Ensure User Bash History File Has Correct Permissions
Description
Set the mode of the bash history file to 0600 with the
following command:
$ sudo chmod 0600 /home/USER/.bash_history
Rationale
Incorrect permissions may enable malicious users to recover other users' command history. Shell history routinely contains secrets typed on the command line (passwords and API tokens passed as arguments), as well as host names and file paths that map out the environment, so a group- or world-readable ~/.bash_history exposes all of that to any other local account.
Shell script
The following script can be run on the host to remediate the issue.
#!/bin/bash
# Collect the login name, home directory and shell of every account with
# UID >= 1000 (the conventional range for interactive users).
readarray -t interactive_users < <(awk -F: '$3>=1000 {print $1}' /etc/passwd)
readarray -t interactive_users_home < <(awk -F: '$3>=1000 {print $6}' /etc/passwd)
readarray -t interactive_users_shell < <(awk -F: '$3>=1000 {print $7}' /etc/passwd)
# Accounts to skip even though their UID is in range; anchored so the match
# is exact rather than a substring match (e.g. a user named "nobodyx").
USERS_IGNORED_REGEX='^(nobody|nfsnobody)$'
for (( i=0; i<"${#interactive_users[@]}"; i++ )); do
    if ! grep -qE "$USERS_IGNORED_REGEX" <<< "${interactive_users[$i]}" && \
       [ "${interactive_users_shell[$i]}" != "/sbin/nologin" ]; then
        history_file="${interactive_users_home[$i]}/.bash_history"
        # Only touch files that exist: a user who has never logged in
        # interactively has no history file yet, and chmod would fail on it.
        if [ -f "$history_file" ]; then
            # Clear setuid/setgid and owner execute and remove all group and
            # other access, leaving the file at 0600 (or more restrictive).
            chmod u-sx,go= "$history_file"
        fi
    fi
done
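An audit counterpart to the remediation script above, added here as an example and not part of the rule's own content. It reports every interactive user's existing ~/.bash_history that still carries a bit the rule's chmod u-sx,go= would clear, and then applies that chmod only to the files it reported. Both functions take a passwd-format file and an optional root prefix so that they can be exercised against the constructed fixture below instead of the live system; the fixture accounts (alice, bob, svc, carol) are invented for the example, and the script assumes GNU coreutils stat -c as found on Linux.

```bash
#!/bin/bash
# Added example: audit and targeted remediation for ~/.bash_history modes.
# Assumes GNU coreutils `stat -c '%a'` (Linux). Not part of the SSG rule.

# Bits the rule's `chmod u-sx,go=` clears: setuid, setgid, owner execute and
# every group/other bit (octal 06177). A history file is compliant when none
# of them is set, i.e. it is 0600 or more restrictive.
NONCOMPLIANT_MASK=06177

# audit_bash_history PASSWD_FILE [ROOT_PREFIX]
# Prints "user:history_path:octal_mode" for each offending file.
# Returns 0 when every checked file is compliant, 1 otherwise.
audit_bash_history() {
    local passwd_file="$1" prefix="${2:-}"
    local user pw uid gid gecos home shell path mode rc=0
    while IFS=: read -r user pw uid gid gecos home shell; do
        # Same population as the remediation script: UID >= 1000, not the
        # nobody/nfsnobody accounts, and not a /sbin/nologin account.
        [ "$uid" -ge 1000 ] 2>/dev/null || continue
        case "$user" in nobody|nfsnobody) continue ;; esac
        [ "$shell" != "/sbin/nologin" ] || continue
        path="$prefix$home/.bash_history"
        [ -f "$path" ] || continue        # no history file yet: nothing to protect
        mode=$(stat -c '%a' "$path")
        # Leading 0 makes the shell read the stat output as octal.
        if [ "$(( 0$mode & NONCOMPLIANT_MASK ))" -ne 0 ]; then
            printf '%s:%s:%s\n' "$user" "$home/.bash_history" "$mode"
            rc=1
        fi
    done < "$passwd_file"
    return "$rc"
}

# remediate_bash_history PASSWD_FILE [ROOT_PREFIX]
# Applies the rule's chmod to exactly the files the audit reports.
remediate_bash_history() {
    local user rel mode
    audit_bash_history "$1" "${2:-}" | while IFS=: read -r user rel mode; do
        chmod u-sx,go= "${2:-}$rel"
    done
}

# build_fixture DIR
# Constructed sample accounts and history files (not real data) so the
# functions above can be run stand-alone under a temporary prefix.
build_fixture() {
    local d="$1"
    mkdir -p "$d/home/alice" "$d/home/bob" "$d/home/svc" "$d/home/carol"
    {
        echo 'root:x:0:0:root:/root:/bin/bash'            # UID < 1000: skipped
        echo 'alice:x:1000:1000::/home/alice:/bin/bash'   # compliant 0600
        echo 'bob:x:1001:1001::/home/bob:/bin/bash'       # world-readable 0644
        echo 'svc:x:1002:1002::/home/svc:/sbin/nologin'   # nologin: skipped
        echo 'carol:x:1003:1003::/home/carol:/bin/bash'   # no history file yet
        echo 'nobody:x:65534:65534::/:/sbin/nologin'      # ignored by name
    } > "$d/passwd"
    : > "$d/home/alice/.bash_history"; chmod 600 "$d/home/alice/.bash_history"
    : > "$d/home/bob/.bash_history";   chmod 644 "$d/home/bob/.bash_history"
    : > "$d/home/svc/.bash_history";   chmod 666 "$d/home/svc/.bash_history"
}

# demo_run: audit the fixture, remediate, and audit again.
demo_run() {
    local tmp
    tmp=$(mktemp -d)
    build_fixture "$tmp"
    audit_bash_history "$tmp/passwd" "$tmp" || echo "non-compliant files listed above"
    remediate_bash_history "$tmp/passwd" "$tmp"
    if audit_bash_history "$tmp/passwd" "$tmp"; then
        echo "all history files compliant"
    fi
    rm -rf "$tmp"
}

demo_run
```

On a real host, source the script as root and call audit_bash_history /etc/passwd (empty prefix) to get a report before deciding whether to run remediate_bash_history; svc's 0666 file is deliberately left alone because the rule scopes the check to login-capable accounts, and carol produces no finding because a file that does not exist cannot leak. On BSD or macOS replace stat -c '%a' with stat -f '%Lp'.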
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: Ensure User Bash History File Has Correct Permissions - Gather User Info
  ansible.builtin.getent:
    database: passwd
  tags:
  - file_permission_user_bash_history
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

# getent_passwd values are [password, uid, gid, gecos, home, shell], so the
# home directory is index 4 and the login shell is index 5.
- name: Ensure User Bash History File Has Correct Permissions - Check Bash History Files Existence
  ansible.builtin.stat:
    path: '{{ item.value[4] }}/.bash_history'
  register: bash_history_files
  with_dict: '{{ ansible_facts.getent_passwd }}'
  when:
  - item.value[5] != "/sbin/nologin"
  - item.key not in ["nobody", "nfsnobody"]
  - item.value[1] | int >= 1000
  tags:
  - file_permission_user_bash_history
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

# Skipped items carry no stat result, so both conditions below are needed.
- name: Ensure User Bash History File Has Correct Permissions - Fix Bash History Files Permissions
  ansible.builtin.file:
    path: '{{ item.stat.path }}'
    mode: u-sx,go=
  with_items: '{{ bash_history_files.results }}'
  when:
  - item.stat is defined
  - item.stat.exists
  tags:
  - file_permission_user_bash_history
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy