Merge pull request #31 from ansible-lockdown/JUNE2025QA

June 2025 QA: Replace egrep to grep

handlers/main.yml

@@ -150,7 +150,7 @@
   ansible.posix.mount:
     path: "{{ mount_point }}"
     state: remounted
-  notify: Change_requires_reboot
+  notify: Set reboot required
   listen: "Remount /boot/efi"
 
 - name: Reload sysctl
@@ -194,7 +194,7 @@
   ansible.builtin.command: update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}"
   changed_when: true
   notify:
-    - Change_requires_reboot
+    - Set reboot required
     - Restart sshd
 
 - name: Restart firewalld
@@ -255,7 +255,7 @@
   when: discovered_auditd_immutable_check.stdout == '1'
   ansible.builtin.debug:
     msg: "Reboot required for auditd to apply new rules as immutable set"
-  notify: Change_requires_reboot
+  notify: Set reboot required
 
 - name: Stop auditd process
   ansible.builtin.command: systemctl kill auditd
@@ -268,6 +268,6 @@
     state: started
   listen: Restart auditd
 
-- name: Change_requires_reboot
+- name: Set reboot required
   ansible.builtin.set_fact:
     change_requires_reboot: true

tasks/main.yml

@@ -17,9 +17,7 @@
     success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}"
 
 - name: "Setup rules if container"
-  when:
-    - ansible_connection == 'docker' or
-      ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
+  when: ansible_connection == 'docker' or ansible_facts.virtualization_type in ["docker", "lxc", "openvz", "podman", "container"]
   tags:
     - container_discovery
     - always
@@ -101,8 +99,7 @@
 
         - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked"  # noqa name[template]
           ansible.builtin.assert:
-            that:
-              - not prelim_ansible_user_password_set.stdout.startswith("!")
+            that: not prelim_ansible_user_password_set.stdout.startswith("!")
             fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} is locked - It can break access"
             success_msg: "The local account is not locked for {{ ansible_env.SUDO_USER }} user"
 
@@ -132,7 +129,7 @@
     - rule_5.4.2.4
   block:
     - name: "Ensure root password is set"
-      ansible.builtin.shell: passwd -S root | egrep -e "(Password set, SHA512 crypt|Password locked)"
+      ansible.builtin.shell: passwd -S root | grep -E "(Password set, SHA512 crypt|Password locked)"
       changed_when: false
       register: prelim_root_passwd_set
 

tasks/pre_remediation_audit.yml

@@ -1,4 +1,5 @@
 ---
+
 - name: Pre Audit Setup | Setup the LE audit
   when: setup_audit
   tags: setup_audit
@@ -46,7 +47,7 @@
     remote_src: "{{ (audit_conf_source is contains('http')) | ternary(true, false) }}"
     extra_opts: "{{ (audit_conf_source is contains('github')) | ternary('--strip-components=1', []) }}"
 
-- name: Pre Audit Setup | Check Goss is available
+- name: Pre Audit Setup | Check goss is available
   when: run_audit
   block:
     - name: Pre Audit Setup | Check for goss file

tasks/prelim.yml

@@ -136,8 +136,7 @@
   register: prelim_systemd_coredump
 
 - name: "PRELIM | PATCH | Setup crypto-policy"
-  when:
-    - rhel9cis_rule_1_6_1
+  when: rhel9cis_rule_1_6_1
   tags:
     - level1-server
     - level1-workstation
@@ -185,17 +184,14 @@
         grub2_path: /etc/grub2-efi.cfg
 
 - name: "PRELIM | AUDIT | Discover Gnome Desktop Environment"
-  tags:
-    - always
+  tags: always
   ansible.builtin.stat:
     path: /usr/share/gnome/gnome-version.xml
   register: prelim_gnome_present
 
 - name: "PRELIM | PATCH | Install dconf if gui installed"
-  when:
-    - rhel9cis_gui
-  tags:
-    - always
+  when: rhel9cis_gui
+  tags: always
   ansible.builtin.package:
     name: dconf
     state: present
@@ -204,8 +200,7 @@
   when:
     - rhel9cis_rule_3_1_2
     - not system_is_container
-  tags:
-    - always
+  tags: always
   block:
     - name: "PRELIM | AUDIT | Discover is wireless adapter on system"
       ansible.builtin.command: find /sys/class/net/*/ -type d -name wireless
@@ -251,9 +246,7 @@
     state: touch
 
 - name: "PRELIM | PATCH | sshd_config.d/50-redhat.conf exists"
-  when:
-    - rhel9cis_rule_5_1_10 or
-      rhel9cis_rule_5_1_11
+  when: rhel9cis_rule_5_1_10 or rhel9cis_rule_5_1_11
   ansible.builtin.stat:
     path: /etc/ssh/sshd_config.d/50-redhat.conf
   register: prelim_sshd_50_redhat_file
@@ -281,8 +274,7 @@
 - name: "PRELIM | PATCH | Create journald config directory"
   when:
     - rhel9cis_syslog == 'journald'
-    - rhel9cis_rule_6_2_1_3 or
-      rhel9cis_rule_6_2_1_4
+    - rhel9cis_rule_6_2_1_3 or rhel9cis_rule_6_2_1_4
   tags: always
   ansible.builtin.file:
     path: /etc/systemd/journald.conf.d

tasks/section_1/cis_1.1.1.x.yml

@@ -27,8 +27,7 @@
         mode: 'go-rwx'
 
     - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Disable cramfs"
-      when:
-        - not system_is_container
+      when: not system_is_container
       community.general.modprobe:
         name: cramfs
         state: absent

tasks/section_1/cis_1.2.2.x.yml

@@ -13,4 +13,4 @@
   ansible.builtin.package:
     name: "*"
     state: latest
-  notify: Change_requires_reboot
+  notify: Set reboot required