--- - name: "2.4.1.1 | PATCH | Ensure cron daemon is enabled and running" when: ubtu24cis_rule_2_4_1_1 tags: - level1-server - level1-workstation - patch - rule_2.4.1.1 - NIST800-53R5_CM-1 - NIST800-53R5_CM-2 - NIST800-53R5_CM-6 - NIST800-53R5_CM-7 - NIST800-53R5_IA-5 - cron ansible.builtin.systemd: name: cron state: started enabled: true - name: "2.4.1.2 | PATCH | Ensure permissions on /etc/crontab are configured" when: ubtu24cis_rule_2_4_1_2 tags: - level1-server - level1-workstation - patch - rule_2.4.1.2 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - cron ansible.builtin.file: path: /etc/crontab owner: root group: root mode: 'go-rwx' - name: "2.4.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured" when: ubtu24cis_rule_2_4_1_3 tags: - level1-server - level1-workstation - patch - rule_2.4.1.3 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - cron ansible.builtin.file: path: /etc/cron.hourly owner: root group: root mode: 'u+x,go-rwx' state: directory - name: "2.4.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured" when: ubtu24cis_rule_2_4_1_4 tags: - level1-server - level1-workstation - patch - rule_2.4.1.4 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - cron ansible.builtin.file: path: /etc/cron.daily owner: root group: root mode: 'u+x,go-rwx' state: directory - name: "2.4.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured" when: ubtu24cis_rule_2_4_1_5 tags: - level1-server - level1-workstation - patch - rule_2.4.1.5 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - cron ansible.builtin.file: path: /etc/cron.weekly owner: root group: root mode: 'u+x,go-rwx' state: directory - name: "2.4.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured" when: ubtu24cis_rule_2_4_1_6 tags: - level1-server - level1-workstation - patch - rule_2.4.1.6 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - cron ansible.builtin.file: path: /etc/cron.monthly owner: root group: root mode: 'u+x,go-rwx' state: directory - name: "2.4.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured" when: ubtu24cis_rule_2_4_1_7 tags: - level1-server - level1-workstation - patch - rule_2.4.1.7 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - cron ansible.builtin.file: path: /etc/cron.d owner: root group: root mode: 'u+x,go-rwx' state: directory - name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users" when: ubtu24cis_rule_2_4_1_8 tags: - level1-server - level1-workstation - patch - rule_2.4.1.8 - NIST800-53R5_AC-3 - NIST800-53R5_MP-2 - cron block: - name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users | Remove cron.deny" ansible.builtin.file: path: /etc/cron.deny state: absent - name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users | Check for cron.allow" ansible.builtin.stat: path: /etc/cron.allow register: discovered_cron_allow_status - name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users | Create cron.allow if doesn't exist" when: not discovered_cron_allow_status.stat.exists ansible.builtin.file: path: /etc/cron.allow owner: root group: root mode: 'u-x,g-wx,o-rwx' state: touch - name: "2.4.1.8 | PATCH | Ensure cron is restricted to authorized users | Update cron.allow if exists" when: discovered_cron_allow_status.stat.exists ansible.builtin.file: path: /etc/cron.allow owner: root group: root mode: 'u-x,g-wx,o-rwx'