Scrip

The document contains a YAML playbook to configure security settings on RHEL8 systems. It checks for existing users and initialization files, corrects file permissions, installs tmux, configures NTP settings, and ensures password history requirements are set in PAM configuration files.

---

#STIG Items RHEL8 V1R9 STIG


##
- name: RHEL8 initial
  hosts: all
  become: yes
  tasks:
    - name: List root and regular users with /bin/bash shell
      shell: "getent passwd | awk -F: '($3 >= 0 && $3 <= 6000 && $7 == \"/bin/bash\") { print $1 }'"
      register: users
      changed_when: false

    - name: Debug the list of users
      debug:
        var: users.stdout_lines

    # patterns is a shell glob unless use_regex is set, so ".*" together with
    # hidden: yes selects the dotfiles (the local initialization files)
    - name: Find initialization files in user home directories
      find:
        paths: "/home/{{ item }}"
        patterns: ".*"
        file_type: file
        hidden: yes
      register: init_files
      loop: "{{ users.stdout_lines }}"

    - name: Debug the find results
      debug:
        var: init_files.results

    # STIG: local initialization files must be 0740 or less permissive
    - name: Correct file permissions
      file:
        path: "{{ item.path }}"
        mode: '0740'
      loop: "{{ init_files.results | map(attribute='files') | flatten }}"

    - name: Ensure Tmux is installed
      yum:
        name: tmux
        state: present
      # ignore_errors lets the play continue past a repo failure, but the task
      # still prints "fatal: ... FAILED!" before "...ignoring"
      ignore_errors: yes

    #tmux initialization script
    # copy resolves a relative src under files/, not templates/, which is why
    # "src: tmuxstig.sh.j2" was not found; a .j2 kept in templates/ belongs to
    # the template module. An absolute src (e.g. /etc/profile.d/tmuxstig.sh)
    # is read from the control node, not from the managed host.
    - name: transfer and execute tmux script[JS1]
      template:
        src: tmuxstig.sh.j2
        dest: /etc/profile.d/tmuxstig.sh
        mode: '0755'
      ignore_errors: yes

    # chronyd must neither serve time (port 0) nor accept remote commands (cmdport 0);
    # regexp makes the task replace an existing port/cmdport line instead of adding a second one
    - name: Insert/update NTP settings in chrony.conf
      lineinfile:
        path: /etc/chrony.conf
        state: present
        regexp: '^port\s'
        insertafter: '^server 0\.rhel\.pool\.ntp\.org iburst maxpoll 10'
        line: 'port 0'

    - name: Insert/update NTP settings in chrony.conf cmdport
      lineinfile:
        path: /etc/chrony.conf
        state: present
        regexp: '^cmdport\s'
        insertafter: '^port 0'
        line: 'cmdport 0'

    # Note: on RHEL 8 system-auth and password-auth are generated by authselect;
    # edits made directly to the files are lost when a profile is re-applied
    # unless they are made in a custom authselect profile.
    - name: Check if PAM password history line exists in system-auth
      command: grep -q 'password\s\+requisite\s\+pam_pwhistory\.so\s\+use_authtok\s\+remember=5\s\+retry=3' /etc/pam.d/system-auth
      register: grep_system_auth
      changed_when: false
      # grep exits 1 when the line is absent; without this the task fails and the play stops
      failed_when: grep_system_auth.rc > 1

    # Without insertbefore/insertafter, blockinfile appends at end of file. That
    # lands after "password sufficient pam_unix.so", and a sufficient module that
    # succeeds ends the stack, so pwhistory would never run. insertbefore matches
    # only the pam_unix.so line of the password stack (the line must stay on one
    # line; PAM treats a split line as a broken entry).
    - name: Add pam_pwhistory line before pam_unix.so in the system-auth password stack if it does not exist
      blockinfile:
        path: /etc/pam.d/system-auth
        marker: "# {mark} ANSIBLE MANAGED BLOCK BEFORE PAM_UNIX"
        insertbefore: '^password\s+\S+\s+pam_unix\.so'
        block: |
          password requisite pam_pwhistory.so use_authtok remember=5 retry=3
        backup: yes
      when: grep_system_auth.rc != 0  # [JS2]

    - name: Check if PAM password history line exists in password-auth
      command: grep -q 'password\s\+requisite\s\+pam_pwhistory\.so\s\+use_authtok\s\+remember=5\s\+retry=3' /etc/pam.d/password-auth
      register: grep_password_auth
      changed_when: false
      failed_when: grep_password_auth.rc > 1

    - name: Add pam_pwhistory line before pam_unix.so [JS3] in the password-auth password stack if it does not exist
      blockinfile:
        path: /etc/pam.d/password-auth
        marker: "# {mark} ANSIBLE MANAGED BLOCK BEFORE PAM_UNIX"
        insertbefore: '^password\s+\S+\s+pam_unix\.so'
        block: |  # [JS4]
          password requisite pam_pwhistory.so use_authtok remember=5 retry=3
        backup: yes
      when: grep_password_auth.rc != 0

[JS1] This is where I get my FIRST error. It is actually on the Ansible control node server / it's the Ansible control server, the one running the playbook itself, where I get this error: fatal: servername: FAILED! => {"changed": false, "msg": "Failed to download metadata for repo 'Centrify_xxxx': Cannot download repomd.xml: Cannot download repodata/repomd.xml: All mirrors were tried", "rc": 1, "results": []}
[JS2]Why is this skipped?
[JS3] This is in the document multiple times. I want to ensure it is added after the LAST occurrence; will this work?
[JS4] This document is very particular about spacing; will this get the spacing right?
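The questions above are about where the pam_pwhistory.so line ends up and whether its spacing is right, but the check the playbook runs (a grep for the line) says nothing about whether PAM ever reaches it. As an added example that is not part of the original playbook, the Python below parses the password stack of two constructed pam.d samples (modelled on the layout authselect generates on RHEL 8, not copied from any host) and walks them with the simple control-flag rules from pam.conf(5). It shows that a pwhistory line appended at end of file, after "password sufficient pam_unix.so", passes the grep-style check yet is never consulted, while the same line placed before pam_unix.so is. Field spacing is collapsed during parsing, so PAM's tolerance of extra whitespace is reflected as well.

```python
"""Added example (not part of the original playbook): a minimal walker for
the PAM 'password' stack that shows why the placement of the
pam_pwhistory.so line matters, not just its presence or spacing.

The two sample files below are constructed for this example, modelled on
the layout authselect generates on RHEL 8; they are not copied from a host.
"""
import re

# Constructed sample 1: the pwhistory block appended at end of file, which is
# where blockinfile puts it when no insertbefore/insertafter is given.
APPENDED_AT_EOF = """\
auth        sufficient    pam_unix.so try_first_pass nullok
account     required      pam_unix.so
password    requisite     pam_pwquality.so try_first_pass local_users_only
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
session     required      pam_unix.so
# BEGIN ANSIBLE MANAGED BLOCK AFTER PAM_UNIX
password requisite pam_pwhistory.so use_authtok remember=5 retry=3
# END ANSIBLE MANAGED BLOCK AFTER PAM_UNIX
"""

# Constructed sample 2: the same line placed before pam_unix.so in the
# password stack (the ordering an insertbefore on pam_unix.so produces).
INSERTED_BEFORE_PAM_UNIX = """\
auth        sufficient    pam_unix.so try_first_pass nullok
account     required      pam_unix.so
password    requisite     pam_pwquality.so try_first_pass local_users_only
password requisite pam_pwhistory.so use_authtok remember=5 retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
session     required      pam_unix.so
"""

# type, control (keyword or [bracketed]), module, optional args; a leading
# '-' on the type (pam.conf(5) "silent if missing") is tolerated.
LINE_RE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_stack(text, stack_type="password"):
    """Return [(control, module, args)] for one stack type, in file order.

    Whitespace between fields is collapsed, so the extra spaces of the
    authselect layout make no difference to the result.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m and m.group(1) == stack_type:
            entries.append((m.group(2).lower(), m.group(3), m.group(4) or ""))
    return entries


def modules_consulted(entries):
    """Modules libpam would call, in order, assuming each returns success.

    Simple-control semantics from pam.conf(5): 'sufficient' returns success
    to the application immediately when no earlier 'required' module failed,
    so nothing after it runs; required/requisite/optional fall through on
    success. Bracketed controls are treated as fall-through (an approximation
    that holds for the common success=ok case).
    """
    called = []
    for control, module, _args in entries:
        called.append(module)
        if control == "sufficient":
            break
    return called


def pwhistory_enforced(text):
    """True only if pam_pwhistory.so is reached on a normal password change."""
    return "pam_pwhistory.so" in modules_consulted(parse_stack(text))


def pwhistory_args_ok(text, remember=5, retry=3):
    """Presence check on the line's arguments (what the playbook's grep tests)."""
    for _control, module, args in parse_stack(text):
        if module == "pam_pwhistory.so":
            opts = set(args.split())
            return {"use_authtok", f"remember={remember}", f"retry={retry}"} <= opts
    return False


if __name__ == "__main__":
    for label, sample in (("appended at EOF", APPENDED_AT_EOF),
                          ("inserted before pam_unix", INSERTED_BEFORE_PAM_UNIX)):
        print(f"{label}: args_ok={pwhistory_args_ok(sample)} "
              f"enforced={pwhistory_enforced(sample)} "
              f"consulted={modules_consulted(parse_stack(sample))}")
```

Running it prints that the end-of-file sample has the correct arguments but is not enforced (only pam_pwquality.so and pam_unix.so are consulted), while the sample with the line before pam_unix.so is enforced. The same walker can be pointed at a real /etc/pam.d/system-auth or password-auth after the playbook runs to confirm the ordering rather than only the text of the line.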