accounts. | Remove accounts"
        ansible.builtin.user:
            name: "{{ item }}"
            state: absent
            remove: "{{ rhel8stig_remove_unnecessary_user_files }}"
        register: rhel_08_020320_accounts_removed
        with_items: "{{ rhel8stig_unnecessary_accounts }}"

      - name: "MEDIUM | RHEL-08-020320 | AUDIT | RHEL 8 must not have unnecessary accounts. | Re-parse passwd file"
        ansible.builtin.include_tasks: parse_etc_passwd.yml
        vars:
            rhel8stig_passwd_tasks: "RHEL-08-020320"  # pragma: allowlist secret
        when: rhel_08_020320_accounts_removed is changed  # noqa no-handler
  when:
      - rhel_08_020320
  tags:
      - RHEL-08-020320
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230379r627750_rule
      - V-230379
      - accounts

- name: "MEDIUM | RHEL-08-020350 | PATCH | RHEL 8 must display the date and time of the last successful account logon upon an SSH logon."
  ansible.builtin.lineinfile:
      path: /etc/ssh/sshd_config
      regexp: '(?i)^(#PrintLastLog yes?|^#?.rintLastLog no)'
      line: 'PrintLastLog yes'
      validate: /usr/sbin/sshd -t -f %s
  notify: restart sshd
  when:
      - rhel_08_020350
      - rhel8stig_ssh_required
  tags:
      - RHEL-08-020350
      - CAT2
      - CCI-000052
      - SRG-OS-000480-GPOS-00227
      - SV-230382r951614_rule
      - V-230382
      - ssh

- name: "MEDIUM | RHEL-08-020351 | PATCH |  RHEL 8 must define default permissions for all authenticated users in such a way that the user can only read and modify their own files."
  ansible.builtin.lineinfile:
      path: /etc/login.defs
      regexp: ^#?UMASK.*
      line: "UMASK           {{ rhel8stig_login_defaults.umask | default('077') }}"
      owner: root
      group: root
      mode: "{{ rhel8stig_login_defs_file_perms }}"
  when:
      - rhel_08_020351
  tags:
      - RHEL-08-020351
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00228
      - SV-230383r627750_rule
      - V-230383
      - login
      - umask

- name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts."
  block:
      - name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts. | Find umask files"
        ansible.builtin.find:
            paths: "{{ item }}"
            patterns: '^\.'
            contains: 'umask'
            recurse: true
            hidden: true
            use_regex: true
        register: rhel8stig_020352_file
        loop: "{{ discovered_interactive_users_home.stdout_lines }}"

      - name: "MEDIUM | RHEL-08-020352 | PATCH | RHEL 8 must set the umask value to 077 for all local interactive user accounts. | Remove umask param"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: "umask\\s+(?!{{ rhel8stig_login_defaults.umask | default('077') }})"
            state: absent
        loop: "{{ rhel8stig_020352_file.stdout_lines }}"
        when:
            - rhel8stig_020352_file.stdout_lines is defined
  when:
      - rhel_08_020352
  tags:
      - RHEL-08-020352
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00228
      - SV-230384r858732_rule
      - V-230384
      - umask

- name: "MEDIUM | RHEL-08-020353 | PATCH | RHEL 8 must define default permissions for logon and non-logon shells."
  ansible.builtin.replace:
      path: "{{ item }}"
      regexp: 'umask\s\d\d\d'
      replace: "umask {{ rhel8stig_login_defaults.umask | default('077') }}"
  with_items:
      - /etc/bashrc
      - /etc/csh.cshrc
      - /etc/profile
  when:
      - rhel_08_020353
  tags:
      - RHEL-08-020353
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230385r792902_rule
      - V-230385
      - umask

- name: "MEDIUM | RHEL-08-030000 | PATCH | The RHEL 8 audit system must be configured to audit the execution of privileged functions and prevent all software from executing at higher privilege levels than users executing the software."
  ansible.builtin.debug:
      msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  changed_when: true
  notify: update auditd
  when:
      - rhel_08_030000
  tags:
      - RHEL-08-030000
      - CAT2
      - CCI-002233
      - SRG-OS-000326-GPOS-00126
      - SV-230386r627750_rule
      - V-230386
      - auditd

- name: "MEDIUM | RHEL-08-030010 | PATCH | Cron logging must be implemented in RHEL 8."
  ansible.builtin.lineinfile:
      path: /etc/rsyslog.conf
      regexp: '^cron.*'
      line: 'cron.*                                                  /var/log/cron'
  when:
      - rhel_08_030010
  tags:
      - RHEL-08-030010
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230387r743996_rule
      - V-230387
      - cron
      - rsyslog

- name: "MEDIUM | RHEL-08-030020 | PATCH | The RHEL 8 System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) must be alerted of an audit processing failure event."
  ansible.builtin.lineinfile:
      path: /etc/audit/auditd.conf
      regexp: '^action_mail_acct ='
      line: "action_mail_acct = {{ rhel8stig_auditd_mail_acct }}"
  register: rhel_08_030020_action_mail_acct_result
  failed_when:
      - rhel_08_030020_action_mail_acct_result is failed
      - rhel_08_030020_action_mail_acct_result.rc != 257
  when:
      - rhel_08_030020
  tags:
      - RHEL-08-030020
      - CAT2
      - CCI-000139
      - SRG-OS-000046-GPOS-00022
      - SV-230388r627750_rule
      - V-230388
      - auditd

- name: "MEDIUM | RHEL-08-030030 | PATCH | The RHEL 8 Information System Security Officer (ISSO) and System Administrator (SA) (at a minimum) must have mail aliases to be notified of an audit processing failure."
  ansible.builtin.lineinfile:
      path: /etc/aliases
      regexp: '^postmaster:'
      line: 'postmaster:     root'
  when:
      - rhel_08_030030
  tags:
      - RHEL-08-030030
      - CAT2
      - CCI-000139
      - SRG-OS-000046-GPOS-00022
      - SV-230389r627750_rule
      - V-230389
      - aliases

- name: "MEDIUM | RHEL-08-030040 | PATCH | The RHEL 8 System must take appropriate action when an audit processing failure occurs."
  ansible.builtin.lineinfile:
      path: /etc/audit/auditd.conf
      regexp: '^disk_error_action ='
      line: "disk_error_action = {{ rhel8stig_auditd_disk_error_action }}"
  when:
      - rhel_08_030040
  tags:
      - RHEL-08-030040
      - CAT2
      - CCI-000140
      - SRG-OS-000047-GPOS-00023
      - SV-230390r627750_rule
      - V-230390
      - auditd

- name: "MEDIUM | RHEL-08-030060 | PATCH | The RHEL 8 audit system must take appropriate action when the audit storage volume is full."
  ansible.builtin.lineinfile:
      path: /etc/audit/auditd.conf
      regexp: '^disk_full_action ='
      line: "disk_full_action = {{ rhel8stig_auditd_disk_full_action }}"
  when:
      - rhel_08_030060
  tags:
      - RHEL-08-030060
      - CAT2
      - CCI-000140
      - SRG-OS-000047-GPOS-00023
      - SV-230392r627750_rule
      - V-230392
      - auditd

- name: "MEDIUM | RHEL-08-030061 | PATCH | The RHEL 8 audit system must audit local events."
  ansible.builtin.lineinfile:
      path: /etc/audit/auditd.conf
      regexp: '^local_events ='
      line: "local_events = yes"
  when:
      - rhel_08_030061
  tags:
      - RHEL-08-030061
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230393r627750_rule
      - V-230393
      - auditd

- name: "MEDIUM | RHEL-08-030062 | PATCH | RHEL 8 must label all off-loaded audit logs before sending them to the central log server."
  ansible.builtin.lineinfile:
      path: /etc/audit/auditd.conf
      regexp: '^name_format ='
      line: "name_format = hostname"
  notify: restart auditd
  when:
      - rhel_08_030062
  tags:
      - RHEL-08-030062
      - CAT2
      - CCI-001851
      - SRG-OS-000342-GPOS-00133
      - SV-230394r627750_rule
      - V-230394
      - auditd

- name: "MEDIUM | RHEL-08-030070 | PATCH | RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access."
  block:
      - name: "MEDIUM | RHEL-08-030070 | AUDIT | RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access. | logfile location"
        ansible.builtin.shell: grep -iw log_file /etc/audit/auditd.conf | awk '{print $NF}'
        register: rhel08_030070_auditlog_location
        changed_when: false

      - name: "MEDIUM | RHEL-08-030070 | AUDIT | RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access. | check file exists"
        ansible.builtin.stat:
            path: "{{ rhel08_030070_auditlog_location.stdout }}"
        register: rhel08_030070_auditlog

      - name: "MEDIUM | RHEL-08-030070 | PATCH | RHEL 8 audit logs must have a mode of 0600 or less permissive to prevent unauthorized read access. | logfile location"
        ansible.builtin.file:
            path: "{{ rhel08_030070_auditlog_location.stdout }}"
            state: "{{ (rhel08_030070_auditlog.stat.exists) | ternary('file', 'touch') }}"
            mode: 'o-x,go-rwx'
  when:
      - rhel_08_030070
  tags:
      - RHEL-08-030070
      - CAT2
      - CCI-000162
      - SRG-OS-000057-GPOS-00027
      - SV-230396r902733_rule
      - V-230396
      - permissions
      - log
      - auditd

- name: "MEDIUM | RHEL-08-030080 | PATCH | RHEL 8 audit logs must be owned by root to prevent unauthorized read access."
  block:
      - name: "MEDIUM | RHEL-08-030080 | AUDIT | RHEL 8 audit logs must be owned by root to prevent unauthorized read access. | Get audit log file"
        ansible.builtin.shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" "
        changed_when: false
        failed_when: false
        register: rhel8stig_030080_audit_log_file

      - name: "MEDIUM | RHEL-08-030080 | PATCH | RHEL 8 audit logs must be owned by root to prevent unauthorized read access. | Set audit log owner"
        ansible.builtin.file:
            path: "{{ rhel8stig_030080_audit_log_file.stdout }}"
            owner: root
        when: rhel8stig_030080_audit_log_file.stdout | length > 0
  when:
      - rhel_08_030080
  tags:
      - RHEL-08-030080
      - CAT2
      - CCI-000162
      - SRG-OS-000057-GPOS-00027
      - SV-230397r627750_rule
      - V-230397
      - permissions
      - log
      - auditd

- name: "MEDIUM | RHEL-08-030090 | PATCH | RHEL 8 audit logs must be group-owned by root to prevent unauthorized read access."
  ansible.builtin.lineinfile:
      path: /etc/audit/auditd.conf
      regexp: '^log_group'
      line: "log_group = root"
  when:
      - rhel_08_030090
  tags:
      - RHEL-08-030090
      - CAT2
      - CCI-000162
      - SRG-OS-000057-GPOS-00027
      - SV-230398r627750_rule
      - V-230398
      - permissions
      - log
      - auditd

- name: "MEDIUM | RHEL-08-030100 | PATCH | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access."
  block:
      - name: "MEDIUM | RHEL-08-030100 | AUDIT | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access. | Get audit log directory"
        ansible.builtin.shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,'
        changed_when: false
        failed_when: false
        register: rhel_08_030100_audit_log_dir

      - name: "MEDIUM | RHEL-08-030100 | PATCH | RHEL 8 audit log directory must be owned by root to prevent unauthorized read access. | Set audit log dir owner"
        ansible.builtin.file:
            path: "{{ rhel_08_030100_audit_log_dir.stdout }}"
            owner: root
            state: directory
        when: rhel_08_030100_audit_log_dir.stdout | length > 0
        tags:
            - skip_ansible_lint
  when:
      - rhel_08_030100
  tags:
      - RHEL-08-030100
      - CAT2
      - CCI-000162
      - SRG-OS-000057-GPOS-00027
      - SV-230399r627750_rule
      - V-230399
      - permissions
      - log
      - auditd

- name: "MEDIUM | RHEL-08-030110 | PATCH | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access."
  block:
      - name: "MEDIUM | RHEL-08-030110 | AUDIT | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. | Get audit log directory"
        ansible.builtin.shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,'
        changed_when: false
        failed_when: false
        register: rhel_08_030110_audit_log_dir

      - name: "MEDIUM | RHEL-08-030110 | PATCH | RHEL 8 audit log directory must be group-owned by root to prevent unauthorized read access. | Set audit log dir group"
        ansible.builtin.file:
            path: "{{ rhel_08_030110_audit_log_dir.stdout }}"
            group: root
            state: directory
        when: rhel_08_030110_audit_log_dir.stdout | length > 0
        tags:
            - skip_ansible_lint
  when:
      - rhel_08_030110
  tags:
      - skip_ansible_lint
      - RHEL-08-030110
      - CAT2
      - CCI-000162
      - SRG-OS-000057-GPOS-00027
      - SV-230400r627750_rule
      - V-230400
      - permissions
      - log
      - auditd

- name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0700 or less permissive to prevent unauthorized read access."
  block:
      - name: "MEDIUM | RHEL-08-030120 | AUDIT | RHEL 8 audit log directories must have a mode of 700 or less permissive to prevent unauthorized read access. | Get audit log directory"
        ansible.builtin.shell: grep -iw log_file /etc/audit/auditd.conf | cut -f3 -d" " | sed 's,/*[^/]\+/*$,,'
        changed_when: false
        failed_when: false
        register: rhel_08_030120_audit_log_dir

      - name: "MEDIUM | RHEL-08-030120 | PATCH | RHEL 8 audit log directories must have a mode of 0700 or less permissive to prevent unauthorized read access. | Set audit log dir perms"
        ansible.builtin.file:
            path: "{{ rhel_08_030120_audit_log_dir.stdout }}"
            mode: 'go-rwx'
            state: directory
        when: rhel_08_030120_audit_log_dir.stdout | length > 0
  when:
      - rhel_08_030120
  tags:
      - RHEL-08-030120
      - CAT2
      - CCI-000162
      - SRG-OS-000057-GPOS-00027
      - SV-230401r627750_rule
      - V-230401
      - permissions
      - log
      - auditd

- name: "MEDIUM | RHEL-08-030121 | PATCH | RHEL 8 audit system must protect auditing rules from unauthorized change."
  ansible.builtin.lineinfile:
      path: /etc/audit/rules.d/audit.rules
      regexp: '^-e '
      line: "-e 2"
  when:
      - rhel_08_030121
  tags:
      - RHEL-08-030121
      - CAT2
      - CCI-000162
      - SRG-OS-000057-GPOS-00027
      - SV-230402r627750_rule
      - V-230402
      - auditd

- name: "MEDIUM | RHEL-08-030122 | PATCH | RHEL 8 audit system must protect logon UIDs from unauthorized change."
  ansible.builtin.lineinfile:
      path: /etc/audit/rules.d/audit.rules
      regexp: '^--loginuid-'
      line: "--loginuid-immutable"
  when:
      - rhel_08_030122
  tags:
      - RHEL-08-030122
      - CAT2
      - CCI-000162
      - SRG-OS-000057-GPOS-00027
      - SV-230403r627750_rule
      - V-230403
      - auditd

- name: "MEDIUM | RHEL-08-030130 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/shadow."
  ansible.builtin.lineinfile:
      path: /etc/audit/rules.d/audit.rules
      regexp: '^-w /etc/shadow'
      line: '-w /etc/shadow -p wa -k identity'
  notify: restart auditd
  when:
      - rhel_08_030130
  tags:
      - RHEL-08-030130
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230404r627750_rule
      - V-230404
      - auditd

- name: "MEDIUM | RHEL-08-030140 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/security/opasswd."
  ansible.builtin.lineinfile:
      path: /etc/audit/rules.d/audit.rules
      regexp: '^-w /etc/security/opasswd'
      line: -w /etc/security/opasswd -p wa -k identity
  notify: restart auditd
  when:
      - rhel_08_030140
  tags:
      - RHEL-08-030140
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230405r627750_rule
      - V-230405
      - auditd

- name: "MEDIUM | RHEL-08-030150 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/passwd."
  ansible.builtin.lineinfile:
      path: /etc/audit/rules.d/audit.rules
      regexp: '^-w /etc/passwd'
      line: -w /etc/passwd -p wa -k identity
  notify: restart auditd
  when:
      - rhel_08_030150
  tags:
      - RHEL-08-030150
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230406r627750_rule
      - V-230406
      - auditd

- name: "MEDIUM | RHEL-08-030160 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/gshadow."
  ansible.builtin.lineinfile:
      path: /etc/audit/rules.d/audit.rules
      regexp: '^-w /etc/gshadow'
      line: -w /etc/gshadow -p wa -k identity
  notify: restart auditd
  when:
      - rhel_08_030160
  tags:
      - RHEL-08-030160
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230407r627750_rule
      - V-230407
      - auditd

- name: "MEDIUM | RHEL-08-030170 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/group."
  ansible.builtin.lineinfile:
      path: /etc/audit/rules.d/audit.rules
      regexp: '^-w /etc/group'
      line: -w /etc/group -p wa -k identity
  notify: restart auditd
  when:
      - rhel_08_030170
  tags:
      - RHEL-08-030170
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230408r627750_rule
      - V-230408
      - auditd

- name: "MEDIUM | RHEL-08-030171 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers."
  ansible.builtin.lineinfile:
      path: /etc/audit/rules.d/audit.rules
      regexp: '^-w /etc/sudoers '
      line: -w /etc/sudoers -p wa -k identity
  notify: restart auditd
  when:
      - rhel_08_030171
  tags:
      - RHEL-08-030171
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230409r627750_rule
      - V-230409
      - auditd

- name: "MEDIUM | RHEL-08-030172 | PATCH | RHEL 8 must generate audit records for all account creations, modifications, disabling, and termination events that affect /etc/sudoers.d/."
  ansible.builtin.lineinfile:
      path: /etc/audit/rules.d/audit.rules
      regexp: '^-w /etc/sudoers.d/'
      line: -w /etc/sudoers.d/ -p wa -k identity
  notify: restart auditd
  when:
      - rhel_08_030172
  tags:
      - RHEL-08-030172
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230410r627750_rule
      - V-230410
      - auditd

- name: "MEDIUM | RHEL-08-030180 | PATCH | The RHEL 8 audit package must be installed."
  ansible.builtin.package:
      name: audit
      state: present
  when:
      - rhel_08_030180
  tags:
      - rhel_08_030180
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230411r744000_rule
      - V-230411
      - dnf
      - auditd

- name: "MEDIUM | RHEL-08-030181 | PATCH | RHEL 8 audit records must contain information to establish what type of events occurred, the source of events, where events occurred, and the outcome of events."
  ansible.builtin.service:
      name: auditd
      enabled: true
  notify: restart auditd
  when:
      - rhel_08_030181
  tags:
      - RHEL-08-030181
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-244542r818838_rule
      - V-244542
      - auditd

- name: "MEDIUM | RHEL-08-030190 | PATCH | Successful/unsuccessful uses of the su command in RHEL 8 must generate an audit record."
  ansible.builtin.debug:
      msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  changed_when: true
  notify: update auditd
  when:
      - rhel_08_030190
  tags:
      - RHEL-08-030190
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230412r627750_rule
      - V-230412
      - auditd

- name: "MEDIUM | RHEL-08-030200 | PATCH | The RHEL 8 audit system must be configured to audit any usage of the lremovexattr system call."
  ansible.builtin.debug:
      msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  changed_when: true
  notify: update auditd
  when:
      - rhel_08_030200
  tags:
      - RHEL-08-030200
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230413r810463_rule
      - V-230413
      - auditd

- name: "MEDIUM | RHEL-08-030250 | PATCH | Successful/unsuccessful uses of the chage command in RHEL 8 must generate an audit record."
  ansible.builtin.debug:
      msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  changed_when: true
  notify: update auditd
  when:
      - rhel_08_030250
  tags:
      - RHEL-08-030250
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230418r627750_rule
      - V-230418
      - auditd

- name: "MEDIUM | RHEL-08-030260 | PATCH | Successful/unsuccessful uses of the chcon command in RHEL 8 must generate an audit record."
  ansible.builtin.debug:
      msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  changed_when: true
  notify: update auditd
  when:
      - rhel_08_030260
  tags:
      - RHEL-08-030260
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230419r627750_rule
      - V-230419
      - auditd

- name: "MEDIUM | RHEL-08-030280 | PATCH | Successful/unsuccessful uses of the ssh-agent in RHEL 8 must generate an audit record."
  ansible.builtin.debug:
      msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  changed_when: true
  notify: update auditd
  when:
      - rhel_08_030280
  tags:
      - RHEL-08-030280
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230421r627750_rule
      - V-230421
      - auditd

- name: "MEDIUM | RHEL-08-030290 | PATCH | Successful/unsuccessful uses of the passwd command in RHEL 8 must generate an audit record."
  ansible.builtin.debug:
      msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  changed_when: true
  notify: update auditd
  when:
      - rhel_08_030290
  tags:
      - RHEL-08-030290
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230422r627750_rule
      - V-230422
      - auditd

- name: "MEDIUM | RHEL-08-030300 | PATCH | Successful/unsuccessful uses of the mount command in RHEL 8 must generate an audit record."
  ansible.builtin.debug:
      msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  changed_when: true
  notify: update auditd
  when:
      - rhel_08_030300
  tags:
      - RHEL-08-030300
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230423r627750_rule
      - V-230423
      - auditd

- name: "MEDIUM | RHEL-08-030301 | PATCH | Successful/unsuccessful uses of the umount command in RHEL 8 must generate an audit record."
  ansible.builtin.debug:
      msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  changed_when: true
  notify: update auditd
  when:
      - rhel_08_030301
  tags:
      - RHEL-08-030301
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230424r627750_rule
      - V-230424
      - auditd

- name: "MEDIUM | RHEL-08-030302 | PATCH | Successful/unsuccessful uses of the mount syscall in RHEL 8 must generate an audit record."
  ansible.builtin.debug:
      msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  changed_when: true
  notify: update auditd
  when:
      - rhel_08_030302
  tags:
      - RHEL-08-030302
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230425r627750_rule
      - V-230425
      - auditd

- name: "MEDIUM | RHEL-08-030310 | PATCH | Successful/unsuccessful uses of the unix_update in RHEL 8 must generate an audit record."
  ansible.builtin.debug:
      msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  changed_when: true
  notify: update auditd
  when:
      - rhel_08_030310
  tags:
      - RHEL-08-030310
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230426r627750_rule
      - V-230426
      - auditd

- name: "MEDIUM | RHEL-08-030311 | PATCH | Successful/unsuccessful uses of postdrop in RHEL 8 must generate an audit record."
  ansible.builtin.debug:
      msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  changed_when: true
  notify: update auditd
  when:
      - rhel_08_030311
  tags:
      - RHEL-08-030311
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230427r627750_rule
      - V-230427
      - auditd

- name: "MEDIUM | RHEL-08-030312 | PATCH | Successful/unsuccessful uses of postqueue in RHEL 8 must generate an audit record."
  ansible.builtin.debug:
      msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  changed_when: true
  notify: update auditd
  when:
      - rhel_08_030312
  tags:
      - RHEL-08-030312
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230428r627750_rule
      - V-230428
      - auditd

- name: "MEDIUM | RHEL-08-030313 | PATCH | Successful/unsuccessful uses of semanage in RHEL 8 must generate an audit record."
  ansible.builtin.debug:
      msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  changed_when: true
  notify: update auditd
  when:
      - rhel_08_030313
  tags:
      - RHEL-08-030313
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230429r627750_rule
      - V-230429
      - auditd

- name: "MEDIUM | RHEL-08-030314 | PATCH | Successful/unsuccessful uses of setfiles in RHEL 8 must generate an audit record."
  ansible.builtin.debug:
      msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  changed_when: true
  notify: update auditd
  when:
      - rhel_08_030314
  tags:
      - RHEL-08-030314
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230430r627750_rule
      - V-230430
      - auditd

- name: "MEDIUM | RHEL-08-030315 | PATCH | Successful/unsuccessful uses of userhelper in RHEL 8 must generate an audit record."
  ansible.builtin.debug:
      msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  changed_when: true
  notify: update auditd
  when:
      - rhel_08_030315
  tags:
      - RHEL-08-030315
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230431r627750_rule
      - V-230431
      - auditd

- name: "MEDIUM | RHEL-08-030316 | PATCH | Successful/unsuccessful uses of setsebool in RHEL 8 must generate an audit record."
  ansible.builtin.debug:
      msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  changed_when: true
  notify: update auditd
  when:
      - rhel_08_030316
  tags:
      - RHEL-08-030316
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230432r627750_rule
      - V-230432
      - auditd

- name: "MEDIUM | RHEL-08-030317 | PATCH | Successful/unsuccessful uses of unix_chkpwd in RHEL 8 must generate an audit record."
  ansible.builtin.debug:
      msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  changed_when: true
  notify: update auditd
  when:
      - rhel_08_030317
  tags:
      - RHEL-08-030317
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230433r627750_rule
      - V-230433
      - auditd

- name: "MEDIUM | RHEL-08-030320 | PATCH | Successful/unsuccessful uses of the ssh-keysign in RHEL 8 must generate an audit record."
  ansible.builtin.debug:
      msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  changed_when: true
  notify: update auditd
  when:
      - rhel_08_030320
  tags:
      - RHEL-08-030320
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230434r744002_rule
      - V-230434
      - auditd

- name: "MEDIUM | RHEL-08-030330 | PATCH | Successful/unsuccessful uses of the setfacl command in RHEL 8 must generate an audit record."
  ansible.builtin.debug:
      msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  changed_when: true
  notify: update auditd
  when:
      - rhel_08_030330
  tags:
      - RHEL-08-030330
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230435r627750_rule
      - V-230435
      - auditd

- name: "MEDIUM | RHEL-08-030340 | PATCH | Successful/unsuccessful uses of the pam_timestamp_check command in RHEL 8 must generate an audit record."
  ansible.builtin.debug:
      msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  changed_when: true
  notify: update auditd
  when:
      - rhel_08_030340
  tags:
      - RHEL-08-030340
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230436r627750_rule
      - V-230436
      - auditd

- name: "MEDIUM | RHEL-08-030350 | PATCH | Successful/unsuccessful uses of the newgrp command in RHEL 8 must generate an audit record."
  ansible.builtin.debug:
      msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  changed_when: true
  notify: update auditd
  when:
      - rhel_08_030350
  tags:
      - RHEL-08-030350
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230437r627750_rule
      - V-230437
      - auditd

- name: "MEDIUM | RHEL-08-030360 | PATCH | Successful/unsuccessful uses of the init_module command in RHEL 8 must generate an audit record."
  ansible.builtin.debug:
      msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  changed_when: true
  notify: update auditd
  when:
      - rhel_08_030360
  tags:
      - RHEL-08-030360
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230438r810464_rule
      - V-230438
      - auditd

- name: "MEDIUM | RHEL-08-030361 | PATCH | Successful/unsuccessful uses of the rename command in RHEL 8 must generate an audit record."
  ansible.builtin.debug:
      msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  changed_when: true
  notify: update auditd
  when:
      - rhel_08_030361
  tags:
      - RHEL-08-030361
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230439r810465_rule
      - V-230439
      - auditd

- name: "MEDIUM | RHEL-08-030370 | PATCH | Successful/unsuccessful uses of the gpasswd command in RHEL 8 must generate an audit record."
  ansible.builtin.debug:
      msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  changed_when: true
  notify: update auditd
  when:
      - rhel_08_030370
  tags:
      - RHEL-08-030370
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230444r627750_rule
      - V-230444
      - auditd

- name: "MEDIUM | RHEL-08-030390 | PATCH | Successful/unsuccessful uses of the delete_module command in RHEL 8 must generate an audit record."
  ansible.builtin.debug:
      msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  changed_when: true
  notify: update auditd
  when:
      - rhel_08_030390
  tags:
      - RHEL-08-030390
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230446r627750_rule
      - V-230446
      - auditd

- name: "MEDIUM | RHEL-08-030400 | PATCH | Successful/unsuccessful uses of the crontab command in RHEL 8 must generate an audit record."
  ansible.builtin.debug:
      msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  changed_when: true
  notify: update auditd
  when:
      - rhel_08_030400
  tags:
      - RHEL-08-030400
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230447r627750_rule
      - V-230447
      - auditd

- name: "MEDIUM | RHEL-08-030410 | PATCH | Successful/unsuccessful uses of the chsh command in RHEL 8 must generate an audit record."
  ansible.builtin.debug:
      msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  changed_when: true
  notify: update auditd
  when:
      - rhel_08_030410
  tags:
      - RHEL-08-030410
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230448r627750_rule
      - V-230448
      - auditd

- name: "MEDIUM | RHEL-08-030420 | PATCH | Successful/unsuccessful uses of the truncate command in RHEL 8 must generate an audit record."
  ansible.builtin.debug:
      msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  changed_when: true
  notify: update auditd
  when:
      - rhel_08_030420
  tags:
      - RHEL-08-030420
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230449r810455_rule
      - V-230449
      - auditd

- name: "MEDIUM | RHEL-08-030480 | PATCH | Successful/unsuccessful uses of the chown command in RHEL 8 must generate an audit record."
  ansible.builtin.debug:
      msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  changed_when: true
  notify: update auditd
  when:
      - rhel_08_030480
  tags:
      - RHEL-08-030480
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230455r810459_rule
      - V-230455
      - auditd

- name: "MEDIUM | RHEL-08-030490 | PATCH | Successful/unsuccessful uses of the chmod command in RHEL 8 must generate an audit record."
  ansible.builtin.debug:
      msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  changed_when: true
  notify: update auditd
  when:
      - rhel_08_030490
  tags:
      - RHEL-08-030490
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230456r810462_rule
      - V-230456
      - auditd

- name: "MEDIUM | RHEL-08-030550 | PATCH | Successful/unsuccessful uses of the sudo command in RHEL 8 must generate an audit record."
  ansible.builtin.debug:
      msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  changed_when: true
  notify: update auditd
  when:
      - rhel_08_030550
  tags:
      - RHEL-08-030550
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230462r627750_rule
      - V-230462
      - auditd

- name: "MEDIUM | RHEL-08-030560 | PATCH | Successful/unsuccessful uses of the usermod command in RHEL 8 must generate an audit record."
  ansible.builtin.debug:
      msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  changed_when: true
  notify: update auditd
  when:
      - rhel_08_030560
  tags:
      - RHEL-08-030560
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230463r627750_rule
      - V-230463
      - auditd

- name: "MEDIUM | RHEL-08-030570 | PATCH | Successful/unsuccessful uses of the chacl command in RHEL 8 must generate an audit record."
  ansible.builtin.debug:
      msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  changed_when: true
  notify: update auditd
  when:
      - rhel_08_030570
  tags:
      - RHEL-08-030570
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230464r627750_rule
      - V-230464
      - auditd

- name: "MEDIUM | RHEL-08-030580 | PATCH | Successful/unsuccessful uses of the kmod command in RHEL 8 must generate an audit record."
  ansible.builtin.debug:
      msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  changed_when: true
  notify: update auditd
  when:
      - rhel_08_030580
  tags:
      - RHEL-08-030580
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230465r627750_rule
      - V-230465
      - auditd

- name: "MEDIUM | RHEL-08-030590 | PATCH | Successful/unsuccessful modifications to the faillock log file in RHEL 8 must generate an audit record."
  ansible.builtin.debug:
      msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  changed_when: true
  notify: update auditd
  when:
      - rhel_08_030590
  tags:
      - RHEL-08-030590
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230466r627750_rule
      - V-230466
      - auditd

- name: "MEDIUM | RHEL-08-030600 | PATCH | Successful/unsuccessful modifications to the lastlog file in RHEL 8 must generate an audit record."
  ansible.builtin.debug:
      msg: "Control being set via Handler 'update auditd' which writes to /etc/audit.d/99_auditd.rules"
  changed_when: true
  notify: update auditd
  when:
      - rhel_08_030600
  tags:
      - RHEL-08-030600
      - CAT2
      - CCI-000169
      - SRG-OS-000062-GPOS-00031
      - SV-230467r627750_rule
      - V-230467
      - auditd

- name: "MEDIUM | RHEL-08-030610 | PATCH | RHEL 8 must allow only the Information System Security Manager (ISSM) (or individuals or roles appointed by the ISSM) to select which auditable events are to be audited."
  ansible.builtin.file:
      path: "{{ item }}"
      mode: 'u-x,g-wx,o-rwx'
  with_items:
      - /etc/audit/rules.d/audit.rules
      - /etc/audit/auditd.conf
  when:
      - rhel_08_030610
  tags:
      - RHEL-08-030610
      - CAT2
      - CCI-000171
      - SRG-OS-000063-GPOS-00032
      - SV-230471r627750_rule
      - V-230471
      - permissions
      - auditd

- name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive."
  block:
      - name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive. | Find toosl with less than 755 perms"
        ansible.builtin.shell: stat -c "%a %n" /sbin/auditctl /sbin/aureport /sbin/ausearch /sbin/autrace /sbin/auditd /sbin/audisp-remote /sbin/audisp-syslog /sbin/augenrules | cut -f2 -d" "
        changed_when: false
        failed_when: false
        register: rhel_08_030620_tools

      - name: "MEDIUM | RHEL-08-030620 | PATCH | RHEL 8 audit tools must have a mode of 0755 or less permissive. | Set permissions to 755 on tools"
        ansible.builtin.file:
            path: "{{ item }}"
            mode: 'go-w'
        with_items:
            - "{{ rhel_08_030620_tools.stdout_lines }}"
  when:
      - rhel_08_030620
  tags:
      - RHEL-08-030620
      - CAT2
      - CCI-001493
      - SRG-OS-000256-GPOS-00097
      - SV-230472r627750_rule
      - V-230472
      - permissions
      - auditd

- name: "MEDIUM | RHEL-08-030630 | PATCH | RHEL 8 audit tools must be owned by root."
  ansible.builtin.file:
      path: "{{ item }}"
      owner: root
  with_items:
      - /sbin/auditctl
      - /sbin/aureport
      - /sbin/ausearch
      - /sbin/autrace
      - /sbin/auditd
      - /sbin/audisp-remote
      - /sbin/audisp-syslog
      - /sbin/augenrules
  when:
      - rhel_08_030630
  tags:
      - RHEL-08-030630
      - CAT2
      - CCI-001493
      - SRG-OS-000256-GPOS-00097
      - SV-230473r744008_rule
      - V-230473
      - permissions
      - auditd

- name: "MEDIUM | RHEL-08-030640 | PATCH | RHEL 8 audit tools must be group-owned by root."
  ansible.builtin.file:
      path: "{{ item }}"
      owner: root
  with_items:
      - /sbin/auditctl
      - /sbin/aureport
      - /sbin/ausearch
      - /sbin/autrace
      - /sbin/auditd
      - /sbin/audisp-remote
      - /sbin/audisp-syslog
      - /sbin/augenrules
  when:
      - rhel_08_030640
  tags:
      - RHEL-08-030640
      - CAT2
      - CCI-00149
      - SRG-OS-000256-GPOS-00097
      - SV-230474r627750_rule
      - V-230474
      - permissions
      - auditd

- name: "MEDIUM | RHEL-08-030650 | PATCH | RHEL 8 must use cryptographic mechanisms to protect the integrity of audit tools."
  ansible.builtin.lineinfile:
      path: /etc/aide.conf
      line: "{{ item }}"
      owner: root
      group: root
      mode: 'u-x,go-rwx'
  with_items:
      - "# Audit Tools"
      - /usr/sbin/auditctl p+i+n+u+g+s+b+acl+xattrs+sha512
      - /usr/sbin/auditd p+i+n+u+g+s+b+acl+xattrs+sha512
      - /usr/sbin/ausearch p+i+n+u+g+s+b+acl+xattrs+sha512
      - /usr/sbin/aureport p+i+n+u+g+s+b+acl+xattrs+sha512
      - /usr/sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512
      - /usr/sbin/rsyslogd p+i+n+u+g+s+b+acl+xattrs+sha512
      - /usr/sbin/augenrules p+i+n+u+g+s+b+acl+xattrs+sha512
  when:
      - rhel_08_030650
  tags:
      - RHEL-08-030650
      - CAT2
      - CCI-001496
      - SRG-OS-000278-GPOS-00108
      - SV-230475r880722_rule
      - V-230475
      - aide

- name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility."
  block:
      - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. | Get audit log partition"
        ansible.builtin.shell: grep log_file /etc/audit/auditd.conf | grep -v max | awk '{print $3}' | sed 's|\(.*\)/.*|\1|'
        changed_when: false
        failed_when: false
        register: rhel_08_030660_audit_log_path

      - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. | Get size of audit log partition"
        ansible.builtin.shell: "df -h {{ rhel_08_030660_audit_log_path.stdout }}"
        changed_when: false
        failed_when: false
        register: rhel_08_030660_audit_log_partition

      - name: "MEDIUM | RHEL-08-030660 | AUDIT | RHEL 8 must allocate audit record storage capacity to store at least one week of audit records, when audit records are not immediately sent to a central audit record storage facility. | Message out partition size"
        ansible.builtin.debug:
            msg:
                - "WARNING!! Below is the path and size of the partiion for the audit logs. Please make sure there is enough disk space for logs and logs are on their own partition"
                - "Path: {{ rhel_08_030660_audit_log_path.stdout }}"
                - "Disk Space: {{ rhel_08_030660_audit_log_partition.stdout }}"
  when:
      - rhel_08_030660
  tags:
      - RHEL-08-030660
      - CAT2
      - CCI-001849
      - SRG-OS-000341-GPOS-00132
      - SV-230476r809313_rule
      - V-230476
      - auditd

- name: "MEDIUM | RHEL-08-030670 | PATCH |  RHEL 8 must have the packages required for offloading audit logs installed."
  ansible.builtin.package:
      name: rsyslog
      state: present
  when:
      - rhel_08_030670
      - "'rsyslog' not in ansible_facts.packages"
  tags:
      - RHEL-08-030670
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230477r627750_rule
      - V-230477
      - rsyslog

- name: "MEDIUM | RHEL-08-030680 | PATCH | RHEL 8 must have the packages required for encrypting offloaded audit logs installed."
  ansible.builtin.package:
      name: rsyslog-gnutls
      state: present
  when:
      - rhel_08_030680
      - "'rsyslog-gnutls' not in ansible_facts.packages"
  tags:
      - RHEL-08-030680
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230478r744011_rule
      - V-230478
      - gnutls
      - rsyslog

- name: "MEDIUM | RHEL-08-030690 | PATCH | The RHEL 8 audit records must be off-loaded onto a different system or storage media from the system being audited."
  ansible.builtin.lineinfile:
      path: /etc/rsyslog.conf
      regexp: '^.*\@\@'
      line: "*.* {{ rhel8stig_remotelog_server.protocol }}{{ rhel8stig_remotelog_server.server }}:{{ rhel8stig_remotelog_server.port }}"
  when:
      - rhel_08_030690
  tags:
      - RHEL-08-030690
      - CAT2
      - CCI-001851
      - SRG-OS-000342-GPOS-00133
      - SV-230479r917883_rule
      - V-230479
      - auditd
      - rsyslog

- name: "MEDIUM | RHEL-08-030700 | PATCH | RHEL 8 must take appropriate action when the internal event queue is full."
  ansible.builtin.lineinfile:
      path: /etc/audit/auditd.conf
      regexp: '^overflow_action ='
      line: 'overflow_action = {{ rhel8stig_audisp_overflow_action }}'
  notify: restart auditd
  when:
      - rhel_08_030700
  tags:
      - RHEL-08-030700
      - CAT2
      - CCI-001851
      - SRG-OS-000342-GPOS-00133
      - SV-230480r627750_rule
      - V-230480
      - auditd

- name: "MEDIUM | RHEL-08-030710 | PATCH | RHEL 8 must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited."
  ansible.builtin.lineinfile:
      path: /etc/rsyslog.conf
      create: true
      owner: root
      group: root
      mode: 'u-x,go-wx'
      regexp: "{{ item.regexp }}"
      line: "{{ item.line }}"
  with_items:
      - { regexp: '^\$DefaultNetstreamDriver', line: '$DefaultNetstreamDriver gtls' }
      - { regexp: '^\$ActionSendStreamDriverMode', line: '$ActionSendStreamDriverMode 1' }
  when:
      - rhel_08_030710
  tags:
      - RHEL-08-030710
      - CAT2
      - CCI-001851
      - SRG-OS-000342-GPOS-00133
      - SV-230481r818840_rule
      - V-230481
      - auditd
      - rsyslog

- name: "MEDIUM | RHEL-08-030720 | PATCH | RHEL 8 must authenticate the remote logging server for off-loading audit logs."
  ansible.builtin.lineinfile:
      path: /etc/rsyslog.conf
      regexp: '^\$ActionSendStreamDriverAuthMode'
      line: "$ActionSendStreamDriverAuthMode x509/name"
  notify: restart auditd
  when:
      - rhel_08_030720
  tags:
      - rhel_08_030720
      - CAT2
      - CCI-001851
      - SRG-OS-000342-GPOS-00133
      - SV-230482r627750_rule
      - V-230482
      - auditd
      - rsyslog

- name: "MEDIUM | RHEL-08-030730 | PATCH | RHEL 8 must take action when allocated audit record storage volume reaches 75 percent of the repository maximum audit record storage capacity."
  ansible.builtin.lineinfile:
      path: /etc/audit/auditd.conf
      regexp: '^space_left ='
      line: 'space_left = 25%'
  when:
      - rhel_08_030730
  tags:
      - RHEL-08-030730
      - CAT2
      - CCI-001855
      - SRG-OS-000343-GPOS-00134
      - SV-230483r744014_rule
      - V-230483
      - auditd

- name: "MEDIUM | RHEL-08-030731 | PATCH | RHEL 8 must notify the System Administrator (SA) and Information System Security Officer (ISSO) (at a minimum) when allocated audit record storage volume 75 percent utilization."
  ansible.builtin.lineinfile:
      path: /etc/audit/auditd.conf
      regexp: '^space_left_action ='
      line: 'space_left_action = EMAIL'
  when:
      - rhel_08_030731
  tags:
      - RHEL-08-030731
      - CAT2
      - CCI-001855
      - SRG-OS-000343-GPOS-00134
      - SV-244543r743878_rule
      - V-244543
      - auditd

- name: "MEDIUM | RHEL-08-030740 | PATCH | RHEL 8 must compare internal information system clocks at least every 24 hours with a server synchronized to an authoritative time source, such as the United States Naval Observatory (USNO) time servers, or a time server designated for the appropriate DoD network (NIPRNet/SIPRNet), and/or the Global Positioning System (GPS)."
  ansible.builtin.lineinfile:
      path: /etc/chrony.conf
      regexp: '^server'
      line: 'server {{ rhel8stig_ntp_server_name }} iburst maxpoll 16'
  notify: restart {{ rhel8stig_time_service }}
  when:
      - rhel_08_030740
      - "'chrony' in ansible_facts.packages"
  tags:
      - RHEL-08-030740
      - CAT2
      - CCI-001891
      - SRG-OS-000355-GPOS-00143
      - SV-230484r627750_rule
      - V-230484
      - chrony

- name: "MEDIUM | RHEL-08-040001 | PATCH | RHEL 8 must not have any automated bug reporting tools installed."
  ansible.builtin.package:
      name: "abrt*"
      state: absent
  when:
      - rhel_08_040001
  tags:
      - RHEL-08-040001
      - CAT2
      - CCI-000381
      - SRG-OS-000095-GPOS-00049
      - SV-230488r627750_rule
      - V-230488
      - dnf
      - abrt

- name: "MEDIUM | RHEL-08-040002 | PATCH | RHEL 8 must not have the sendmail package installed."
  ansible.builtin.package:
      name: sendmail
      state: absent
  when:
      - rhel_08_040002
      - "'sendmail' in ansible_facts.packages"
  tags:
      - RHEL-08-040002
      - CAT2
      - CCI-00038
      - SRG-OS-000095-GPOS-00049
      - SV-230489r627750_rule
      - V-230489
      - dnf
      - sendmail

- name: "MEDIUM | RHEL-08-040020 | PATCH | RHEL 8 must cover or disable the built-in or attached camera when not in use."
  ansible.builtin.lineinfile:
      path: /etc/modprobe.d/blacklist.conf
      create: true
      regexp: "{{ item.regexp }}"
      line: "{{ item.line }}"
      owner: root
      group: root
      mode: "{{ rhel8stig_blacklist_conf_file_perms }}"
      insertafter: "{{ item.insertafter }}"
  notify: change_requires_reboot
  with_items:
      - { regexp: '##Disable WebCam', line: '##Disable WebCam', insertafter: 'EOF' }
      - { regexp: '^install uvcvideo', line: 'install uvcvideo /bin/false', insertafter: '##Disable WebCam' }
      - { regexp: '^blacklist uvcvideo', line: 'blacklist uvcvideo', insertafter: '##Disable WebCam' }
  when:
      - rhel_08_040020
  tags:
      - RHEL-08-040020
      - CAT2
      - CCI-000381
      - SRG-OS-000095-GPOS-00049
      - SV-230493r942915_rule
      - V-230493
      - camera

- name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments."
  block:
      - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Firewalld block"
        block:
            - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Get services using firewalld"
              ansible.builtin.shell: firewall-cmd --list-all | grep services | cut -d ':' -f 2 | tr " " "\n" | sed '/^$/d' | sort -u
              register: rhel8stig_ppsm_clsa_check_firewalld
              changed_when: false
              failed_when: false
              check_mode: false
              when:
                  - rhel_08_040030
              tags:
                  - RHEL-08-040030
                  - firewall

            - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Message out findings"
              ansible.builtin.debug:
                  msg:
                      - "The following output is what firewalld is accepting on service ports to {{ ansible_hostname }}."
                      - "{{ rhel8stig_ppsm_clsa_check_firewalld.stdout_lines }}"
              changed_when: true
              when:
                  - rhel_08_040030
                  - rhel8stig_ppsm_clsa_check_firewalld.stdout_lines is defined
              tags:
                  - RHEL-08-040030
                  - firewall
        when:
            - rhel_08_040030
            - not rhel8stig_system_is_chroot
            - rhel8stig_firewall_service == "firewalld"
            - rhel8stig_start_firewall_service
        tags:
            - RHEL-08-040030
            - firewall

      - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | IPTables block"
        block:
            - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Get services using iptables"
              ansible.builtin.shell: iptables-save | grep -i accept | grep -i input
              register: rhel8stig_ppsm_clsa_check_iptables
              changed_when: false
              failed_when: false
              check_mode: false
              when: rhel_08_040030
              tags:
                  - RHEL-08-040030
                  - firewall

            - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Message out findings"
              ansible.builtin.debug:
                  msg:
                      - "The following output is what iptabes is accepting on service ports to {{ ansible_hostname }}."
                      - "{{ rhel8stig_ppsm_clsa_check_iptables.stdout_lines }}"
              changed_when: true
              when:
                  - rhel_08_040030
                  - rhel8stig_ppsm_clsa_check_iptables.stdout_lines is defined
              tags:
                  - RHEL-08-040030
                  - firewall
        when:
            - rhel_08_040030
            - not rhel8stig_system_is_chroot
            - rhel8stig_firewall_service == "iptables"
            - rhel8stig_start_firewall_service
        tags:
            - RHEL-08-040030
            - firewall

      - name: "MEDIUM | RHEL-08-040030 | AUDIT | RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments. | Warn no firewall is in use"
        ansible.builtin.debug:
            msg: "Your configured firewall service is {{ rhel8stig_firewall_service }}, but you have set the variable rhel8stig_start_firewall_service to false. We cannot audit control RHEL-08-040030 - RHEL 8 must be configured to prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the Ports, Protocols, and Services Management (PPSM) Category Assignments List (CAL) and vulnerability assessments."
        changed_when: true
        when:
            - rhel_08_040030
            - not rhel8stig_start_firewall_service
        tags:
            - RHEL-08-040030
            - firewall
  when:
      - rhel_08_040030
      - not rhel8stig_system_is_chroot
      - rhel8stig_firewall_service != "not_required"

      - rhel8stig_disruptive
  tags:
      - RHEL-08-040030
      - CAT2
      - CCI-000382
      - SRG-OS-000096-GPOS-00050
      - SV-230500r627750_rule
      - V-230500
      - firewall

- name: "MEDIUM | RHEL-08-040070 | PATCH | The RHEL 8 file system automounter must be disabled unless required."
  block:
      - name: "MEDIUM | RHEL-08-040070 | AUDIT | The RHEL 8 file system automounter must be disabled unless required. | Check on autofs service to prevent disable error"
        ansible.builtin.shell: "systemctl show autofs | grep LoadState | cut -d= -f2"
        changed_when: false
        failed_when: false
        register: rhel_08_040070_autofs_status

      - name: "MEDIUM | RHEL-08-040070 | PATCH | The RHEL 8 file system automounter must be disabled unless required. | Disable autofs if exists"
        ansible.builtin.service:
            name: autofs
            state: stopped
            enabled: false
        when: rhel_08_040070_autofs_status.stdout == "loaded"
  when:
      - rhel_08_040070
  tags:
      - RHEL-08-040070
      - CAT2
      - CCI-000778
      - SRG-OS-000114-GPOS-00059
      - SV-230502r627750_rule
      - V-230502
      - autofs

- name: "MEDIUM | RHEL-08-040080 | PATCH | RHEL 8 must be configured to disable USB mass storage."
  ansible.builtin.lineinfile:
      path: /etc/modprobe.d/blacklist.conf
      regexp: "{{ item.regexp }}"
      line: "{{ item.line }}"
      insertafter: "{{ item.insertafter }}"
      create: true
      owner: root
      group: root
      mode: "{{ rhel8stig_blacklist_conf_file_perms }}"
  with_items:
      - { regexp: '^install usb-storage', line: 'install usb-storage /bin/false', insertafter: 'EOF' }
      - { regexp: '^blacklist usb-storage', line: 'blacklist usb-storage', insertafter: '#blacklist usb-storage'}
  when:
      - rhel_08_040080
  tags:
      - RHEL-08-040080
      - CAT2
      - CCI-000778
      - SRG-OS-000114-GPOS-00059
      - SV-230503r942936_rule
      - V-230503
      - usb_devices

- name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8."
  block:
      - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Install firewalld"
        ansible.builtin.package:
            name: firewalld.noarch
            state: present
        when: rhel8stig_firewall_service == "firewalld"

      - name: "MEDIUM | RHEL-08-040100 | PATCH | A firewall must be installed on RHEL 8. | Install IPTables"
        ansible.builtin.package:
            name: iptables-services
            state: present
        when: rhel8stig_firewall_service == "iptables"
  when:
      - rhel_08_040100
      - rhel8stig_firewall_service != "not_required"
  tags:
      - RHEL-08-040100
      - CAT2
      - CCI-002314
      - SRG-OS-000297-GPOS-00115
      - SV-230505r744020_rule
      - V-230505
      - firewall
      - iptables
      - firewalld

- name: "MEDIUM | RHEL-08-040101 | PATCH | A firewall must be active on RHEL 8"
  block:
      - name: "MEDIUM | RHEL-08-040101 | PATCH | A firewall must be active on RHEL 8 | Install firewalld if needed"
        ansible.builtin.package:
            name: firewalld
            state: present
        when: "'firewalld' not in ansible_facts.packages"

      - name: "MEDIUM | RHEL-08-040101 | PATCH | A firewall must be active on RHEL 8 | Enable the service"
        ansible.builtin.systemd:
            name: firewalld
            state: started  # Needs to start here or subsequent controls will fail
            enabled: true
  when:
      - rhel_08_040101
      - rhel8stig_firewall_service == "firewalld"
  tags:
      - RHEL-08-040101
      - CAT2
      - CCI-002314
      - SRG-OS-000297-GPOS-00115
      - SV-244544r743881_rule
      - V-244544
      - firewalld
      - firewall

- name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems."
  block:
      - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Set new zone"
        ansible.posix.firewalld:
            zone: "{{ rhel8stig_custom_firewall_zone }}"
            permanent: true
            state: present

      - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Copy existing rules to new zone"
        ansible.builtin.copy:
            src: "/etc/firewalld/zones/{{ rhel8stig_existing_zone_to_copy }}.xml"
            dest: "/etc/firewalld/zones/{{ rhel8stig_custom_firewall_zone }}.xml"
            remote_src: true
        when:
            - rhel8stig_copy_existing_zone
            - rhel8stig_existing_zone_to_copy | length > 0

      - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Amend copied file"
        ansible.builtin.replace:
            path: "/etc/firewalld/zones/{{ rhel8stig_custom_firewall_zone }}.xml"
            regexp: "{{ item.regexp }}"
            replace: \1{{ item.replace }}\2
        loop:
            - { regexp: (\s*<zone)>(\s*$), replace: ' target="DROP">' }
            - { regexp: (\s*<short>).*(<\/short>), replace: "{{ rhel8stig_custom_firewall_zone }}" }
        when:
            - rhel8stig_copy_existing_zone
            - rhel8stig_existing_zone_to_copy | length > 0

      - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Allow internet and ssh"
        ansible.posix.firewalld:
            zone: "{{ rhel8stig_custom_firewall_zone }}"
            permanent: true
            state: enabled
            service: "{{ (item == (item | regex_search('^[a-z]+$'))) | ternary(item, omit) }}"
            port: "{{ (item == (item | regex_search('^[0-9]+/[a-z]+$'))) | ternary(item, omit) }}"
        with_items:
            - "{{ rhel8stig_white_list_services }}"
        when:
            - not rhel8stig_copy_existing_zone

      - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Target Drop | 2.10+"
        ansible.posix.firewalld:
            zone: "{{ rhel8stig_custom_firewall_zone }}"
            permanent: true
            state: enabled
            target: DROP
        when:
            - ansible_version.full is version_compare('2.10.0 | int', '>=')
            - not rhel8stig_copy_existing_zone

      - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Target Drop | 2.9"
        block:
            - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | current setting"
              ansible.builtin.shell: "firewall-cmd --list-all --zone={{ rhel8stig_custom_firewall_zone }} | grep 'target: DROP'"
              changed_when: false
              failed_when: false
              register: rhel8stig_target_drop_set

            - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Target Drop | 2.9"
              ansible.builtin.shell: firewall-cmd --permanent --zone={{ rhel8stig_custom_firewall_zone }} --set-target=DROP
              when:
                  - rhel8stig_target_drop_set.rc != 0
        when:
            - ansible_version.full is version_compare('2.10 | int', '<')
            - not rhel8stig_copy_existing_zone

      - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Reload zones"
        ansible.builtin.shell: firewall-cmd --reload
        changed_when: rhel_08_040090_zone_reload.rc == 0
        failed_when: rhel_08_040090_zone_reload.rc >= 2
        register: rhel_08_040090_zone_reload

      - name: "MEDIUM | RHEL-08-040090 | PATCH | A RHEL 8 firewall must employ a deny-all, allow-by-exception policy for allowing connections to other systems. | Set new zone as default"
        ansible.builtin.shell: "firewall-cmd --set-default-zone={{ rhel8stig_custom_firewall_zone }}"
        changed_when: rhel_08_040090_default_zone_set.rc == 0
        failed_when: rhel_08_040090_default_zone_set.rc >= 2
        register: rhel_08_040090_default_zone_set
  when:
      - rhel_08_040090
      - rhel8stig_firewall_service != "not_required"
  tags:
      - RHEL-08-040090
      - CAT2
      - CCI-002314
      - SRG-OS-000297-GPOS-00115
      - SV-230504r942942_rule
      - V-230504
      - firewall

- name: "MEDIUM | RHEL-08-040110 | PATCH | RHEL 8 wireless network adapters must be disabled."
  block:
      - name: "MEDIUM | RHEL-08-040110 | AUDIT | RHEL 8 wireless network adapters must be disabled. | check if nmcli command is available"
        ansible.builtin.shell: rpm -q NetworkManager
        check_mode: false
        changed_when: false
        register: rhel_08_nmcli_available
        failed_when: false

      - name: "MEDIUM | RHEL-08-040110 | AUDIT | RHEL 8 wireless network adapters must be disabled. | check if wifi is enabled"
        ansible.builtin.shell: nmcli radio wifi
        register: rhel_08_wifi_enabled
        check_mode: false
        changed_when: rhel_08_wifi_enabled.stdout != "disabled"
        when: rhel_08_nmcli_available.rc == 0

      - name: "MEDIUM | RHEL-08-040110 | PATCH | RHEL 8 wireless network adapters must be disabled. | Disable wifi if enabled"
        ansible.builtin.shell: nmcli radio wifi off
        when: rhel_08_wifi_enabled is changed  # noqa no-handler
  when:
      - rhel_08_040110
  tags:
      - RHEL-08-040110
      - CAT2
      - CCI-001444
      - SRG-OS-000299-GPOS-00117
      - SV-230506r627750_rule
      - V-230506
      - wifi

- name: "MEDIUM | RHEL-08-040111 | PATCH | RHEL 8 Bluetooth must be disabled."
  block:
      - name: "MEDIUM | RHEL-08-040111 | PATCH | RHEL 8 Bluetooth must be disabled. | Disable Bluetooth"
        ansible.builtin.lineinfile:
            path: /etc/modprobe.d/bluetooth.conf
            regexp: '^install bluetooth '
            line: "install bluetooth /bin/false"
            create: true
            owner: root
            group: root
            mode: 'u-x,g-wx,o-rwx'
        notify: change_requires_reboot

      - name: "MEDIUM | RHEL-08-040111 | PATCH | RHEL 8 Bluetooth must be disabled. | Disable Bluetooth kernel module"
        ansible.builtin.lineinfile:
            path: /etc/modprobe.d/blacklist.conf
            create: true
            regexp: "{{ item.regexp }}"
            line: "{{ item.line }}"
            owner: root
            group: root
            mode: "{{ rhel8stig_blacklist_conf_file_perms }}"
            insertafter: "{{ item.insertafter }}"
        notify: change_requires_reboot
        with_items:
            - { regexp: '^blacklist bluetooth', line: 'blacklist bluetooth', insertafter: '#blacklist bluetooth kernel module' }
  when:
      - rhel_08_040111
  tags:
      - RHEL-08-040111
      - CAT2
      - CCI-001443
      - SRG-OS-000300-GPOS-00118
      - SV-230507r942939_rule
      - V-230507
      - bluetooth

- name: |
      "MEDIUM | RHEL-08-040120 | PATCH | RHEL 8 must mount /dev/shm with the nodev option."
      "MEDIUM | RHEL-08-040121 | PATCH | RHEL 8 must mount /dev/shm with the nosuid option."
      "MEDIUM | RHEL-08-040122 | PATCH | RHEL 8 must mount /dev/shm with the noexec option."
  block:
      - name: |
            "MEDIUM | RHEL-08-040120 | AUDIT | RHEL 8 must mount /dev/shm with the nodev option."
            "MEDIUM | RHEL-08-040121 | AUDIT | RHEL 8 must mount /dev/shm with the nosuid option."
            "MEDIUM | RHEL-08-040122 | AUDIT | RHEL 8 must mount /dev/shm with the noexec option."
        ansible.builtin.shell: mount | grep /dev/shm
        changed_when: false
        failed_when: false
        register: rhel8stig_040120_dev_shm_status

      - name: |
            "MEDIUM | RHEL-08-040120 | PATCH | RHEL 8 must mount /dev/shm with the nodev option."
            "MEDIUM | RHEL-08-040121 | PATCH | RHEL 8 must mount /dev/shm with the nosuid option."
            "MEDIUM | RHEL-08-040122 | PATCH | RHEL 8 must mount /dev/shm with the noexec option."
        ansible.posix.mount:
            path: "{{ item.mount }}"
            state: mounted
            src: "{{ item.device }}"
            fstype: "{{ item.fstype }}"
            opts: "defaults{{ rhel_08_040120 | ternary (',nodev', '') }}{{ rhel_08_040121 | ternary (',nosuid', '') }}{{ rhel_08_040122 | ternary (',noexec', '') }}"
        loop: "{{ ansible_facts.mounts }}"
        when:
            - item.mount == '/dev/shm'
            - rhel8stig_040120_dev_shm_status.stdout | length > 0
  when:
      - rhel_08_040120 or
        rhel_08_040121 or
        rhel_08_040122
  tags:
      - CAT2
      - RHEL-08-040120
      - RHEL-08-040121
      - RHEL-08-040122
      - CCI-001764
      - SRG-OS-000368-GPOS-00154
      - SV-230508r627750_rule
      - SV-230509r627750_rule
      - SV-230510r627750_rule
      - V-230508
      - V-230509
      - V-230510
      - mounts

- name: |
      "MEDIUM | RHEL-08-040123 | PATCH | RHEL 8 must mount /tmp with the nodev option."
      "MEDIUM | RHEL-08-040124 | PATCH | RHEL 8 must mount /tmp with the nosuid option."
      "MEDIUM | RHEL-08-040125 | PATCH | RHEL 8 must mount /tmp with the noexec option."
  block:
      - name: |
            "MEDIUM | RHEL-08-040123 | AUDIT | RHEL 8 must mount /tmp with the nodev option."
            "MEDIUM | RHEL-08-040124 | AUDIT | RHEL 8 must mount /tmp with the nosuid option."
            "MEDIUM | RHEL-08-040125 | AUDIT | RHEL 8 must mount /tmp with the noexec option."
        ansible.builtin.shell: mount | grep /tmp
        changed_when: false
        failed_when: false
        register: rhel8stig_040123_dev_status

      - name: |
            "MEDIUM | RHEL-08-040123 | PATCH | RHEL 8 must mount /tmp with the nodev option."
            "MEDIUM | RHEL-08-040124 | PATCH | RHEL 8 must mount /tmp with the nosuid option."
            "MEDIUM | RHEL-08-040125 | PATCH | RHEL 8 must mount /tmp with the noexec option."
        ansible.posix.mount:
            path: "{{ item.mount }}"
            state: mounted
            src: "{{ item.device }}"
            fstype: "{{ item.fstype }}"
            opts: "defaults{{ rhel_08_040123 | ternary (',nodev', '') }}{{ rhel_08_040124 | ternary (',nosuid', '') }}{{ rhel_08_040125 | ternary (',noexec', '') }}"
        loop: "{{ ansible_facts.mounts }}"
        when:
            - rhel8stig_040123_dev_status.stdout | length > 0
            - item.mount =='/tmp'

  when:
      - rhel_08_040123 or
        rhel_08_040124 or
        rhel_08_040125
  tags:
      - CAT2
      - RHEL-08-040123
      - RHEL-08-040124
      - RHEL-08-04125
      - CCI-001764
      - SRG-OS-000368-GPOS-00154
      - SV-230511r627750_rule
      - SV-230512r627750_rule
      - SV-230513r627750_rule
      - V-230511
      - V-230512
      - V-230513
      - mounts

- name: |
      "MEDIUM | RHEL-08-040126 | PATCH | RHEL 8 must mount /var/log with the nodev option."
      "MEDIUM | RHEL-08-040127 | PATCH | RHEL 8 must mount /var/log with the nosuid option."
      "MEDIUM | RHEL-08-040128 | PATCH | RHEL 8 must mount /var/log with the noexec option."
  block:
      - name: |
            "MEDIUM | RHEL-08-040126 | PATCH | RHEL 8 must mount /var/log with the nodev option."
            "MEDIUM | RHEL-08-040127 | PATCH | RHEL 8 must mount /var/log with the nosuid option."
            "MEDIUM | RHEL-08-040128 | PATCH | RHEL 8 must mount /var/log with the noexec option."
        ansible.builtin.shell: mount | grep '\s\+/var/log\s\+'
        changed_when: false
        failed_when: false
        register: rhel8stig_040126_var_log_status

      - name: |
            "MEDIUM | RHEL-08-040126 | PATCH | RHEL 8 must mount /var/log with the nodev option."
            "MEDIUM | RHEL-08-040127 | PATCH | RHEL 8 must mount /var/log with the nosuid option."
            "MEDIUM | RHEL-08-040128 | PATCH | RHEL 8 must mount /var/log with the noexec option."
        ansible.posix.mount:
            path: "{{ item.mount }}"
            state: mounted
            src: "{{ item.device }}"
            fstype: "{{ item.fstype }}"
            opts: "defaults{{ rhel_08_040126 | ternary (',nodev', '') }}{{ rhel_08_040127 | ternary (',nosuid', '') }}{{ rhel_08_040128 | ternary (',noexec', '') }}"
        loop: "{{ ansible_facts.mounts }}"
        when:
            - rhel8stig_040126_var_log_status.stdout | length > 0
            - item.mount == '/var/log'
  when:
      - rhel_08_040126 or
        rhel_08_040127 or
        rhel_08_040128
  tags:
      - CAT2
      - RHEL-08-040126
      - RHEL-08-040127
      - RHEL-08-040128
      - CCI-001764
      - SRG-OS-000368-GPOS-00154
      - SV-230514r627750_rule
      - SV-230515r627750_rule
      - SV-230516r627750_rule
      - V-230514
      - V-230515
      - V-230516
      - mounts

- name: |
      "MEDIUM | RHEL-08-040129 | PATCH | RHEL 8 must mount /var/log/audit with the nodev option."
      "MEDIUM | RHEL-08-040130 | PATCH | RHEL 8 must mount /var/log/audit with the nosuid option."
      "MEDIUM | RHEL-08-040131 | PATCH | RHEL 8 must mount /var/log/audit with the noexec option."
  block:
      - name: |
            "MEDIUM | RHEL-08-040129 | AUDIT | RHEL 8 must mount /var/log/audit with the nodev option."
            "MEDIUM | RHEL-08-040130 | AUDIT | RHEL 8 must mount /var/log/audit with the nosuid option."
            "MEDIUM | RHEL-08-040131 | AUDIT | RHEL 8 must mount /var/log/audit with the noexec option."
        ansible.builtin.shell: mount | grep /var/log/audit
        changed_when: false
        failed_when: false
        register: rhel8stig_040129_var_log_audit_status

      - name: |
            "MEDIUM | RHEL-08-040129 | PATCH | RHEL 8 must mount /var/log/audit with the nodev option."
            "MEDIUM | RHEL-08-040130 | PATCH | RHEL 8 must mount /var/log/audit with the nosuid option."
            "MEDIUM | RHEL-08-040131 | PATCH | RHEL 8 must mount /var/log/audit with the noexec option."
        ansible.posix.mount:
            path: "{{ item.mount }}"
            state: mounted
            src: "{{ item.device }}"
            fstype: "{{ item.fstype }}"
            opts: "defaults{{ rhel_08_040129 | ternary (',nodev', '') }}{{ rhel_08_040130 | ternary (',nosuid', '') }}{{ rhel_08_040131 | ternary (',noexec', '') }}"
        loop: "{{ ansible_facts.mounts }}"
        when:
            - item.mount == '/var/log/audit'
            - rhel8stig_040129_var_log_audit_status.stdout | length > 0
  when:
      - rhel_08_040129 or
        rhel_08_040130 or
        rhel_08_040131
  tags:
      - CAT2
      - RHEL-08-040129
      - RHEL-08-040130
      - RHEL-08-040131
      - CCI-001764
      - SRG-OS-000368-GPOS-00154
      - SV-230517r627750_rule
      - SV-230518r627750_rule
      - SV-230519r627750_rule
      - V-230517
      - V-230518
      - V-230519
      - mounts

- name: |
      "MEDIUM | RHEL-08-040132 | PATCH | RHEL 8 must mount /var/tmp with the nodev option"
      "MEDIUM | RHEL-08-040133 | PATCH | RHEL 8 must mount /var/tmp with the nosuid option."
      "MEDIUM | RHEL-08-040134 | PATCH | RHEL 8 must mount /var/tmp with the noexec option."
  block:
      - name: |
            "MEDIUM | RHEL-08-040132 | AUDIT | RHEL 8 must mount /var/tmp with the nodev option"
            "MEDIUM | RHEL-08-040133 | AUDIT | RHEL 8 must mount /var/tmp with the nosuid option."
            "MEDIUM | RHEL-08-040134 | AUDIT | RHEL 8 must mount /var/tmp with the noexec option."
        ansible.builtin.shell: mount | grep /var/tmp
        changed_when: false
        failed_when: false
        register: rhel8stig_040132_var_tmp_status

      - name: |
            "MEDIUM | RHEL-08-040132 | PATCH | RHEL 8 must mount /var/tmp with the nodev option"
            "MEDIUM | RHEL-08-040133 | PATCH | RHEL 8 must mount /var/tmp with the nosuid option."
            "MEDIUM | RHEL-08-040134 | PATCH | RHEL 8 must mount /var/tmp with the noexec option."
        ansible.posix.mount:
            path: "{{ item.mount }}"
            state: mounted
            src: "{{ item.device }}"
            fstype: "{{ item.fstype }}"
            opts: "defaults{{ rhel_08_040132 | ternary (',nodev', '') }}{{ rhel_08_040133 | ternary (',nosuid', '') }}{{ rhel_08_040134 | ternary (',noexec', '') }}"
        loop: "{{ ansible_facts.mounts }}"
        when:
            - item.mount == '/var/tmp'
            - rhel8stig_040132_var_tmp_status.stdout | length > 0
  when:
      - rhel_08_040132 or
        rhel_08_040133 or
        rhel_08_040134
  tags:
      - CAT2
      - RHEL-08-040132
      - RHEL-08-040133
      - RHEL-08-040134
      - CCI-001764
      - SRG-OS-000368-GPOS-00154
      - SV-230520r792927_rule
      - SV-230521r792930_rule
      - SV-230522r792933_rule
      - V-230520
      - V-230521
      - V-230522
      - mounts

- name: "MEDIUM | RHEL-08-040135 | PATCH | The RHEL 8 fapolicy module must be installed."
  ansible.builtin.package:
      name: fapolicyd
      state: present
  when:
      - rhel_08_040135
      - "'fapolicyd' not in ansible_facts.packages"
  tags:
      - RHEL-08-040135
      - CAT2
      - CCI-001764
      - SRG-OS-000368-GPOS-00154
      - SV-230523r744023_rule
      - V-230523
      - fapolicy

- name: "MEDIUM | RHEL-08-040136 | PATCH | The RHEL 8 fapolicy module must be enabled."
  ansible.builtin.systemd:
      name: fapolicyd
      enabled: true
  when:
      - rhel_08_040136
  tags:
      - RHEL-08-040136
      - CAT2
      - CCI-001764
      - SRG-OS-000368-GPOS-00154
      - SV-244545r743884_rule
      - V-244545
      - fapolicy

- name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs."
  block:
      - name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Check for rules.d/ directory"
        ansible.builtin.stat:
            path: /etc/fapolicyd/rules.d/
        register: rhel_08_040137_rules_dir

      - name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy whitelist on newer than 8.4"
        ansible.builtin.lineinfile:
            path: '/etc/fapolicyd/rules.d/99-stig.rules'
            line: "{{ item }}"
            create: true
        with_items:
            - "allow exe={{ ansible_python.executable }} : ftype=text/x-python"
            - "{{ rhel8stig_fapolicy_white_list }}"
        notify:
            - generate fapolicyd rules
            - restart fapolicyd
        when:
            - ansible_distribution_version is version('8.4', '>=')
            - rhel_08_040137_rules_dir.stat.isdir

      - name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy whitelist on older than 8.4"
        ansible.builtin.lineinfile:
            path: /etc/fapolicyd/fapolicyd.rules
            line: "{{ item }}"
            create: true
        with_items:
            - "allow exe={{ ansible_python.executable }} : ftype=text/x-python"
            - "{{ rhel8stig_fapolicy_white_list }}"
        notify:
            - generate fapolicyd rules
            - restart fapolicyd
        when: ansible_distribution_version is version('8.3', '<=')

      - name: "MEDIUM | RHEL-08-040137 | PATCH | The RHEL 8 fapolicy module must be configured to employ a deny-all, permit-by-exception policy to allow the execution of authorized software programs. | Set fapolicy permissive 0"
        ansible.builtin.lineinfile:
            path: /etc/fapolicyd/fapolicyd.conf
            regexp: '^permissive ='
            line: 'permissive = 0'
            create: true
  when:
      - rhel_08_040137
  tags:
      - RHEL-08-040137
      - CAT2
      - CCI-001764
      - SRG-OS-000368-GPOS-00154
      - SV-244546r858730_rule
      - V-244546
      - fapolicy

- name: |
    "MEDIUM | RHEL-08-040139 | PATCH | RHEL 8 must have the USBGuard installed."
    "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection."
    "MEDIUM | RHEL-08-040141 | PATCH | RHEL 8 must enable the USBGuard."
  block:
      - name: "MEDIUM | RHEL-08-040139 | PATCH | RHEL 8 must have the USBGuard installed. | Install usbguard"
        ansible.builtin.package:
            name: usbguard
            state: present
        when:
            - rhel_08_040139
            - "'usbguard' not in ansible_facts.packages"

      - name: "MEDIUM | RHEL-08-040140 | PATCH | RHEL 8 must block unauthorized peripherals before establishing a connection. | generate policy"
        ansible.builtin.shell: usbguard generate-policy > /etc/usbguard/rules.conf
        when:
            - rhel_08_040140
            - rhel_08_040139 or
              "'usbguard' in ansible_facts.packages"

      - name: "MEDIUM | RHEL-08-040141 | PATCH | RHEL 8 must enable the USBGuard. | Start/Enable service"
        ansible.builtin.service:
            name: usbguard
            enabled: true
        notify: restart usbguard
        when:
            - rhel_08_040141
            - rhel_08_040139 or
              "'usbguard' in ansible_facts.packages"
  when:
      - rhel_08_040139 or
        rhel_08_040140 or
        rhel_08_040141
  tags:
      - RHEL-08-040139
      - RHEL-08-040140
      - RHEL-08-040141
      - CAT2
      - CCI-001958
      - SRG-OS-000378-GPOS-00163
      - SV-244547r743890_rule
      - SV-230524r744026_rule
      - SV-244548r743893_rule
      - V-244547
      - V-230524
      - V-244548
      - usbguard

- name: "MEDIUM | RHEL-08-040150 | PATCH | A firewall must be able to protect against or limit the effects of Denial of Service (DoS) attacks by ensuring RHEL 8 can implement rate-limiting measures on impacted network interfaces."
  ansible.builtin.lineinfile:
      path: /etc/firewalld/firewalld.conf
      regexp: '^FirewallBackend='
      line: 'FirewallBackend=nftables'
  when:
      - rhel_08_040150
      - rhel8stig_firewall_service != "not_required"
  tags:
      - RHEL-08-040150
      - CAT2
      - CCI-002385
      - SRG-OS-000420-GPOS-00186
      - SV-230525r902735_rule
      - V-230525
      - firewall
      - nftables

- name: |
    "MEDIUM | RHEL-08-040159 | PATCH | All RHEL 8 networked systems must have SSH installed."
    "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission."
  block:
      - name: "MEDIUM | RHEL-08-040159 | PATCH | All RHEL 8 networked systems must have SSH installed. | Install openssh-server"
        ansible.builtin.package:
            name: openssh-server
            state: present
        when:
            - "'openssh-server' not in ansible_facts.packages"
            - rhel_08_040159

      - name: "MEDIUM | RHEL-08-040160 | PATCH | All RHEL 8 networked systems must have and implement SSH to protect the confidentiality and integrity of transmitted and received information, as well as information during preparation for transmission. | Start/Enable ssh server"
        ansible.builtin.service:
            name: sshd
            enabled: true
        notify: restart sshd
        when:
            - rhel_08_040159 or
              "'openssh-server' in ansible_facts.packages"
  when:
      - rhel_08_040159 or
        rhel_08_040160
      - rhel8stig_ssh_required
  tags:
      - RHEL-08-040159
      - RHEL-08-040160
      - CAT2
      - CCI-002418
      - SRG-OS-000423-GPOS-00187
      - SV-244549r916422_rule
      - SV-230526r916422_rule
      - V-244549
      - V-230526
      - ssh

- name: "MEDIUM | RHEL-08-040161 | PATCH | RHEL 8 must force a frequent session key renegotiation for SSH connections to the server."
  ansible.builtin.lineinfile:
      path: /etc/ssh/sshd_config
      regexp: '(?i)^#?RekeyLimit'
      line: 'RekeyLimit 1G 1h'
      validate: '/usr/sbin/sshd -T -f %s'
  notify: restart sshd
  when:
      - rhel_08_040161
      - rhel8stig_ssh_required
  tags:
      - RHEL-08-040161
      - CAT2
      - CCI-000068
      - SRG-OS-000033-GPOS-00014
      - SV-230527r951616_rule
      - V-230527
      - ssh

- name: "MEDIUM | RHEL-08-040180 | PATCH | The debug-shell systemd service must be disabled on RHEL 8."
  ansible.builtin.systemd:
      name: debug-shell.service
      state: stopped
      enabled: false
      masked: true
      daemon_reload: true
  when:
      - ansible_service_mgr == 'systemd'
      - rhel_08_040180
  tags:
      - RHEL-08-040180
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230532r627750_rule
      - V-230532
      - debug-shell

- name: "MEDIUM | RHEL-08-040209 | PATCH | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted."
  block:
      - name: "MEDIUM | RHEL-08-040209 | AUDIT | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Find conflicting instances"
        ansible.builtin.shell: grep -rs "net.ipv4.conf.default.accept_redirects = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
        changed_when: false
        failed_when: false
        register: rhel_08_040209_conflicting_settings

      - name: "MEDIUM | RHEL-08-040209 | AUDIT | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Remove conflicting instances"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: net.ipv4.conf.default.accept_redirects = [^0]
            state: absent
        loop: "{{ rhel_08_040209_conflicting_settings.stdout_lines }}"
        when:
            - rhel_08_040209_conflicting_settings.stdout | length > 0
            - item != rhel8stig_sysctl_file

      - name: "MEDIUM | RHEL-08-040209 | PATCH | RHEL 8 must prevent IPv4 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Use template to create file"
        ansible.posix.sysctl:
            name: net.ipv4.conf.default.accept_redirects
            value: 0
            state: present
            reload: "{{ rhel8stig_sysctl_reload }}"
            sysctl_set: true
            sysctl_file: "{{ rhel8stig_sysctl_file }}"
  when:
      - rhel_08_040209
  tags:
      - RHEL-08-040209
      - CAT2
      - CI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-244550r858791_rule
      - V-244550
      - ipv4

- name: "MEDIUM | RHEL-08-040210 | PATCH | RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted."
  block:
      - name: "MEDIUM | RHEL-08-040210 | AUDIT | RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Find conflicting instances"
        ansible.builtin.shell: grep -rs "net.ipv6.conf.default.accept_redirects = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
        changed_when: false
        failed_when: false
        register: rhel_08_040210_conflicting_settings

      - name: "MEDIUM | RHEL-08-040210 | PATCH | RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Remove conflicting instances"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: net.ipv6.conf.default.accept_redirects = [^0]
            state: absent
        loop: "{{ rhel_08_040210_conflicting_settings.stdout_lines }}"
        when:
            - rhel_08_040210_conflicting_settings.stdout | length > 0
            - item != rhel8stig_sysctl_file

      - name: "MEDIUM | RHEL-08-040210 | PATCH | RHEL 8 must prevent IPv6 Internet Control Message Protocol (ICMP) redirect messages from being accepted. | Use template to create file"
        ansible.posix.sysctl:
            name: net.ipv6.conf.default.accept_redirects
            value: 0
            state: present
            reload: "{{ rhel8stig_sysctl_reload }}"
            sysctl_set: true
            sysctl_file: "{{ rhel8stig_sysctl_file }}"

  when:
      - rhel_08_040210
      - rhel8stig_ipv6_required
  tags:
      - RHEL-08-040210
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230535r858793_rule
      - V-230535
      - icmp

- name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects."
  block:
      - name: "MEDIUM | RHEL-08-040220 | AUDIT | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. | Find conflicting instances"
        ansible.builtin.shell: grep -rs "net.ipv4.conf.all.send_redirects = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
        changed_when: false
        failed_when: false
        register: rhel_08_040220_conflicting_settings

      - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. | Replace conflicting instances"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: net.ipv4.conf.all.send_redirects = [^0]
            state: absent
        loop: "{{ rhel_08_040220_conflicting_settings.stdout_lines }}"
        when:
            - rhel_08_040220_conflicting_settings.stdout | length > 0
            - item != rhel8stig_sysctl_file

      - name: "MEDIUM | RHEL-08-040220 | PATCH | RHEL 8 must not send Internet Control Message Protocol (ICMP) redirects. | Use template to create file"
        ansible.posix.sysctl:
            name: net.ipv4.conf.all.send_redirects
            value: 0
            state: present
            reload: "{{ rhel8stig_sysctl_reload }}"
            sysctl_set: true
            sysctl_file: "{{ rhel8stig_sysctl_file }}"
  when:
      - rhel_08_040220
  tags:
      - RHEL-08-040220
      - CAT2
      - CCI-00036
      - SRG-OS-000480-GPOS-00227
      - SV-230536r858795_rule
      - V-230536
      - icmp

- name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address."
  block:
      - name: "MEDIUM | RHEL-08-040230 | AUDIT | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Find conflicting instances"
        ansible.builtin.shell: grep -rs "net.ipv4.icmp_echo_ignore_broadcasts\s*=\s*0" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
        changed_when: false
        failed_when: false
        register: rhel_08_040230_conflicting_settings

      - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Replace conflicting instances"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: ^net.ipv4.icmp_echo_ignore_broadcasts.*
            state: absent
        loop: "{{ rhel_08_040230_conflicting_settings.stdout_lines }}"
        when:
            - rhel_08_040230_conflicting_settings.stdout | length > 0
            - item != rhel8stig_sysctl_file

      - name: "MEDIUM | RHEL-08-040230 | PATCH | The RHEL 8 must not respond to Internet Control Message Protocol (ICMP) echoes sent to a broadcast address. | Use template to create file"
        ansible.posix.sysctl:
            name: net.ipv4.icmp_echo_ignore_broadcasts
            value: 1
            state: present
            reload: "{{ rhel8stig_sysctl_reload }}"
            sysctl_set: true
            sysctl_file: "{{ rhel8stig_sysctl_file }}"

  when:
      - rhel_08_040230
  tags:
      - RHEL-08-040230
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230537r858797_rule
      - V-230537
      - icmp

- name: "MEDIUM | RHEL-08-040239 | PATCH | RHEL 8 must not forward IPv4 source-routed packets."
  block:
      - name: "MEDIUM | RHEL-08-040239 | AUDIT | RHEL 8 must not forward IPv4 source-routed packets. | Find conflicting instances"
        ansible.builtin.shell: grep -rs "net.ipv4.conf.all.accept_source_route = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
        changed_when: false
        failed_when: false
        register: rhel_08_040239_conflicting_settings

      - name: "MEDIUM | RHEL-08-040239 | PATCH | RHEL 8 must not forward IPv4 source-routed packets. | Replace conflicting instances"
        ansible.builtin.lineinfile:
            path: "{{ item  }}"
            regexp: net.ipv4.conf.all.accept_source_route = [^0]
            state: absent
        loop: "{{ rhel_08_040239_conflicting_settings.stdout_lines }}"
        when:
            - rhel_08_040239_conflicting_settings.stdout | length > 0
            - item != rhel8stig_sysctl_file

      - name: "MEDIUM | RHEL-08-040239 | PATCH | RHEL 8 must not forward IPv4 source-routed packets. | Use template to create file"
        ansible.posix.sysctl:
            name: net.ipv4.conf.all.accept_source_route
            value: 0
            state: present
            reload: "{{ rhel8stig_sysctl_reload }}"
            sysctl_set: true
            sysctl_file: "{{ rhel8stig_sysctl_file }}"
  when:
      - rhel_08_040239
  tags:
      - RHEL-08-040239
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-244551r858799_rule
      - V-244551
      - ip4

- name: "MEDIUM | RHEL-08-040240 | PATCH | RHEL 8 must not forward IPv6 source-routed packets."
  block:
      - name: "MEDIUM | RHEL-08-040240 | AUDIT | RHEL 8 must not forward IPv6 source-routed packets. | Find conflicting instances"
        ansible.builtin.shell: grep -rs "net.ipv6.conf.all.accept_source_route = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
        changed_when: false
        failed_when: false
        register: rhel_08_040240_conflicting_settings

      - name: "MEDIUM | RHEL-08-040240 | PATCH | RHEL 8 must not forward IPv6 source-routed packets. | Remove conflicting instances"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: net.ipv6.conf.all.accept_source_route = [^0]
            state: absent
        loop: "{{ rhel_08_040240_conflicting_settings.stdout_lines }}"
        when: rhel_08_040240_conflicting_settings.stdout |length > 0

      - name: "MEDIUM | RHEL-08-040240 | PATCH | RHEL 8 must not forward IPv6 source-routed packets. | Use template to create file"
        ansible.posix.sysctl:
            name: net.ipv6.conf.all.accept_source_route
            value: 0
            state: present
            reload: "{{ rhel8stig_sysctl_reload }}"
            sysctl_set: true
            sysctl_file: "{{ rhel8stig_sysctl_file }}"
  when:
      - rhel_08_040240
      - rhel8stig_ipv6_required
  tags:
      - RHEL-08-040240
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230538r858801_rule
      - V-230538
      - icmp

- name: "MEDIUM | RHEL-08-040249 | PATCH | RHEL 8 must not forward IPv4 source-routed packets by default."
  block:
      - name: "MEDIUM | RHEL-08-040249 | AUDIT | RHEL 8 must not forward IPv4 source-routed packets by default. | Find conflicting instances"
        ansible.builtin.shell: grep -rs "net.ipv4.conf.default.accept_source_route = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
        changed_when: false
        failed_when: false
        register: rhel_08_040249_conflicting_settings

      - name: "MEDIUM | RHEL-08-040249 | PATCH | RHEL 8 must not forward IPv4 source-routed packets by default. | Replace conflicting instances"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: net.ipv4.conf.default.accept_source_route = [^0]
            state: absent
        loop: "{{ rhel_08_040249_conflicting_settings.stdout_lines }}"
        when:
            - rhel_08_040249_conflicting_settings.stdout | length > 0
            - item != rhel8stig_sysctl_file

      - name: "MEDIUM | RHEL-08-040249 | PATCH | RHEL 8 must not forward IPv4 source-routed packets by default. | Use template to create file"
        ansible.posix.sysctl:
            name: net.ipv4.conf.default.accept_source_route
            value: 0
            state: present
            reload: "{{ rhel8stig_sysctl_reload }}"
            sysctl_set: true
            sysctl_file: "{{ rhel8stig_sysctl_file }}"
  when:
      - rhel_08_040249
  tags:
      - RHEL-08-040249
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-244552r858803_rule
      - V-244552
      - ipv4

- name: "MEDIUM | RHEL-08-040250 | PATCH | RHEL 8 must not forward IPv6 source-routed packets by default."
  block:
      - name: "MEDIUM | RHEL-08-040250 | AUDIT | RHEL 8 must not forward IPv6 source-routed packets by default. | Find conflicting instances"
        ansible.builtin.shell: grep -rs "net.ipv6.conf.default.accept_source_route = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
        changed_when: false
        failed_when: false
        register: rhel_08_040250_conflicting_findings

      - name: "MEDIUM | RHEL-08-040250 | PATCH | RHEL 8 must not forward IPv6 source-routed packets by default. | Remove conflicting instances"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: net.ipv6.conf.default.accept_source_route = [^0]
            state: absent
        loop: "{{ rhel_08_040250_conflicting_findings.stdout_lines }}"
        when: rhel_08_040250_conflicting_findings.stdout | length > 0

      - name: "MEDIUM | RHEL-08-040250 | PATCH | RHEL 8 must not forward IPv6 source-routed packets by default. | Use template to create file"
        ansible.posix.sysctl:
            name: net.ipv6.conf.default.accept_source_route
            value: 0
            state: present
            reload: "{{ rhel8stig_sysctl_reload }}"
            sysctl_set: true
            sysctl_file: "{{ rhel8stig_sysctl_file }}"
  when:
      - rhel_08_040250
      - rhel8stig_ipv6_required
  tags:
      - RHEL-08-040250
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230539r861085_rule
      - V-230539
      - icmp

- name: "MEDIUM | RHEL-08-040259 | PATCH | RHEL 8 must not enable IPv4 packet forwarding unless the system is a router."
  block:
      - name: "MEDIUM | RHEL-08-040259 | AUDIT | RHEL 8 must not enable IPv4 packet forwarding unless the system is a router. | Find conflicting instances"
        ansible.builtin.shell: grep -rs "net.ipv4.conf.all.forwarding = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
        changed_when: false
        failed_when: false
        register: rhel_08_040259_conflicting_settings

      - name: "MEDIUM | RHEL-08-040259 | PATCH | RHEL 8 must not enable IPv4 packet forwarding unless the system is a router. | Replace conflicting instances"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: net.ipv4.conf.all.forwarding = [^0]
            state: absent
        loop: "{{ rhel_08_040259_conflicting_settings.stdout_lines }}"
        when:
            - rhel_08_040259_conflicting_settings.stdout | length > 0
            - item != rhel8stig_sysctl_file

      - name: "MEDIUM | RHEL-08-040259 | PATCH | RHEL 8 must not enable IPv4 packet forwarding unless the system is a router. | Use template to create file"
        ansible.posix.sysctl:
            name: net.ipv4.conf.all.forwarding
            value: 0
            state: present
            reload: "{{ rhel8stig_sysctl_reload }}"
            sysctl_set: true
            sysctl_file: "{{ rhel8stig_sysctl_file }}"
  when:
      - rhel_08_040259
      - not rhel8stig_system_is_router
  tags:
      - RHEL-08-040259
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-250317r858808_rule
      - V-250317
      - icmp

- name: "MEDIUM | RHEL-08-040260 | PATCH | RHEL 8 must not enable IPv6 packet forwarding unless the system is a router."
  block:
      - name: "MEDIUM | RHEL-08-040260 | AUDIT | RHEL 8 must not enable IPv6 packet forwarding unless the system is a router. | Find conflicting instances"
        ansible.builtin.shell: grep -rs "net.ipv6.conf.all.forwarding = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
        changed_when: false
        failed_when: false
        register: rhel_08_040260_conflicting_settings

      - name: "MEDIUM | RHEL-08-040260 | PATCH | RHEL 8 must not enable IPv6 packet forwarding unless the system is a router. | Replace conflicting instances"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: net.ipv6.conf.all.forwarding = [^0]
            state: absent
        loop: "{{ rhel_08_040260_conflicting_settings.stdout_lines }}"
        when:
            - rhel_08_040260_conflicting_settings.stdout | length > 0
            - item != rhel8stig_sysctl_file

      - name: "MEDIUM | RHEL-08-040260 | PATCH | RHEL 8 must not enable IPv6 packet forwarding unless the system is a router. | Use template to create file"
        ansible.posix.sysctl:
            name: net.ipv6.conf.all.forwarding
            value: 0
            state: present
            reload: "{{ rhel8stig_sysctl_reload }}"
            sysctl_set: true
            sysctl_file: "{{ rhel8stig_sysctl_file }}"
  when:
      - rhel_08_040260
      - rhel8stig_ipv6_required
      - not rhel8stig_system_is_router
  tags:
      - RHEL-08-040260
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230540r858810_rule
      - V-230540
      - icmp

- name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces."
  block:
      - name: "MEDIUM | RHEL-08-040261 | AUDIT | RHEL 8 must not accept router advertisements on all IPv6 interfaces. | Find conflicting instances"
        ansible.builtin.shell: grep -rs "net.ipv6.conf.all.accept_ra = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
        changed_when: false
        failed_when: false
        register: rhel_08_040261_conflicting_settings

      - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces. | Replace conflicting instances"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: net.ipv6.conf.all.accept_ra = [^0]
            state: absent
        loop: "{{ rhel_08_040261_conflicting_settings.stdout_lines }}"
        when:
            - rhel_08_040261_conflicting_settings.stdout | length > 0
            - item != rhel8stig_sysctl_file

      - name: "MEDIUM | RHEL-08-040261 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces. | Use template to create file"
        ansible.posix.sysctl:
            name: net.ipv6.conf.all.accept_ra
            value: 0
            state: present
            reload: "{{ rhel8stig_sysctl_reload }}"
            sysctl_set: true
            sysctl_file: "{{ rhel8stig_sysctl_file }}"
  when:
      - rhel_08_040261
      - rhel8stig_ipv6_required
      - not rhel8stig_system_is_router
  tags:
      - RHEL-08-040261
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230541r858812_rule
      - V-230541
      - icmp

- name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default."
  block:
      - name: "MEDIUM | RHEL-08-040262 | AUDIT | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. | Find conflicting instances"
        ansible.builtin.shell: grep -rs "net.ipv6.conf.default.accept_ra = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
        changed_when: false
        failed_when: false
        register: rhel_08_040262_conflicting_settings

      - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. | Replace conflicting instances"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: net.ipv6.conf.default.accept_ra = [^0]
            state: absent
        loop: "{{ rhel_08_040262_conflicting_settings.stdout_lines }}"
        when:
            - rhel_08_040262_conflicting_settings.stdout | length > 0
            - item != rhel8stig_sysctl_file

      - name: "MEDIUM | RHEL-08-040262 | PATCH | RHEL 8 must not accept router advertisements on all IPv6 interfaces by default. | Use template to create file"
        ansible.posix.sysctl:
            name: net.ipv6.conf.default.accept_ra
            value: 0
            state: present
            reload: "{{ rhel8stig_sysctl_reload }}"
            sysctl_set: true
            sysctl_file: "{{ rhel8stig_sysctl_file }}"
  when:
      - rhel_08_040262
      - rhel8stig_ipv6_required
      - not rhel8stig_system_is_router
  tags:
      - RHEL-08-040262
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230542r858814_rule
      - V-230542
      - icmp

- name: "MEDIUM | RHEL-08-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default."
  block:
      - name: "MEDIUM | RHEL-08-040270 | AUDIT | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Find conflicting instances"
        ansible.builtin.shell: grep -rs "net.ipv4.conf.default.send_redirects = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
        changed_when: false
        failed_when: false
        register: rhel_08_040270_conflicting_settings

      - name: "MEDIUM | RHEL-08-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Replace conflicting instances"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: net.ipv4.conf.default.send_redirects = [^0]
            state: absent
        loop: "{{ rhel_08_040270_conflicting_settings.stdout_lines }}"
        when:
            - rhel_08_040270_conflicting_settings.stdout | length > 0
            - item != rhel8stig_sysctl_file

      - name: "MEDIUM | RHEL-08-040270 | PATCH | The RHEL 8 must not allow interfaces to perform Internet Control Message Protocol (ICMP) redirects by default. | Use template to create file"
        ansible.posix.sysctl:
            name: net.ipv4.conf.default.send_redirects
            value: 0
            state: present
            reload: "{{ rhel8stig_sysctl_reload }}"
            sysctl_set: true
            sysctl_file: "{{ rhel8stig_sysctl_file }}"
  when:
      - rhel_08_040270
  tags:
      - RHEL-08-040270
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230543r858816_rule
      - V-230543
      - icmp

- name: "MEDIUM | RHEL-08-040279 | PATCH | RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages."
  block:
      - name: "MEDIUM | RHEL-08-040279 | AUDIT | RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. | Find conflicting instances"
        ansible.builtin.shell: grep -rs "net.ipv4.conf.all.accept_redirects = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
        changed_when: false
        failed_when: false
        register: rhel_08_040279_conflicting_settings

      - name: "MEDIUM | RHEL-08-040279 | PATCH | RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. | Replace conflicting instances"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: net.ipv4.conf.all.accept_redirects = [^0]
            state: absent
        loop: "{{ rhel_08_040279_conflicting_settings.stdout_lines }}"
        when:
            - rhel_08_040279_conflicting_settings.stdout | length > 0
            - item != rhel8stig_sysctl_file

      - name: "MEDIUM | RHEL-08-040279 | PATCH | RHEL 8 must ignore IPv4 Internet Control Message Protocol (ICMP) redirect messages. | Use template to create file"
        ansible.posix.sysctl:
            name: net.ipv4.conf.all.accept_redirects
            value: 0
            state: present
            reload: "{{ rhel8stig_sysctl_reload }}"
            sysctl_set: true
            sysctl_file: "{{ rhel8stig_sysctl_file }}"
  when:
      - rhel_08_040279
  tags:
      - RHEL-08-040279
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-244553r858818_rule
      - V-244553
      - ipv4

- name: "MEDIUM | RHEL-08-040280 | PATCH | RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages."
  block:
      - name: "MEDIUM | RHEL-08-040280 | AUDIT | RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. | Find conflicting instances"
        ansible.builtin.shell: grep -rs "net.ipv6.conf.all.accept_redirects = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
        changed_when: false
        failed_when: false
        register: rhel_08_040280_conflicting_settings

      - name: "MEDIUM | RHEL-08-040280 | PATCH | RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. | Replace conflicting instances"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: net.ipv6.conf.all.accept_redirects = [^0]
            state: absent
        loop: "{{ rhel_08_040280_conflicting_settings.stdout_lines }}"
        when:
            - rhel_08_040280_conflicting_settings.stdout | length > 0
            - item != rhel8stig_sysctl_file

      - name: "MEDIUM | RHEL-08-040280 | PATCH | RHEL 8 must ignore IPv6 Internet Control Message Protocol (ICMP) redirect messages. | Use template to create file"
        ansible.posix.sysctl:
            name: net.ipv6.conf.all.accept_redirects
            value: 0
            state: present
            reload: "{{ rhel8stig_sysctl_reload }}"
            sysctl_set: true
            sysctl_file: "{{ rhel8stig_sysctl_file }}"
  when:
      - rhel_08_040280
      - rhel8stig_ipv6_required
  tags:
      - RHEL-08-040280
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230544r858820_rule
      - V-230544
      - icmp

- name: "MEDIUM | RHEL-08-040281 | PATCH | RHEL 8 must disable access to network bpf syscall from unprivileged processes."
  block:
      - name: "MEDIUM | RHEL-08-040281 | AUDIT | RHEL 8 must disable access to network bpf syscall from unprivileged processes. | Find conflicting instances"
        ansible.builtin.shell: grep -rs "kernel.unprivileged_bpf_disabled = [^1]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
        changed_when: false
        failed_when: false
        register: rhel_08_040281_conflicting_settings

      - name: "MEDIUM | RHEL-08-040281 | PATCH | RHEL 8 must disable access to network bpf syscall from unprivileged processes. | Replace conflicting instances"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: kernel.unprivileged_bpf_disabled = [^1]
            state: absent
        loop: "{{ rhel_08_040281_conflicting_settings.stdout_lines }}"
        when:
            - rhel_08_040281_conflicting_settings.stdout | length > 0
            - item != rhel8stig_sysctl_file

      - name: "MEDIUM | RHEL-08-040281 | PATCH | RHEL 8 must disable access to network bpf syscall from unprivileged processes. | Use template to create file"
        ansible.posix.sysctl:
            name: kernel.unprivileged_bpf_disabled
            value: 1
            state: present
            reload: "{{ rhel8stig_sysctl_reload }}"
            sysctl_set: true
            sysctl_file: "{{ rhel8stig_sysctl_file }}"
  when:
      - rhel_08_040281
  tags:
      - RHEL-08-040281
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230545r858822_rule
      - V-230545
      - sysctl

- name: "MEDIUM | RHEL-08-040282 | PATCH | RHEL 8 must restrict usage of ptrace to descendant processes."
  block:
      - name: "MEDIUM | RHEL-08-040282 | AUDIT | RHEL 8 must restrict usage of ptrace to descendant processes. | Find conflicting instances"
        ansible.builtin.shell: grep -Ers "kernel.yama.ptrace_scope\s*=\s*.*" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
        changed_when: false
        failed_when: false
        register: rhel_08_040282_conflicting_settings

      - name: "MEDIUM | RHEL-08-040282 | PATCH | RHEL 8 must restrict usage of ptrace to descendant processes. | Replace conflicting instances"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: kernel.yama.ptrace_scope.*
            state: absent
        loop: "{{ rhel_08_040282_conflicting_settings.stdout_lines }}"
        when:
            - rhel_08_040282_conflicting_settings.stdout | length > 0
            - item != rhel8stig_sysctl_file

      - name: "MEDIUM | RHEL-08-040282 | PATCH | RHEL 8 must restrict usage of ptrace to descendant processes. | Use template to create file"
        ansible.posix.sysctl:
            name: kernel.yama.ptrace_scope
            value: 1
            state: present
            reload: "{{ rhel8stig_sysctl_reload }}"
            sysctl_set: true
            sysctl_file: "{{ rhel8stig_sysctl_file }}"
  when:
      - rhel_08_040282
  tags:
      - RHEL-08-040282
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230546r858824_rule
      - V-230546
      - sysctl

- name: "MEDIUM | RHEL-08-040283 | PATCH | RHEL 8 must restrict exposed kernel pointer addresses access."
  block:
      - name: "MEDIUM | RHEL-08-040283 | AUDIT | RHEL 8 must restrict exposed kernel pointer addresses access. | Find conflicting instances"
        ansible.builtin.shell: grep -rs "kernel.kptr_restrict = [^1]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
        changed_when: false
        failed_when: false
        register: rhel_08_040283_conflicting_settings

      - name: "MEDIUM | RHEL-08-040283 | PATCH | RHEL 8 must restrict exposed kernel pointer addresses access. | Replace conflicting instances"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: kernel.kptr_restrict = [^1]
            state: absent
        loop: "{{ rhel_08_040283_conflicting_settings.stdout_lines }}"
        when:
            - rhel_08_040283_conflicting_settings.stdout | length > 0
            - item != rhel8stig_sysctl_file

      - name: "MEDIUM | RHEL-08-040283 | PATCH | RHEL 8 must restrict exposed kernel pointer addresses access. | Use template to create file"
        ansible.posix.sysctl:
            name: kernel.kptr_restrict
            value: 1
            state: present
            reload: "{{ rhel8stig_sysctl_reload }}"
            sysctl_set: true
            sysctl_file: "{{ rhel8stig_sysctl_file }}"
  when:
      - rhel_08_040283
  tags:
      - RHEL-08-040283
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230547r858826_rule
      - V-230547
      - sysctl

- name: "MEDIUM | RHEL-08-040284 | PATCH | RHEL 8 must disable the use of user namespaces."
  block:
      - name: "MEDIUM | RHEL-08-040284 | AUDIT | RHEL 8 must disable the use of user namespaces. | Find conflicting instances"
        ansible.builtin.shell: grep -rs "user.max_user_namespaces = [^0]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
        changed_when: false
        failed_when: false
        register: rhel_08_040284_conflicting_settings

      - name: "MEDIUM | RHEL-08-040284 | PATCH | RHEL 8 must disable the use of user namespaces. | Replace conflicting instances"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: user.max_user_namespaces = [^0]
            state: absent
        loop: "{{ rhel_08_040284_conflicting_settings.stdout_lines }}"
        when:
            - rhel_08_040284_conflicting_settings.stdout | length > 0
            - item != rhel8stig_sysctl_file

      - name: "MEDIUM | RHEL-08-040284 | PATCH | RHEL 8 must disable the use of user namespaces. | Use template to create file"
        ansible.posix.sysctl:
            name: user.max_user_namespaces
            value: 0
            state: present
            reload: "{{ rhel8stig_sysctl_reload }}"
            sysctl_set: true
            sysctl_file: "{{ rhel8stig_sysctl_file }}"
  when:
      - rhel_08_040284
  tags:
      - RHEL-08-040284
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230548r858828_rule
      - V-230548
      - sysctl

- name: "MEDIUM | RHEL-08-040285 | PATCH | RHEL 8 must use reverse path filtering on all IPv4 interfaces."
  block:
      - name: "MEDIUM | RHEL-08-040285 | AUDIT | RHEL 8 must use reverse path filtering on all IPv4 interfaces. | Find conflicting instances"
        ansible.builtin.shell: grep -rs "net.ipv4.conf.all.rp_filter = [^1]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
        changed_when: false
        failed_when: false
        register: rhel_08_040285_conflicting_settings

      - name: "MEDIUM | RHEL-08-040285 | PATCH | RHEL 8 must use reverse path filtering on all IPv4 interfaces. | Replace conflicting instances"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: net.ipv4.conf.all.rp_filter = [^1]
            state: absent
        loop: "{{ rhel_08_040285_conflicting_settings.stdout_lines }}"
        when:
            - rhel_08_040285_conflicting_settings.stdout | length > 0
            - item != rhel8stig_sysctl_file

      - name: "MEDIUM | RHEL-08-040285 | PATCH | RHEL 8 must use reverse path filtering on all IPv4 interfaces. | Use template to create file"
        ansible.posix.sysctl:
            name: net.ipv4.conf.all.rp_filter
            value: 1
            state: present
            reload: "{{ rhel8stig_sysctl_reload }}"
            sysctl_set: true
            sysctl_file: "{{ rhel8stig_sysctl_file }}"
  when:
      - rhel_08_040285
  tags:
      - RHEL-08-040285
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230549r858830_rule
      - V-230549
      - sysctl

- name: "MEDIUM | RHEL-08-040286 | PATCH | RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler."
  block:
      - name: "MEDIUM | RHEL-08-040286 | AUDIT | RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler. | Find conflicting instances"
        ansible.builtin.shell: grep -rs "net.core.bpf_jit_harden = [^2]" /run/sysctl.d/*.conf /usr/local/lib/sysctl.d/*.conf /usr/lib/sysctl.d/*.conf /lib/sysctl.d/*.conf /etc/sysctl.conf /etc/sysctl.d/*.conf | cut -d':' -f1
        changed_when: false
        failed_when: false
        register: rhel_08_040286_conflicting_settings

      - name: "MEDIUM | RHEL-08-040286 | PATCH | RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler. | Replace conflicting instances"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: net.core.bpf_jit_harden = [^2]
            state: absent
        loop: "{{ rhel_08_040286_conflicting_settings.stdout_lines }}"
        when:
            - rhel_08_040286_conflicting_settings.stdout | length > 0
            - item != rhel8stig_sysctl_file

      - name: "MEDIUM | RHEL-08-040286 | PATCH | RHEL 8 must enable hardening for the Berkeley Packet Filter Just-in-time compiler. | Use template to create file"
        ansible.posix.sysctl:
            name: net.core.bpf_jit_harden
            value: 2
            state: present
            reload: "{{ rhel8stig_sysctl_reload }}"
            sysctl_set: true
            sysctl_file: "{{ rhel8stig_sysctl_file }}"
  when:
      - rhel_08_040286
  tags:
      - RHEL-08-040286
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-244554r858832_rule
      - V-244554

- name: "MEDIUM | RHEL-08-040290 | PATCH | The RHEL 8 must be configured to prevent unrestricted mail relaying. | Set restriction"
  ansible.builtin.shell: "postconf -e 'smtpd_client_restrictions = permit_mynetworks,reject'"
  when:
      - "'postfix' in ansible_facts.packages"
      - rhel_08_040290
  tags:
      - RHEL-08-040290
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230550r627750_rule
      - V-230550
      - mail

- name: "MEDIUM | RHEL-08-040320 | PATCH | The graphical display manager must not be installed on RHEL 8 unless approved."
  ansible.builtin.package:
      name:
          - xorg-x11-server-Xorg
          - xorg-x11-server-common
          - xorg-x11-server-utils
          - xorg-x11-server-Xwayland
      state: absent
  notify: change_requires_reboot
  when:
      - rhel_08_040320
      - not rhel8stig_gui
      - "'xorg-x11-server-Xorg' in ansible_facts.packages or 'xorg-x11-server-common' in ansible_facts.packages or 'xorg-x11-server-utils' in ansible_facts.packages or 'xorg-x11-server-Xwayland' in ansible_facts.packages"
  tags:
      - RHEL-08-040320
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230553r809324_rule
      - V-230553
      - gui

- name: "MEDIUM | RHEL-08-040321 | PATCH | The graphical display manager must not be the default target on RHEL 8 unless approved."
  ansible.builtin.file:
      src: /usr/lib/systemd/system/multi-user.target
      dest: /etc/systemd/system/default.target
      state: link
  when:
      - rhel_08_040321
      - not rhel8stig_gui
  tags:
      - RHEL-08-040321
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-251718r809378_rule
      - V-251718
      - systemctl

- name: "MEDIUM | RHEL-08-040330 | PATCH | RHEL 8 network interfaces must not be in promiscuous mode."
  block:
      - name: "MEDIUM | RHEL-08-040330 | AUDIT | RHEL 8 network interfaces must not be in promiscuous mode. | Check promiscuous mode"
        ansible.builtin.shell: "ip link | grep -i promisc | cut -d ':' -f 2"
        check_mode: false
        failed_when: false
        changed_when: rhel_08_040670_promisc_check.stdout != ''
        ignore_errors: true
        register: rhel_08_040670_promisc_check

      - name: "MEDIUM | RHEL-08-040330 | PATCH | RHEL 8 network interfaces must not be in promiscuous mode. | Set promiscuous mode"
        ansible.builtin.shell: "ip link set dev {{ item }} promisc off"
        with_items: "{{ rhel_08_040670_promisc_check.stdout_lines }}"
  when:
      - rhel_08_040330
      - not rhel8stig_net_promisc_mode_required
  tags:
      - RHEL-08-040330
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230554r627750_rule
      - V-230554
      - network

- name: "MEDIUM | RHEL-08-040340 | PATCH | RHEL 8 remote X connections for interactive users must be disabled unless to fulfill documented and validated mission requirements."
  ansible.builtin.lineinfile:
      path: /etc/ssh/sshd_config
      regexp: '(?i)^#?X11Forwarding'
      line: 'X11Forwarding no'
      validate: '/usr/sbin/sshd -T -f %s'
  notify: restart sshd
  when:
      - rhel_08_040340
      - rhel8stig_ssh_required
  tags:
      - RHEL-08-040340
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - V-230555r951618_rule
      - V-230555
      - ssh

- name: "MEDIUM | RHEL-08-040341 | PATCH | The RHEL 8 SSH daemon must prevent remote hosts from connecting to the proxy display."
  ansible.builtin.lineinfile:
      path: /etc/ssh/sshd_config
      regexp: '(?i)^#?X11UseLocalhost'
      line: 'X11UseLocalhost yes'
      validate: '/usr/sbin/sshd -T -f %s'
  when:
      - rhel_08_040341
      - rhel8stig_ssh_required
  tags:
      - RHEL-08-040341
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230556r951620_rule
      - V-230556
      - ssh

- name: "MEDIUM | RHEL-08-040342 | PATCH | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | Add KEXs"
  block:
      - name: "MEDIUM | RHEL-08-040342 | AUDIT | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | get KEXs"
        ansible.builtin.shell: grep -E "^CRYPTO_POLICY" /etc/crypto-policies/back-ends/opensshserver.config | cut -d "'" -f2 | sed s'/ /\n/g' | grep -i okexa | sed s'/-o//g'
        changed_when: false
        failed_when: false
        register: rhel8stig_current_kex

      - name: MEDIUM | RHEL-08-040342 | PATCH | RHEL 8 SSH server must be configured to use only FIPS-validated key exchange algorithms. | update KEXs"
        ansible.builtin.lineinfile:
            path: /etc/crypto-policies/back-ends/opensshserver.config
            regexp: '(^CRYPTO_POLICY=.*)-o{{ rhel8stig_current_kex.stdout }}(.*$)'
            line: '\g<1>-o{{ rhel8stig_ssh_kex }}\g<2>'
            backrefs: true
        when:
            - rhel8stig_current_kex is defined
            - rhel8stig_current_kex.stdout | length > 0
        notify: change_requires_reboot
  when:
      - rhel_08_040342
      - rhel8stig_ssh_required
  tags:
      - RHEL-08-040342
      - CAT2
      - CCI-001453
      - SRG-OS-000250-GPOS-00093
      - SV-255924r917888_rule
      - V-255924
      - fips

- name: "MEDIUM | RHEL-08-040350 | PATCH | If the Trivial File Transfer Protocol (TFTP) server is required, the RHEL 8 TFTP daemon must be configured to operate in secure mode."
  ansible.builtin.lineinfile:
      path: /etc/xinetd.d/tftp
      regexp: "(?i)^.*server_args.*="
      line: "\tserver_args\t\t= -s /var/lib/tftpboot"
      insertafter: "\tserver\t\t\t="
      state: present
  register: result
  failed_when:
      - result is failed
      - result.rc != 257
  when:
      - rhel_08_040350
      - rhel8stig_tftp_required
  tags:
      - skip_ansible_lint
      - RHEL-08-040350
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230557r627750_rule
      - V-230557
      - tftp

- name: "MEDIUM | RHEL-08-040370 | PATCH | The gssproxy package must not be installed unless mission essential on RHEL 8."
  ansible.builtin.package:
      name: gssproxy
      state: absent
  when:
      - rhel_08_040370
      - "'gssproxy' in ansible_facts.packages"
  tags:
      - RHEL-08-040370
      - CAT2
      - CCI-000381
      - SRG-OS-000480-GPOS-00227
      - SV-230559r646887_rule
      - V-230559
      - dnf
      - gssproxy

- name: "MEDIUM | RHEL-08-040380 | PATCH | The iprutils package must not be installed unless mission essential on RHEL 8."
  ansible.builtin.package:
      name: iprutils
      state: absent
  when:
      - rhel_08_040380
      - "'iprutils' in ansible_facts.packages"
  tags:
      - RHEL-08-040380
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230560r627750_rule
      - V-230560
      - iprutils

- name: "MEDIUM | RHEL-08-040390 | PATCH | The tuned package must not be installed unless mission essential on RHEL 8."
  ansible.builtin.package:
      name: tuned
      state: absent
  when:
      - rhel_08_040390
      - "'tuned' in ansible_facts.packages"
  tags:
      - RHEL-08-040390
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-230561r627750_rule
      - V-230561
      - tuned

- name: "MEDIUM | RHEL-08-040400 | AUDIT | RHEL 8 must prevent non-privileged users from executing privileged functions, including disabling, circumventing, or altering implemented security safeguards/countermeasures."
  ansible.builtin.debug:
      msg:
          - "Warning! This task is a manual task"
          - "Please do the following to conform to STIG standards"
          - 'All administrators must be mapped to the "sysadm_u", "staff_u", or an appropriately tailored confined role as defined by the organization.'
          - 'All authorized non-administrative users must be mapped to the "user_u" role.'
  when:
      - rhel_08_040400
  tags:
      - RHEL-08-040400
      - CAT2
      - CCI-002265
      - SRG-OS-000324-GPOS-00125
      - SV-254520r928805_rule
      - V-254520
      - selinux

- name: "MEDIUM | RHEL-08-010163 | PATCH | The krb5-server package must not be installed on RHEL 8."
  ansible.builtin.package:
      name: krb5-server
      state: absent
  when:
      - rhel_08_010163
      - "'krb5-server' in ansible_facts.packages"
  tags:
      - RHEL-08-010163
      - CAT2
      - CCI-000803
      - SRG-OS-000120-GPOS-00061
      - SV-237640r646890_rule
      - V-237640
      - krb5

- name: "MEDIUM | RHEL-08-010382 | PATCH | RHEL 8 must restrict privilege elevation to authorized personnel."
  block:
      - name: "MEDIUM | RHEL-08-010382 | AUDIT | RHEL 8 must restrict privilege elevation to authorized personnel. | Get ALL settings"
        ansible.builtin.shell: grep -iws 'ALL' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort
        changed_when: false
        failed_when: false
        register: rhel_08_010382_sudoers_all

      - name: "MEDIUM | RHEL-08-010382 | PATCH | RHEL 8 must restrict privilege elevation to authorized personnel. | Remove format 1"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: 'ALL ALL=(ALL) ALL'
            state: absent
            validate: '/usr/sbin/visudo -cf %s'
        with_items:
            - "{{ rhel_08_010382_sudoers_all.stdout_lines }}"
        when: rhel_08_010382_sudoers_all.stdout | length > 0

      - name: "MEDIUM | RHEL-08-010382 | PATCH | RHEL 8 must restrict privilege elevation to authorized personnel. | Remove format 2"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: 'ALL ALL=(ALL:ALL) ALL'
            state: absent
            validate: '/usr/sbin/visudo -cf %s'
        with_items:
            - "{{ rhel_08_010382_sudoers_all.stdout_lines }}"
        when: rhel_08_010382_sudoers_all.stdout | length > 0
  when:
      - rhel_08_010382
      - rhel8stig_disruption_high
  tags:
      - RHEL-08-010382
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-237641r646893_rule
      - V-237641
      - sudo

- name: "MEDIUM | RHEL-08-010383 | PATCH | RHEL 8 must use the invoking user's password for privilege escalation when using sudo."
  block:
      - name: "MEDIUM | RHEL-08-010383 | AUDIT | RHEL 8 must use the invoking user's password for privilege escalation when using sudo. | Get privilege escalation"
        ansible.builtin.shell: egrep -is '(!rootpw|!targetpw|!runaspw)' /etc/sudoers /etc/sudoers.d/* | grep -v '#' | cut -d ':' -f1 | sort --uniq
        changed_when: false
        failed_when: false
        register: rhel_08_010383_priv_escalation

      - name: "MEDIUM | RHEL-08-010383 | PATCH | RHEL 8 must use the invoking user's password for privilege escalation when using sudo. | Set privilege escalation for no findings"
        ansible.builtin.lineinfile:
            path: /etc/sudoers
            line: "{{ item }}"
            validate: '/usr/sbin/visudo -cf %s'
        with_items:
            - Defaults !targetpw
            - Defaults !rootpw
            - Defaults !runaspw
        when: rhel_08_010383_priv_escalation.stdout | length == 0

      - name: "MEDIUM | RHEL-08-010383 | PATCH | RHEL 8 must use the invoking user's password for privilege escalation when using sudo. | Set privilege escalation for targetpw with findings"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: 'Defaults !targetpw'
            line: 'Defaults !targetpw'
            validate: '/usr/sbin/visudo -cf %s'
        with_items:
            - "{{ rhel_08_010383_priv_escalation.stdout_lines }}"
        when:
            - rhel_08_010383_priv_escalation.stdout | length > 0

      - name: "MEDIUM | RHEL-08-010383 | PATCH | RHEL 8 must use the invoking user's password for privilege escalation when using sudo. | Set privilege escalation for rootpw with findings"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: 'Defaults !rootpw'
            line: 'Defaults !rootpw'
            validate: '/usr/sbin/visudo -cf %s'
        with_items:
            - "{{ rhel_08_010383_priv_escalation.stdout_lines }}"
        when:
            - rhel_08_010383_priv_escalation.stdout | length > 0

      - name: "MEDIUM | RHEL-08-010383 | PATCH | RHEL 8 must use the invoking user's password for privilege escalation when using sudo. | Set privilege escalation for runaspw with findings"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: 'Defaults !runaspw'
            line: 'Defaults !runaspw'
            validate: '/usr/sbin/visudo -cf %s'
        with_items:
            - "{{ rhel_08_010383_priv_escalation.stdout_lines }}"
        when:
            - rhel_08_010383_priv_escalation.stdout | length > 0
  when:
      - rhel_08_010383
      - rhel8stig_disruption_high
  tags:
      - RHEL-08-010383
      - CAT2
      - CCI-002227
      - SRG-OS-000480-GPOS-00227
      - SV-237642r861086_rule
      - V-237642
      - sudo

- name: "MEDIUM | RHEL-08-010384 | PATCH | RHEL 8 must require re-authentication when using the sudo command."
  block:
      - name: "MEDIUM | RHEL-08-010384 | AUDIT | RHEL 8 must require re-authentication when using the sudo command. | Get files with timeout set"
        ansible.builtin.shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort
        changed_when: false
        failed_when: false
        register: rhel_08_010384_timeout_files

      - name: "MEDIUM | RHEL-08-010384 | PATCH | RHEL 8 must require re-authentication when using the sudo command. | Set value if no results"
        ansible.builtin.lineinfile:
            path: /etc/sudoers
            regexp: 'Defaults timestamp_timeout='
            line: "Defaults timestamp_timeout={{ rhel8stig_sudo_timestamp_timeout }}"
            validate: '/usr/sbin/visudo -cf %s'
        when: rhel_08_010384_timeout_files.stdout | length == 0

      - name: "MEDIUM | RHEL-08-010384 | PATCH | RHEL 8 must require re-authentication when using the sudo command. | Set value if has results"
        ansible.builtin.lineinfile:
            path: "{{ item }}"
            regexp: 'Defaults timestamp_timeout='
            line: "Defaults timestamp_timeout={{ rhel8stig_sudo_timestamp_timeout }}"
            validate: '/usr/sbin/visudo -cf %s'
        with_items:
            - "{{ rhel_08_010384_timeout_files.stdout_lines }}"
        when: rhel_08_010384_timeout_files.stdout | length > 0
  when:
      - rhel_08_010384
      - rhel8stig_disruption_high
  tags:
      - RHEL-08-010384
      - CAT2
      - CCI-002038
      - SRG-OS-000373-GPOS-00156
      - SV-237643r861088_rule
      - V-237643
      - sudo

- name: "MEDIUM | RHEL-08-010385 | PATCH | The RHEL 8 operating system must not be configured to bypass password requirements for privilege escalation."
  ansible.builtin.lineinfile:
      path: /etc/pam.d/sudo
      regex: 'pam_succeed_if'
      state: absent
  when:
      - rhel_08_010385
  tags:
      - RHEL-08-010385
      - CAT2
      - CCI-002038
      - SRG-OS-000373-GPOS-00156
      - SV-251712r810017_rule
      - V-251712