Fixed issues with 4.1.1.2 and 4.1.1.3

Now handle multiple kernels and are idempotent

Signed-off-by: John Foster <robopickle@proton.me>

tasks/section_4/cis_4.1.1.x.yml

@@ -25,16 +25,22 @@
 - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled"
   block:
       - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Grubby existence of current value"
-        ansible.builtin.shell: grubby --info=ALL | grep args | grep -o -E "audit=([[:digit:]])+" | grep -o -E "([[:digit:]])+"
+        ansible.builtin.shell: grubby --info=ALL | grep args | sed -n 's/.*audit=\([[:alnum:]]\+\).*/\1/p'
         changed_when: false
         failed_when: false
         check_mode: false
         register: rhel9cis_4_1_1_2_grubby_curr_value_audit_linux
 
+      - name: Show list
+        ansible.builtin.debug:
+            msg: "var: \n{{ rhel9cis_4_1_1_2_grubby_curr_value_audit_linux }}"
+
       - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Grubby update, if needed"
         ansible.builtin.shell: grubby --update-kernel=ALL --args="audit=1"
         when:
-            - rhel9cis_4_1_1_2_grubby_curr_value_audit_linux is not defined or rhel9cis_4_1_1_2_grubby_curr_value_audit_linux | int != 1
+            - rhel9cis_4_1_1_2_grubby_curr_value_audit_linux.stdout == '' or
+              '0' in rhel9cis_4_1_1_2_grubby_curr_value_audit_linux.stdout or
+              'off' in rhel9cis_4_1_1_2_grubby_curr_value_audit_linux.stdout|lower
   when:
       - rhel9cis_rule_4_1_1_2
   tags:
@@ -48,16 +54,36 @@
 - name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient"
   block:
       - name: "4.1.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby existence of current value"
-        ansible.builtin.shell: grubby --info=ALL | grep args | grep -o -E "audit_backlog_limit=([[:digit:]])+" | grep -o -E "([[:digit:]])+"
+        ansible.builtin.shell:
+            cmd: 'grubby --info=ALL | grep args | grep -o -E "audit_backlog_limit=([[:digit:]])+" | grep -o -E "([[:digit:]])+"'
         changed_when: false
         failed_when: false
         check_mode: false
         register: rhel9cis_4_1_1_3_grubby_curr_value_backlog_linux
 
-      - name: "4.1.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby update, if needed"
+      - name: "4.1.1.3 | AUDIT | Check to see if limits are set"
-        ansible.builtin.shell: grubby --update-kernel=ALL --args="audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"
+        ansible.builtin.set_fact:
+            rhel9cis_4_1_1_3_reset_backlog_limits: true
         when:
-            - rhel9cis_4_1_1_2_grubby_curr_value_audit_linux is not defined or rhel9cis_4_1_1_2_grubby_curr_value_audit_linux.stdout | int < rhel9cis_audit_back_log_limit
+            - rhel9cis_4_1_1_3_grubby_curr_value_backlog_linux is not defined or
+              rhel9cis_4_1_1_3_grubby_curr_value_backlog_linux.stdout_lines == []
+
+      - name: "4.1.1.3 | AUDIT | Check to see if any limits are too low"
+        ansible.builtin.set_fact:
+            rhel9cis_4_1_1_3_reset_backlog_limits: true
+        when:
+            - (item | int < rhel9cis_audit_back_log_limit)
+        loop: "{{ rhel9cis_4_1_1_3_grubby_curr_value_backlog_linux.stdout_lines }}"
+
+      - name: Show list
+        ansible.builtin.debug:
+            msg: "var: \n{{ rhel9cis_4_1_1_3_grubby_curr_value_backlog_linux }}\ntrigger reset: {{ rhel9cis_4_1_1_3_reset_backlog_limits | default(false)}}"
+
+      - name: "4.1.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby update applied"
+        ansible.builtin.shell:
+            cmd: 'grubby --update-kernel=ALL --args="audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"'
+        when:
+            - rhel9cis_4_1_1_3_reset_backlog_limits is defined
   when:
       - rhel9cis_rule_4_1_1_3
   tags: