added improvement to 5.2.4

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

defaults/main.yml

@@ -899,6 +899,13 @@ ubtu24cis_sudo_package: "sudo"
 ## Control 5.2.3
 # This variable defines the path and file name of the sudo log file.
 ubtu24cis_sudo_logfile: "/var/log/sudo.log"
+
+## control 5.2.4 sudoers NOPASSWD
+# This will leave NOPASSWD intact for these users
+ubtu24cis_sudoers_exclude_nopasswd_list:
+  - ec2-user
+  - vagrant
+
 ##  Control 5.2.6
 # This variable sets the duration (in minutes) during which a user's authentication credentials
 # are cached after successfully authenticating using "sudo". This allows the user to execute

tasks/section_5/cis_5.2.x.yml

@@ -57,12 +57,22 @@
     - sudo
     - rule_5.2.4
     - NIST800-53R5_AC-6
-  ansible.builtin.replace:
-    path: "{{ item }}"
-    regexp: '^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)'
-    replace: '\1PASSWD\2'
-    validate: '/usr/sbin/visudo -cf %s'
-  loop: "{{ prelim_sudoers_files.stdout_lines }}"
+  block:
+    - name: "5.2.4 | AUDIT | Ensure users must provide password for escalation | discover accts with NOPASSWD"
+      ansible.builtin.shell: grep -Ei '(nopasswd)' /etc/sudoers /etc/sudoers.d/* | cut -d':' -f1
+      become: true
+      changed_when: false
+      failed_when: false
+      register: discovered_sudoers_nopasswd
+
+    - name: "5.2.4 | PATCH | Ensure users must provide password for escalation"
+      when: discovered_sudoers_nopasswd.stdout | length > 0
+      ansible.builtin.replace:
+        path: "{{ item }}"
+        regexp: '^((?!#|{% for name in ubtu24cis_sudoers_exclude_nopasswd_list %}{{ name }}{% if not loop.last -%}|{%- endif -%}{% endfor %}).*)NOPASSWD(.*)'
+        replace: '\1PASSWD\2'
+        validate: '/usr/sbin/visudo -cf %s'
+      loop: "{{ discovered_sudoers_nopasswd.stdout_lines }}"
 
 - name: "5.2.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally"
   when: