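---
# Provisions the "scan" service account used by the Nessus scanner on Linux
# hosts: group, user (hashed password), SSH authorized keys, a sudoers rule
# (password required), PubkeyAuthentication in sshd_config, and an unlock pass.
# gather_facts must stay enabled: every task is gated on ansible_facts.system.
- name: Add or modify the scan user for use by the Nessus scanner (ONLY if ansible_facts.system=='Linux')
  hosts: all
  gather_facts: true
  become: true
  tasks:
    # One guard for the whole play instead of repeating `when` on every task;
    # non-Linux hosts in the inventory are skipped entirely.
    - name: Configure the scan user on Linux hosts
      when: ansible_facts.system == 'Linux'
      block:
        - name: Create a group "sshprohibitpasswd"
          ansible.builtin.group:
            name: sshprohibitpasswd
            state: present
            # local: true
            system: true
            # gid: 967 <-- gid 967 is already in use by many systems

        - name: Add or modify the the scan user
          ansible.builtin.user:
            name: scan
            state: present
            system: true
            comment: "user for internal security scans"
            create_home: true
            # local: true
            # group: scan <-- "Group scan does not exist"
            groups: sshprohibitpasswd
            shell: "/bin/bash"
            # uid: 968 <-- can't predict which systems are already using this UID
            # 10-02-2024: New scan user password created and stored by cmiloro
            # The module expects an already-hashed value ($6$ = SHA-512 crypt);
            # update_password: always re-applies it on every run, which stays
            # idempotent because the hash (including its salt) is fixed.
            password: "$6$00000000$00000000000000000000000000000000000000000000000000000000000000000000000000000000000000"
            update_password: always
            password_lock: false
            expires: -1
            password_expire_max: 99999
            password_expire_min: 0

        - name: Add the public keys for scan to the user scan
          ansible.posix.authorized_key:
            user: scan
            manage_dir: true
            state: present
            key: '{{ item }}'
          # Both public keys are installed; state: present does not remove
          # other keys already in authorized_keys.
          with_file:
            - include/scan_user/id_rsa.pub
            - include/scan_user/id_ed25519.pub

        - name: Add the scan user to the sudoers file (ALL commands, password Required) and validate
          community.general.sudoers:
            host: ALL
            name: "Allow the scan user to run commands using sudo"
            user: scan
            commands: ALL
            state: present
            # nopassword: false keeps the sudo password prompt for scan.
            nopassword: false
            validation: detect

        - name: Enable public key authentication within /etc/ssh/sshd_config, backing file up if a change is made, and validate
          ansible.builtin.lineinfile:
            path: /etc/ssh/sshd_config
            # Match the directive whether it is commented out or set to any
            # value: the original '^#PubkeyAuthentication yes' only caught the
            # commented default, so an explicit "PubkeyAuthentication no" was
            # left in place and the appended "yes" never took effect (sshd
            # honours the first occurrence of a directive).
            regexp: '^#?PubkeyAuthentication\s'
            line: PubkeyAuthentication yes
            state: present
            # Only used when no existing directive matches: put the line at the
            # top so it is not appended into a trailing Match block.
            insertbefore: BOF
            backup: true
            # NOTE(review): on distributions whose sshd_config starts with an
            # Include of sshd_config.d/*.conf, a drop-in that sets
            # PubkeyAuthentication before this line still wins — confirm on
            # affected hosts.
            validate: 'sshd -t -f %s'

        # Belt-and-braces unlock after the user task. `exit 0` is deliberate:
        # the individual commands are best-effort and must not fail the play.
        # This task always reports "changed" because it is a raw shell.
        - name: Ensure scan account has nothing locking it
          ansible.builtin.shell: |
            usermod -U scan
            usermod -e "" scan
            chage -E -1 scan
            chage -I -1 scan
            exit 0
          args:
            executable: /bin/bash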