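---
# CIS Ubuntu 24.04 section 7.1 — ownership and permissions of the account
# database files, followed by the world-writable, unowned and SUID/SGID sweeps.
# Every task is gated on its own ubtu24cis_rule_7_1_N switch.  The modes below
# are symbolic and only use '-' operations, so a run can only clear bits; an
# already stricter mode is left as it is.

- name: "7.1.1 | PATCH | Ensure permissions on /etc/passwd are configured"
  when: ubtu24cis_rule_7_1_1
  tags:
    - level1-server
    - level1-workstation
    - patch
    - permissions
    - rule_7.1.1
    - NIST800-53R5_AC-3
    - NIST800-53R5_MP-2
  ansible.builtin.file:
    path: /etc/passwd
    owner: root
    group: root
    mode: 'u-x,go-wx'

- name: "7.1.2 | PATCH | Ensure permissions on /etc/passwd- are configured"
  when: ubtu24cis_rule_7_1_2
  tags:
    - level1-server
    - level1-workstation
    - patch
    - permissions
    - rule_7.1.2
    - NIST800-53R5_AC-3
    - NIST800-53R5_MP-2
  ansible.builtin.file:
    path: /etc/passwd-
    owner: root
    group: root
    mode: 'u-x,go-wx'

- name: "7.1.3 | PATCH | Ensure permissions on /etc/group are configured"
  when: ubtu24cis_rule_7_1_3
  tags:
    - level1-server
    - level1-workstation
    - patch
    - permissions
    - rule_7.1.3
    - NIST800-53R5_AC-3
    - NIST800-53R5_MP-2
  ansible.builtin.file:
    path: /etc/group
    owner: root
    group: root
    mode: 'u-x,go-wx'

- name: "7.1.4 | PATCH | Ensure permissions on /etc/group- are configured"
  when: ubtu24cis_rule_7_1_4
  # Tag was misspelled "permissionss", so `--tags permissions` skipped this task.
  tags:
    - level1-server
    - level1-workstation
    - patch
    - permissions
    - rule_7.1.4
    - NIST800-53R5_AC-3
    - NIST800-53R5_MP-2
  ansible.builtin.file:
    path: /etc/group-
    owner: root
    group: root
    mode: 'u-x,go-wx'

# The shadow files additionally drop all "other" access: they hold password
# hashes, so only root and the owning group may read them.
- name: "7.1.5 | PATCH | Ensure permissions on /etc/shadow are configured"
  when: ubtu24cis_rule_7_1_5
  tags:
    - level1-server
    - level1-workstation
    - patch
    - permissions
    - rule_7.1.5
    - NIST800-53R5_AC-3
    - NIST800-53R5_MP-2
  ansible.builtin.file:
    path: /etc/shadow
    owner: root
    group: root
    mode: 'u-x,g-wx,o-rwx'

- name: "7.1.6 | PATCH | Ensure permissions on /etc/shadow- are configured"
  when: ubtu24cis_rule_7_1_6
  tags:
    - level1-server
    - level1-workstation
    - patch
    - permissions
    - rule_7.1.6
    - NIST800-53R5_AC-3
    - NIST800-53R5_MP-2
  ansible.builtin.file:
    path: /etc/shadow-
    owner: root
    group: root
    mode: 'u-x,g-wx,o-rwx'

- name: "7.1.7 | PATCH | Ensure permissions on /etc/gshadow are configured"
  when: ubtu24cis_rule_7_1_7
  tags:
    - level1-server
    - level1-workstation
    - patch
    - permissions
    - rule_7.1.7
    - NIST800-53R5_AC-3
    - NIST800-53R5_MP-2
  ansible.builtin.file:
    path: /etc/gshadow
    owner: root
    group: root
    mode: 'u-x,g-wx,o-rwx'

- name: "7.1.8 | PATCH | Ensure permissions on /etc/gshadow- are configured"
  when: ubtu24cis_rule_7_1_8
  tags:
    - level1-server
    - level1-workstation
    - patch
    - permissions
    - rule_7.1.8
    - NIST800-53R5_AC-3
    - NIST800-53R5_MP-2
  ansible.builtin.file:
    path: /etc/gshadow-
    owner: root
    group: root
    mode: 'u-x,g-wx,o-rwx'

- name: "7.1.9 | PATCH | Ensure permissions on /etc/shells are configured"
  when: ubtu24cis_rule_7_1_9
  tags:
    - level1-server
    - level1-workstation
    - patch
    - permissions
    - rule_7.1.9
    - NIST800-53R5_AC-3
    - NIST800-53R5_MP-2
  ansible.builtin.file:
    path: /etc/shells
    owner: root
    group: root
    mode: 'u-x,go-wx'

- name: "7.1.10 | PATCH | Ensure permissions on /etc/security/opasswd are configured"
  when: ubtu24cis_rule_7_1_10
  tags:
    - level1-server
    - level1-workstation
    - patch
    - permissions
    - rule_7.1.10
    - NIST800-53R5_AC-3
    - NIST800-53R5_MP-2
  # Password-history files: nobody but root may read them.
  ansible.builtin.file:
    path: "{{ item }}"
    owner: root
    group: root
    mode: 'u-x,go-rwx'
  register: discovered_file_exists
  # opasswd.old is not present on every host, so a missing path is tolerated;
  # any other result is a real failure.  The comparison is against a proper
  # list so it is an exact match rather than a substring test on the string
  # '[ file, absent ]'.
  failed_when: discovered_file_exists.state not in ['file', 'absent']
  loop:
    - /etc/security/opasswd
    - /etc/security/opasswd.old

- name: "7.1.11 | PATCH | Ensure world writable files and directories are secured"
  when: ubtu24cis_rule_7_1_11
  tags:
    - level1-server
    - level1-workstation
    - patch
    - files
    - permissions
    - rule_7.1.11
    - NIST800-53R5_AC-3
    - NIST800-53R5_MP-2
  block:
    - name: "7.1.11 | AUDIT | Ensure world writable files and directories are secured | Get list of world-writable files"
      # Enumerates every local mount point (df --local) and searches each one
      # without crossing filesystem boundaries (-xdev).  Errors from individual
      # paths are ignored so one unreadable tree does not abort the control.
      ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type f -perm -0002
      failed_when: false
      changed_when: false
      register: discovered_worldwriteable_files

    - name: "7.1.11 | PATCH | Ensure world writable files and directories are secured | Adjust world-writable files if they exist (Configurable)"
      # Despite the "no_" in its name, a true ubtu24cis_no_world_write_adjust
      # enables remediation here.
      when:
        - discovered_worldwriteable_files.stdout_lines is defined
        - ubtu24cis_no_world_write_adjust
      # state: file rather than touch — the paths come from the find above and
      # already exist, and touch would rewrite atime/mtime on every run
      # (reporting a change each time and disturbing file timelines).
      ansible.builtin.file:
        path: '{{ item }}'
        mode: 'o-w'
        state: file
      loop: "{{ discovered_worldwriteable_files.stdout_lines }}"

    - name: "7.1.11 | PATCH | Ensure world writable files and directories are secured | sticky bit set on world-writable directories"
      # Sticky bit on world-writable directories stops users deleting or
      # renaming each other's files.  changed_when/failed_when are both false,
      # so this step is always reported as ok, including when no directory
      # matched or chmod failed.
      ansible.builtin.shell: df --local -P | awk {'if (NR!=1) print $6'} | xargs -I '{}' find '{}' -xdev -type d -perm -0002 2>/dev/null | xargs chmod a+t
      changed_when: false
      failed_when: false

- name: "7.1.12 | PATCH | Ensure no files or directories without an owner and a group exist"
  when: ubtu24cis_rule_7_1_12
  tags:
    - level1-server
    - level1-workstation
    - patch
    - rule_7.1.12
    - NIST800-53R5_AC-3
    - NIST800-53R5_MP-2
    - permissions
  vars:
    warn_control_id: '7.1.12'
  block:
    - name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Get list files or directories"
      # One find per mounted filesystem, confined to that device (-xdev) and
      # skipping NFS mounts.  check_mode: false so the audit still runs in
      # --check.
      # NOTE(review): ubtu24cis_exclude_unowned_search_path is spliced in
      # *before* the mount path; find expects paths before expression terms,
      # so confirm the variable's value is valid in that position.
      ansible.builtin.command: find {{ ubtu24cis_exclude_unowned_search_path }} {{ item.mount }} -xdev \( -nouser -o -nogroup \) -not -fstype nfs
      changed_when: false
      failed_when: false
      check_mode: false
      register: discovered_unowned_files
      loop: "{{ ansible_facts.mounts }}"
      loop_control:
        label: "{{ item.mount }}"

    - name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Flatten no_user_items results for easier use"
      # Per-mount stdout_lines lists are merged into one flat list of paths.
      ansible.builtin.set_fact:
        discovered_unowned_files_flatten: "{{ discovered_unowned_files.results | map(attribute='stdout_lines') | flatten }}"

    - name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Alert on unowned files and directories"
      when:
        - not ubtu24cis_ownership_adjust
        - discovered_unowned_files_flatten | length > 0
      ansible.builtin.debug:
        msg:
          - "Warning!! You have unowned files and are configured to not auto-remediate for this task"
          - "Please review the files/directories below and assign an owner"
          - "{{ discovered_unowned_files_flatten }}"

    - name: "7.1.12 | PATCH | Ensure no files or directories without an owner and a group exist | Set files/directories to configured owner and group"
      when:
        - ubtu24cis_ownership_adjust
        - discovered_unowned_files_flatten | length > 0
      ansible.builtin.file:
        path: "{{ item }}"
        owner: "{{ ubtu24cis_unowned_owner }}"
        group: "{{ ubtu24cis_unowned_group }}"
      # Was looping over the undefined name "udiscovered_unowned_files_flatten",
      # which made the remediation fail whenever it was enabled.
      loop: "{{ discovered_unowned_files_flatten }}"

    - name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Warn Count"
      when:
        - not ubtu24cis_ownership_adjust
        - discovered_unowned_files_flatten | length > 0
      ansible.builtin.import_tasks:
        file: warning_facts.yml

- name: "7.1.13 | AUDIT | Ensure SUID and SGID files are reviewed"
  when: ubtu24cis_rule_7_1_13
  tags:
    - level1-server
    - level1-workstation
    - audit
    - rule_7.1.13
    - NIST800-53R5_AC-3
    - NIST800-53R5_CM-1
    - NIST800-53R5_CM-2
    - NIST800-53R5_CM-6
    - NIST800-53R5_CM-7
    - NIST800-53R5_IA-5
    - NIST800-53R5_MP-2
    - permissions
  vars:
    warn_control_id: '7.1.13'
  block:
    - name: "7.1.13 | AUDIT | Ensure SUID and SGID files are reviewed | Find SUID and SGID"
      # Collects regular files with the set-gid (02000) or set-uid (04000) bit.
      # Each -perm test needs its own predicate, so the two are OR-ed inside an
      # escaped group; the previous form `-perm \( -02000 or -04000 \)` was not
      # a valid find expression and, with failed_when: false, silently produced
      # an empty result so the audit never reported anything.
      ansible.builtin.command: find {{ item.mount }} -xdev -type f \( -perm -02000 -o -perm -04000 \) -not -fstype nfs
      changed_when: false
      failed_when: false
      check_mode: false
      register: discovered_suid_sgid_files
      loop: "{{ ansible_facts.mounts }}"
      loop_control:
        label: "{{ item.mount }}"

    - name: "7.1.13 | AUDIT | Audit SUID executables | Flatten suid_executables results for easier use"
      ansible.builtin.set_fact:
        discovered_suid_sgid_files_flatten: "{{ discovered_suid_sgid_files.results | map(attribute='stdout_lines') | flatten }}"

    - name: "7.1.13 | AUDIT | Audit SUID executables | Alert SUID executables exist"
      when:
        - discovered_suid_sgid_files_flatten | length > 0
        - not ubtu24cis_suid_sgid_adjust
      ansible.builtin.debug:
        msg:
          - "Warning!! You have SUID executables"
          - "The files are listed below, please confirm the integrity of these binaries"
          - "{{ discovered_suid_sgid_files_flatten }}"

    - name: "7.1.13 | PATCH | Audit SUID executables | Remove SUID bit"
      when:
        - ubtu24cis_suid_sgid_adjust
        - discovered_suid_sgid_files_flatten | length > 0
      # Only the set-uid bit is cleared; set-gid hits from the find above are
      # reported but left in place.  NOTE(review): confirm that is intended.
      ansible.builtin.file:
        path: "{{ item }}"
        mode: 'u-s'
      loop: "{{ discovered_suid_sgid_files_flatten }}"

    - name: "7.1.13 | AUDIT | Audit SUID executables | Warn Count"
      when:
        - discovered_suid_sgid_files_flatten | length > 0
        - not ubtu24cis_suid_sgid_adjust
      ansible.builtin.import_tasks:
        file: warning_facts.yml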