- name: Remove User Host-Based Authentication Files - Define Excluded (Non-Local)
File Systems and Paths
ansible.builtin.set_fact:
excluded_fstypes:
- afs
- ceph - cifs
- smb3
- smbfs
- sshfs
- ncpfs
- ncp
- nfs
- nfs4
- gfs
- gfs2
- glusterfs
- gpfs
- pvfs2
- ocfs2
- lustre
- davfs
- fuse.sshfs
excluded_paths:
- dev
- proc
- run
- sys
search_paths: []
tags:
- CCE-86532-9
- DISA-STIG-RHEL-09-252075
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- no_user_host_based_files
- restrict_strategy
- name: Remove User Host-Based Authentication Files - Find Relevant Root Directories
Ignoring Pre-Defined Excluded Paths
ansible.builtin.find:
paths: /
file_type: directory
excludes: '{{ excluded_paths }}'
hidden: true
recurse: false
register: result_relevant_root_dirs
tags:
- CCE-86532-9
- DISA-STIG-RHEL-09-252075
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- no_user_host_based_files
- restrict_strategy
- name: Remove User Host-Based Authentication Files - Include Relevant Root Directories
in a List of Paths to be Searched
ansible.builtin.set_fact:
search_paths: '{{ search_paths | union([item.path]) }}'
loop: '{{ result_relevant_root_dirs.files }}'
tags:
- CCE-86532-9
- DISA-STIG-RHEL-09-252075
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- no_user_host_based_files
- restrict_strategy
- name: Remove User Host-Based Authentication Files - Increment Search Paths List
with Local Partitions Mount Points
ansible.builtin.set_fact:
search_paths: '{{ search_paths | union([item.mount]) }}'
loop: '{{ ansible_mounts }}'
when:
- item.fstype not in excluded_fstypes
- item.mount != '/'
tags:
- CCE-86532-9
- DISA-STIG-RHEL-09-252075
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- no_user_host_based_files
- restrict_strategy
- name: Remove User Host-Based Authentication Files - Increment Search Paths List
with Local NFS File System Targets
ansible.builtin.set_fact:
search_paths: '{{ search_paths | union([item.device.split('':'')[1]]) }}'
loop: '{{ ansible_mounts }}'
when: item.device is search("localhost:")
tags:
- CCE-86532-9
- DISA-STIG-RHEL-09-252075
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- no_user_host_based_files
- restrict_strategy
- name: Remove User Host-Based Authentication Files - Define Rule Specific Facts
ansible.builtin.set_fact:
user_shosts_files:
- /.shosts
tags:
- CCE-86532-9
- DISA-STIG-RHEL-09-252075
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- no_user_host_based_files
- restrict_strategy
- name: Remove User Host-Based Authentication Files - Find All .shosts Files in Local
File Systems
ansible.builtin.command:
cmd: find {{ item }} -xdev -type f -name ".shosts"
loop: '{{ search_paths }}'
changed_when: false
register: result_found_shosts_files
tags:
- CCE-86532-9
- DISA-STIG-RHEL-09-252075
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- no_user_host_based_files
- restrict_strategy
- name: Remove User Host-Based Authentication Files - Create List of .shosts Files
Present in Local File Systems
ansible.builtin.set_fact:
user_shosts_files: '{{ user_shosts_files | union(item.stdout_lines) | list }}'
loop: '{{ result_found_shosts_files.results }}'
tags:
- CCE-86532-9
- DISA-STIG-RHEL-09-252075
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- no_user_host_based_files
- restrict_strategy
- name: Remove User Host-Based Authentication Files - Ensure No .shosts Files Are
Present in the System
ansible.builtin.file:
path: '{{ item }}'
state: absent
loop: '{{ user_shosts_files }}'
tags:
- CCE-86532-9
- DISA-STIG-RHEL-09-252075
- high_severity
- low_complexity
- low_disruption
- no_reboot_needed
- no_user_host_based_files
- restrict_strategy
Show more