updated loop for 6.2.10 to use interactive users

defaults/main.yml

@@ -773,9 +773,6 @@ rhel8cis_inactivelock:
 # Allow ansible to expire password for account with a last changed date in the future. False will just display users in violation, true will expire those users passwords
 rhel8cis_futurepwchgdate_autofix: true
 
-rhel8uid_uid_start: 1000
-rhel8uid_uid_stop: 60000
-
 ## Section5 vars
 
 ## Preferred method of logging
@@ -803,6 +800,19 @@ rhel8cis_auditd:
     admin_space_left_action: single
     max_log_file_action: keep_logs
 
+# UID settings for interactive users
+# These are discovered via logins.def if set true
+discover_int_uid: true
+### Controls:
+# This variable sets the minimum number from which to search for UID
+# Note that the value will be dynamically overwritten if variable `discover_int_uid` has
+# been set to `true`.
+min_int_uid: 1000
+### Controls:
+# Note that the value will be dynamically overwritten if variable `discover_int_uid` has
+# been set to `true`.
+max_int_uid: 65533
+
 # This can be used to configure other keys in auditd.conf
 rhel8cis_auditd_extra_conf: {}
 # Example:

handlers/main.yml

@@ -74,7 +74,7 @@
       state: restarted
 
 - name: Rebuild_grub
-  ansible.builtin.shell: "grub2-mkconfig -o {{ discovered_grub_cfg.stat.lnk_source }}"
+  ansible.builtin.shell: "grub2-mkconfig -o {{ prelim_grub_cfg.stat.lnk_source }}"
   ignore_errors: true  # noqa ignore-errors
   notify: Change_requires_reboot
   tags:

tasks/prelim.yml

@@ -16,23 +16,40 @@
   ansible.builtin.shell: >
       grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $1 }'
   changed_when: false
-  register: discovered_interactive_usernames
+  register: prelim_interactive_usernames
 
 - name: "PRELIM | AUDIT | Interactive User accounts home directories"
   tags:
       - always
   ansible.builtin.shell: >
       grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $6 }'
   changed_when: false
-  register: discovered_interactive_users_home
+  register: prelim_interactive_users_home
 
 - name: "PRELIM | AUDIT | Interactive UIDs"
   tags:
       - always
   ansible.builtin.shell: >
       grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $3 }'
   changed_when: false
-  register: discovered_interactive_uids
+  register: prelim_interactive_uids
+
+- name: "PRELIM | Discover Interactive UID MIN and MIN from logins.def"
+  block:
+      - name: "PRELIM | Capture UID_MIN information from logins.def"
+        ansible.builtin.shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}'
+        changed_when: false
+        register: prelim_uid_min_id
+
+      - name: "PRELIM | Capture UID_MAX information from logins.def"
+        ansible.builtin.shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}'
+        changed_when: false
+        register: prelim_uid_max_id
+
+      - name: "PRELIM | set_facts for interactive uid/gid"
+        ansible.builtin.set_fact:
+            min_int_uid: "{{ prelim_uid_min_id.stdout }}"
+            max_int_uid: "{{ prelim_uid_max_id.stdout }}"
 
 - name: "PRELIM | AUDIT | Set facts based on boot type"
   tags:
@@ -41,17 +58,17 @@
       - name: "PRELIM | AUDIT | Check whether machine is UEFI-based"
         ansible.builtin.stat:
             path: /sys/firmware/efi
-        register: discovered_efi_boot
+        register: prelim_efi_boot
 
       - name: "PRELIM | AUDIT | set legacy boot and grub path fact | Bios"
-        when: not discovered_efi_boot.stat.exists
+        when: not prelim_efi_boot.stat.exists
         ansible.builtin.set_fact:
             rhel8cis_legacy_boot: true
             grub2_path: /etc/grub2.cfg
             rhel8cis_boot_path: /boot/grub2/
 
       - name: "PRELIM | AUDIT | set grub fact | UEFI"
-        when: discovered_efi_boot.stat.exists
+        when: prelim_efi_boot.stat.exists
         ansible.builtin.set_fact:
             grub2_path: /etc/grub2-efi.cfg
             rhel8cis_boot_path: "/boot/efi/EFI/{{ansible_facts.distribution | lower }}/"
@@ -62,7 +79,7 @@
   ansible.builtin.stat:
       path: "{{ grub2_path }}"
   changed_when: false
-  register: discovered_grub_cfg
+  register: prelim_grub_cfg
 
 - name: "PRELIM | AUDIT | Gather the package facts before prelim"
   tags:
@@ -106,8 +123,8 @@
       - always
   ansible.builtin.shell: findmnt -kn /dev/shm
   changed_when: false
-  failed_when: discovered_dev_shm_present.rc not in [ 0, 1 ]
-  register: discovered_dev_shm_present
+  failed_when: prelim_dev_shm_present.rc not in [ 0, 1 ]
+  register: prelim_dev_shm_present
 
 - name: "PRELIM | AUDIT | systemd coredump file check"
   when:
@@ -116,7 +133,7 @@
       - always
   ansible.builtin.stat:
       path: /etc/systemd/coredump.conf
-  register: discovered_systemd_coredump
+  register: prelim_systemd_coredump
 
 - name: "PRELIM | AUDIT | Ensure crypto-policies-scripts package is installed"
   when: "'crypto-policies-scripts' not in ansible_facts.packages"
@@ -134,16 +151,16 @@
         ansible.builtin.shell: 'update-crypto-policies --show'
         changed_when: false
         check_mode: false
-        register: discovered_system_wide_crypto_policy
+        register: prelim_system_wide_crypto_policy
 
       - name: "PRELIM | AUDIT | Gather system-wide crypto-policy | set fact for crypto policy"
         ansible.builtin.set_fact:
-            current_crypto_policy: "{{ discovered_system_wide_crypto_policy.stdout.split(':')[0] }}"
+            current_crypto_policy: "{{ prelim_system_wide_crypto_policy.stdout.split(':')[0] }}"
 
       - name: "PRELIM | AUDIT | Gather system-wide crypto-policy module | set fact for crypto submodule"
-        when: "':' in discovered_system_wide_crypto_policy.stdout"
+        when: "':' in prelim_system_wide_crypto_policy.stdout"
         ansible.builtin.set_fact:
-            current_crypto_module: "{{ discovered_system_wide_crypto_policy.stdout.split(':')[1] }}"
+            current_crypto_module: "{{ prelim_system_wide_crypto_policy.stdout.split(':')[1] }}"
 
 - name: "PRELIM | PATCH | Install dconf if gui"
   when:
@@ -174,7 +191,7 @@
   changed_when: false
   failed_when: false
   check_mode: false
-  register: discovered_sudoers_files
+  register: prelim_sudoers_files
 
 - name: "PRELIM | AUDIT | Check authselect package versions"
   tags:
@@ -234,7 +251,7 @@
   ansible.builtin.shell: >
       grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $6 }'
   changed_when: false
-  register: discovered_interactive_users_home
+  register: prelim_interactive_users_home
 
 - name: "PRELIM | PATCH | Section 5.1 | Configure System Accounting (auditd)"
   when:
@@ -249,8 +266,8 @@
 - name: "PRELIM | AUDIT | 5.2.4.x | Ensure audit log files are mode 0640 or less permissive | discover file"
   ansible.builtin.shell: "grep ^log_file /etc/audit/auditd.conf | awk '{ print $NF }'"
   changed_when: false
-  failed_when: discovered_audit_logfile.rc not in [0, 1]
-  register: discovered_audit_logfile
+  failed_when: prelim_audit_logfile.rc not in [0, 1]
+  register: prelim_audit_logfile
   when:
       - rhel8cis_rule_5_2_4_1
       - rhel8cis_rule_5_2_4_2
@@ -284,18 +301,18 @@
       file_type: file
       recurse: true
       patterns: '*.conf,*.rules'
-  register: discovered_auditd_conf_files
+  register: prelim_auditd_conf_files
 
 - name: "PRELIM | AUDIT | Gather UID 0 accounts other than root"
   when:
       - rhel8cis_rule_6_2_9
   tags:
       - always
   ansible.builtin.shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit 1}'"
-  failed_when: discovered_uid_zero_accounts_except_root.rc not in [ 0, 1 ]
+  failed_when: prelim_uid_zero_accounts_except_root.rc not in [ 0, 1 ]
   changed_when: false
   check_mode: false
-  register: discovered_uid_zero_accounts_except_root
+  register: prelim_uid_zero_accounts_except_root
 
 ##### Optional #####
 
@@ -322,11 +339,11 @@
       - name: "PRELIM | Optional | If IPv6 disable to stop chronyd listening | Check existence"
         ansible.builtin.shell: grep -E "OPTIONS=.*-4" /etc/sysconfig/chronyd
         changed_when: false
-        failed_when: discovered_chrony_ipv6_exists.rc not in [ 0, 1]
-        register: discovered_chrony_ipv6_exists
+        failed_when: prelim_chrony_ipv6_exists.rc not in [ 0, 1]
+        register: prelim_chrony_ipv6_exists
 
       - name: "PRELIM | Optional | If IPv6 disable to stop chronyd listening"
-        when: discovered_chrony_ipv6_exists.stdout | length == 0
+        when: prelim_chrony_ipv6_exists.stdout | length == 0
         ansible.builtin.lineinfile:
             path: /etc/sysconfig/chronyd
             regexp: '^OPTIONS="(?!.* -4.*)(.*)"'

tasks/section_1/cis_1.1.2.2.x.yml

@@ -18,12 +18,12 @@
   block:
 
       - name: "1.1.2.2.1 | PATCH | Ensure /dev/shm is a separate partition | Absent"
-        when: discovered_dev_shm_present is undefined
+        when: prelim_dev_shm_present is undefined
         ansible.builtin.debug:
             msg: "Warning!! {{ required_mount }} is not mounted on a separate partition"
 
       - name: "1.1.2.2.1 | PATCH | Ensure /dev/shm is a separate partition | Present"
-        when: discovered_dev_shm_present is undefined
+        when: prelim_dev_shm_present is undefined
         ansible.builtin.import_tasks:
             file: warning_facts.yml
 
@@ -32,7 +32,7 @@
           1.1.2.2.3 | PATCH | Ensure nosuid option set on /dev/shm partition
           1.1.2.2.4 | PATCH | Ensure noexec option set on /dev/shm partition"
   when:
-      - discovered_dev_shm_present is defined
+      - prelim_dev_shm_present is defined
       - rhel8cis_rule_1_1_2_2_2 or
         rhel8cis_rule_1_1_2_2_3 or
         rhel8cis_rule_1_1_2_2_4

tasks/section_1/cis_1.3.x.yml

@@ -24,8 +24,8 @@
 - name: "1.3.2 | PATCH | Ensure permissions on bootloader config are configured"
   when:
       - rhel8cis_rule_1_3_2
-      - discovered_grub_cfg.stat.exists
-      - discovered_grub_cfg.stat.islnk
+      - prelim_grub_cfg.stat.exists
+      - prelim_grub_cfg.stat.islnk
   tags:
       - level1-server
       - level1-workstation

tasks/section_1/cis_1.4.x.yml

@@ -66,7 +66,7 @@
 - name: "1.4.4 | PATCH | Ensure core dump storage is disabled"
   when:
       - rhel8cis_rule_1_4_4
-      - discovered_systemd_coredump.stat.exists
+      - prelim_systemd_coredump.stat.exists
   tags:
       - level1-server
       - level1-workstation

tasks/section_1/cis_1.6.x.yml

@@ -18,15 +18,15 @@
 
       - name: "1.6.1 | PATCH | Ensure system-wide crypto policy is not legacy"
         when:
-            - rhel8cis_full_crypto_policy not in discovered_system_wide_crypto_policy.stdout
+            - rhel8cis_full_crypto_policy not in prelim_system_wide_crypto_policy.stdout
         ansible.builtin.shell: |
             update-crypto-policies --set "{{ rhel8cis_full_crypto_policy }}"
             update-crypto-policies
 
 - name: "1.6.2 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support"
   when:
       - rhel8cis_rule_1_6_2
-      - "'NO-SHA1' not in discovered_system_wide_crypto_policy.stdout"
+      - "'NO-SHA1' not in prelim_system_wide_crypto_policy.stdout"
   tags:
       - level1-server
       - level1-workstation
@@ -47,7 +47,7 @@
 - name: "1.6.3 | PATCH | Ensure system wide crypto policy disables cbc for ssh"
   when:
       - rhel8cis_rule_1_6_3
-      - "'NO-SSHCBC' not in discovered_system_wide_crypto_policy.stdout"
+      - "'NO-SSHCBC' not in prelim_system_wide_crypto_policy.stdout"
   tags:
       - level1-server
       - level1-workstation
@@ -68,7 +68,7 @@
 - name: "1.6.4 | PATCH | Ensure system wide crypto policy disables macs less than 128 bits"
   when:
       - rhel8cis_rule_1_6_4
-      - "'NO-WEAKMAC' not in discovered_system_wide_crypto_policy.stdout"
+      - "'NO-WEAKMAC' not in prelim_system_wide_crypto_policy.stdout"
   tags:
       - level1-server
       - level1-workstation

tasks/section_4/cis_4.3.x.yml

@@ -64,7 +64,7 @@
       regexp: '^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)'
       replace: '\1PASSWD\2'
       validate: '/usr/sbin/visudo -cf %s'
-  loop: "{{ discovered_sudoers_files.stdout_lines }}"
+  loop: "{{ prelim_sudoers_files.stdout_lines }}"
 
 - name: "4.3.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally"
   when:
@@ -82,7 +82,7 @@
       regexp: '^([^#].*)!authenticate(.*)'
       replace: '\1authenticate\2'
       validate: '/usr/sbin/visudo -cf %s'
-  loop: "{{ discovered_sudoers_files.stdout_lines }}"
+  loop: "{{ prelim_sudoers_files.stdout_lines }}"
 
 - name: "4.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly"
   when:

tasks/section_4/cis_4.5.2.x.yml

@@ -53,7 +53,7 @@
   block:
       - name: "4.5.2.3 | PATCH | | Ensure system accounts are secured | Set nologin"
         when:
-            - item.id not in discovered_interactive_usernames.stdout
+            - item.id not in prelim_interactive_usernames.stdout
             - "'root' not in item.id"
         ansible.builtin.user:
             name: "{{ item.id }}"
@@ -64,7 +64,7 @@
 
       - name: "4.5.2.3 | PATCH | | Ensure system accounts are secured | Lock accounts"
         when:
-            - "item.id not in discovered_interactive_usernames.stdout"
+            - "item.id not in prelim_interactive_usernames.stdout"
             - "'root' not in item.id"
         ansible.builtin.user:
             name: "{{ item.id }}"

tasks/section_5/cis_5.2.4.x.yml

@@ -10,7 +10,7 @@
       - auditd
       - rule_5.2.4.1
   ansible.builtin.file:
-      path: "{{ discovered_audit_logfile.stdout | dirname }}"
+      path: "{{ prelim_audit_logfile.stdout | dirname }}"
       state: directory
       mode: 'g-w,o-rwx'
 
@@ -33,7 +33,7 @@
   block:
       - name: "5.2.4.2 | AUDIT | Ensure audit log files are mode 0640 or less permissive | stat file"
         ansible.builtin.stat:
-            path: "{{ discovered_audit_logfile.stdout }}"
+            path: "{{ prelim_audit_logfile.stdout }}"
         changed_when: false
         register: discovered_auditlog_info
 
@@ -42,7 +42,7 @@
             "5.2.4.3 | PATCH | Ensure only authorized users own audit log files"
             "5.2.4.4 | PATCH | Ensure only authorized groups are assigned ownership of audit log files"
         ansible.builtin.file:
-            path: "{{ discovered_audit_logfile.stdout }}"
+            path: "{{ prelim_audit_logfile.stdout }}"
             mode: 'o-x,g-wx,o-rwx'
             owner: root
             group: root
@@ -59,7 +59,7 @@
   ansible.builtin.file:
       path: "{{ item.path }}"
       mode: 'g-wx,o-rwx'
-  loop: "{{ discovered_auditd_conf_files.files }}"
+  loop: "{{ prelim_auditd_conf_files.files }}"
   loop_control:
       label: "{{ item.path }}"
 
@@ -75,7 +75,7 @@
   ansible.builtin.file:
       path: "{{ item.path }}"
       owner: root
-  loop: "{{ discovered_auditd_conf_files.files }}"
+  loop: "{{ prelim_auditd_conf_files.files }}"
   loop_control:
       label: "{{ item.path }}"
 
@@ -91,7 +91,7 @@
   ansible.builtin.file:
       path: "{{ item.path }}"
       group: root
-  loop: "{{ discovered_auditd_conf_files.files }}"
+  loop: "{{ prelim_auditd_conf_files.files }}"
   loop_control:
       label: "{{ item.path }}"