---

- name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users"
  when: ubtu24cis_rule_2_4_2_1
  tags:
    - level1-server
    - level1-workstation
    - patch
    - rule_2.4.2.1
    - NIST800-53R5_AC-3
    - NIST800-53R5_MP-2
    - cron
  block:
    - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | Remove at.deny"
      ansible.builtin.file:
        path: /etc/at.deny
        state: absent

    - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | Check for at.allow"
      ansible.builtin.stat:
        path: /etc/at.allow
      register: discovered_at_allow_status

    - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | Create at.allow if doesn't exist"
      when: not discovered_at_allow_status.stat.exists
      ansible.builtin.file:
        path: /etc/at.allow
        owner: root
        group: root
        mode: 'u-x,g-wx,o-rwx'
        state: touch

    - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users | update at.allow if exists"
      when: discovered_at_allow_status.stat.exists
      ansible.builtin.file:
        path: /etc/at.allow
        owner: root
        group: root
        mode: 'u-x,g-wx,o-rwx'