
---

#STIG Items RHEL8 V1R9 STIG


##
- name: RHEL8 initial
hosts: all
become: yes
tasks:
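- name: List root and regular users with /bin/bash shell
  # Read-only query, so it must never report "changed". Only accounts in the
  # UID range 0-6000 whose login shell is exactly /bin/bash are collected;
  # accounts using another shell are not seen by the tasks that consume this
  # list. The account *name* is printed, not the home directory.
  shell: >-
    getent passwd |
    awk -F: '($3 >= 0 && $3 <= 6000 && $7 == "/bin/bash") { print $1 }'
  register: users
  changed_when: false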
- name: Debug the list of users
  # Prints the account names registered by the previous task; shown at the
  # default verbosity so it appears on every run.
  debug:
    var: users.stdout_lines
    verbosity: 0

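- name: Find initialization files in user home directories
  # `patterns` is a shell glob here (use_regex is off), so ".*" selects the
  # dot-files in the top level of each home directory — the shell
  # initialization files this play is after. The path assumes every listed
  # account has its home under /home; root's /root is not covered.
  find:
    paths: "/home/{{ item }}"
    patterns: ".*"
    file_type: file
    hidden: true
  register: init_files
  loop: "{{ users.stdout_lines }}"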

- name: Debug the find results
  # Dumps the per-user find results (one entry per looped home directory);
  # shown at the default verbosity so it appears on every run.
  debug:
    var: init_files.results
    verbosity: 0

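- name: Set permissions for initialization files in user home directories
  # NOTE(review): despite its name this task changes no permissions — it is a
  # second, identical scan (same paths, pattern and registered variable) of
  # the "Find initialization files" task above. The mode change happens in
  # the next task; this one can be removed without changing the outcome.
  find:
    paths: "/home/{{ item }}"
    patterns: ".*"
    file_type: file
    hidden: true
  register: init_files
  loop: "{{ users.stdout_lines }}"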

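- name: Correct file permissions
  # The STIG wants initialization files at 0740 *or less permissive*. A
  # symbolic mode only strips the bits that exceed 0740 (group write/execute
  # and everything for "other"); the previous absolute '0740' would have
  # added group-read and owner-execute to files that were already tighter,
  # e.g. a 0600 .bash_history.
  file:
    path: "{{ item.path }}"
    mode: 'g-wx,o-rwx'
  loop: "{{ init_files.results | map(attribute='files') | flatten }}"
  loop_control:
    # Show just the path instead of the whole find entry per iteration.
    label: "{{ item.path }}"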

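- name: Ensure Tmux is installed
  # The tmux STIG items below depend on the package being present.
  # ignore_errors keeps the play going when repository metadata cannot be
  # fetched, but it also hides a failed install — the next task then drops a
  # profile script for a program that may be missing. Watch the play recap
  # for the ignored failure.
  yum:
    name: tmux
    state: present
  ignore_errors: true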
#tmux initialization script
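- name: transfer and execute tmux script
  # `copy` resolves a relative `src` against files/, never templates/, and
  # does not render Jinja — which is why `src: tmuxstig.sh.j2` kept under
  # templates/ was not found and an absolute control-node path was used
  # instead. `template` looks in templates/ and renders the .j2 file.
  # `dest` must be the full file name: /etc/profile.d/ is sourced at login
  # by every interactive shell, so the file is owned by root.
  template:
    src: tmuxstig.sh.j2
    dest: /etc/profile.d/tmuxstig.sh
    owner: root
    group: root
    mode: '0755'
  # Kept from the original; note it also hides a missing tmux profile script.
  ignore_errors: true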

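- name: Insert/update NTP settings in chrony.conf
  # `regexp` turns this into replace-or-insert: an existing (possibly
  # commented-out) "port N" directive is rewritten instead of a second,
  # conflicting one being appended. The pattern is anchored at the start of
  # the line so it cannot match "cmdport", and requires a numeric value so
  # prose comments mentioning "port" are left alone. No chronyd restart is
  # triggered in this play as shown.
  lineinfile:
    path: /etc/chrony.conf
    state: present
    regexp: '^\s*#?\s*port\s+\d+\s*$'
    insertafter: 'server 0.rhel.pool.ntp.org iburst maxpoll 10'
    line: 'port 0'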

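- name: Insert/update NTP settings in chrony.conf cmdport
  # Same replace-or-insert approach as the "port" task: an existing
  # "cmdport N" directive is rewritten rather than duplicated. The numeric
  # tail keeps prose comments from matching. No chronyd restart is triggered
  # in this play as shown.
  lineinfile:
    path: /etc/chrony.conf
    state: present
    regexp: '^\s*#?\s*cmdport\s+\d+\s*$'
    insertafter: 'port 0'
    line: 'cmdport 0'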

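- name: Check if PAM password history line exists in system-auth
  # grep -q exits 1 when the line is absent — the very case the next task
  # exists for — and `command` treats any non-zero rc as a failure, which
  # aborted the play on hosts that still needed the fix. Only rc 2 (file
  # missing/unreadable or bad pattern) is treated as an error.
  command: >-
    grep -q 'password\s\+requisite\s\+pam_pwhistory\.so\s\+use_authtok\s\+remember=5\s\+retry=3'
    /etc/pam.d/system-auth
  register: grep_system_auth
  changed_when: false
  failed_when: grep_system_auth.rc not in [0, 1]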

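- name: Add pam_pwhistory line before pam_unix.so in system-auth if it does not exist
  # Without insertbefore/insertafter the block was appended at end of file.
  # It is now placed before the last pam_unix.so "password" line: in the
  # stock RHEL 8 authselect profiles pam_unix.so is marked `sufficient`, so a
  # module placed *after* it in the password stack is never reached once
  # pam_unix succeeds, and the history check would not be enforced. Placed
  # before it, pam_pwhistory still follows pam_pwquality, which
  # `use_authtok` relies on. PAM splits fields on any run of whitespace, so
  # exact column alignment is not significant, but the entry must be one
  # line. The marker text is unchanged so hosts already carrying the block
  # are still recognised.
  # NOTE(review): with authselect in use, direct edits to this file are
  # reverted by `authselect apply-changes`; a custom authselect profile is
  # the durable way to carry this change — confirm how these hosts are managed.
  blockinfile:
    path: /etc/pam.d/system-auth
    marker: "# {mark} ANSIBLE MANAGED BLOCK AFTER PAM_UNIX"
    insertbefore: '^password\s+\S+\s+pam_unix\.so'
    block: |
      password    requisite     pam_pwhistory.so use_authtok remember=5 retry=3
    backup: true
  when: grep_system_auth.rc != 0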

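- name: Check if PAM password history line exists in password-auth
  # Same guard as the system-auth check: rc 1 means "not present" and must
  # not fail the play, otherwise the blockinfile task that adds the line is
  # never reached. Only rc 2 (file missing/unreadable or bad pattern) fails.
  command: >-
    grep -q 'password\s\+requisite\s\+pam_pwhistory\.so\s\+use_authtok\s\+remember=5\s\+retry=3'
    /etc/pam.d/password-auth
  register: grep_password_auth
  changed_when: false
  failed_when: grep_password_auth.rc not in [0, 1]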

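- name: Add pam_pwhistory line before pam_unix.so in password-auth if it does not exist
  # Mirrors the system-auth task. The block is inserted before the last
  # pam_unix.so "password" line rather than at end of file: with pam_unix.so
  # marked `sufficient` (stock RHEL 8 authselect profiles) anything after it
  # in the password stack is skipped once pam_unix succeeds. The PAM entry is
  # a single whitespace-separated line; alignment is cosmetic. The marker
  # text is unchanged so hosts already carrying the block are recognised.
  # NOTE(review): under authselect, `authselect apply-changes` reverts direct
  # edits to this file — confirm how these hosts are managed.
  blockinfile:
    path: /etc/pam.d/password-auth
    marker: "# {mark} ANSIBLE MANAGED BLOCK AFTER PAM_UNIX"
    insertbefore: '^password\s+\S+\s+pam_unix\.so'
    block: |
      password    requisite     pam_pwhistory.so use_authtok remember=5 retry=3
    backup: true
  when: grep_password_auth.rc != 0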

[JS1]This is where I get my FIRST error. It is actually on the ansible control node server — the ansible control server running the playbook itself — where I get this error: fatal: servername: FAILED! => {"changed": false, "msg": "Failed to download metadata for repo 'Centrify_xxxx': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried", "rc": 1, "results": []}
[JS2]Why is this skipped?
[JS3]This is in the document multiple times. I want to ensure it is added after the LAST occurrence — will this work?
[JS4]This document is very particular about spacing; will this get the spacing right?
