Merge pull request #12 from ansible-lockdown/lint_dec24

Lint dec24
2025-12-24 22:23:06 +00:00 · 2024-12-11 13:40:01 +00:00 · 2024-12-11 13:40:01 +00:00 · 7a49778b1d
commit 7a49778b1d
parent db621c7a46 6cc43202c8
73 changed files with 570 additions and 797 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@ -3,20 +3,7 @@
 parseable: true
 quiet: true
 skip_list:
-  - 'schema'
+  - 'package-latest'
-  - 'no-changed-when'
+  - 'risky-shell-pipe'
  - 'var-spacing'
  - 'experimental'
  - 'name[play]'
  - 'name[casing]'
  - 'name[template]'
  - 'key-order[task]'
  - '204'
  - '305'
  - '303'
  - '403'
  - '306'
  - '602'
  - '208'
 use_default_rules: true
 verbosity: 0
--- a/.yamllint
+++ b/.yamllint
@ -1,32 +1,38 @@
 ---
 extends: default
-
+locale: en_US.UTF-8
 ignore: |
    tests/
    molecule/
    .github/
    .gitlab-ci.yml
    *molecule.yml
 rules:
  indentation:
    # Requiring 4 space indentation
    spaces: 2
    # Requiring consistent indentation within a file, either indented or not
    indent-sequences: consistent
  braces:
    max-spaces-inside: 1
    level: error
  brackets:
    max-spaces-inside: 1
    level: error
  comments:
    ignore-shebangs: true
    min-spaces-from-content: 1 # prettier compatibility
  comments-indentation: enable
  empty-lines:
    max: 1
-  line-length: disable
+  indentation:
    # Requiring 2 space indentation
    spaces: 2
    # Requiring consistent indentation within a file, either indented or not
    indent-sequences: consistent
  key-duplicates: enable
  line-length: disable
  new-line-at-end-of-file: enable
  new-lines:
    type: unix
  octal-values:
    forbid-implicit-octal: true # yamllint defaults to false
    forbid-explicit-octal: true
  trailing-spaces: enable
  truthy:
    allowed-values: ['true', 'false']
--- a/2
+++ b/2
@ -1,6 +1,6 @@
 MIT License
-Copyright (c) 2023 Mindpoint Group / Lockdown Enterprise / Lockdown Enterprise Releases
+Copyright (c) 2025 Mindpoint Group - A Tyto Athene Company / Ansible Lockdown
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
--- a/README.md
+++ b/README.md
@ -2,7 +2,7 @@
 ## Configure a RHEL 9 machine to be [CIS](https://www.cisecurity.org/cis-benchmarks/) compliant
-### Based on [ CIS RedHat Enterprise Linux 9 Benchmark v2.0.0 ](https://www.cisecurity.org/cis-benchmarks/)
+### Based on [CIS RedHat Enterprise Linux 9 Benchmark v2.0.0](https://www.cisecurity.org/cis-benchmarks/)
 ---
@ -32,65 +32,82 @@
 ---
 ## Looking for support?
 [Lockdown Enterprise](https://www.lockdownenterprise.com#GH_AL_RH9_cis)
 [Ansible support](https://www.mindpointgroup.com/cybersecurity-products/ansible-counselor#GH_AL_RH9_cis)
 ### Community
 Join us on our [Discord Server](https://www.lockdownenterprise.com/discord) to ask questions, discuss features, or just chat with other Ansible-Lockdown users.
 ### Contributing
 Issues and Pull requests are welcome please ensure that all commits are signed-off-by and gpg-signed.
 Refer to [Contributing Guide](./CONTRIBUTING.rst)
 ---
 ## Caution(s)
 This role **will make changes to the system** which may have unintended consequences. This is not an auditing tool but rather a remediation tool to be used after an audit has been conducted.
-Check Mode is not supported! The role will complete in check mode without errors, but it is not supported and should be used with caution. The RHEL9-CIS-Audit role or a compliance scanner should be used for compliance checking over check mode.
+- Testing is the most important thing you can do.
-This role was developed against a clean install of the Operating System. If you are implementing to an existing system please review this role for any site specific changes that are needed.
+- Check Mode is not supported! The role will complete in check mode without errors, but it is not supported and should be used with caution. The RHEL9-CIS-Audit role or a compliance scanner should be used for compliance checking over check mode.
-To use the release version, please point to the `main` branch and relevant release for the cis benchmark you wish to work with.
+- This role was developed against a clean install of the Operating System. If you are implementing to an existing system please review this role for any site specific changes that are needed.
 - To use release version please point to main branch and relevant release/tag for the cis benchmark you wish to work with.
 - If moving across major releases e.g. v2.0.0 - v3.0.0 there are significant changes to the benchmarks and controls it is suggested to start as a new standard not to upgrade.
 - Containers references vars/is_container.yml this is an example and to be updated for your requirements
 - Did we mention testing??
 ---
 ## Matching a security Level for CIS
-It is possible to only run level 1 or level 2 controls for CIS.
+It is possible to to only run level 1 or level 2 controls for CIS.
 This is managed using tags:
- level1-server
+- level1_server
- level1-workstation
+- level1_workstation
- level2-server
+- level2_server
- level2-workstation
+- level2_workstation
-The control found in the `defaults` main also needs to reflect this, as this control is the testing that takes place if you are using the audit component.
+The control found in defaults main also need to reflect this as this control the testing thet takes place if you are using the audit component.
 ## Coming from a previous release
-CIS release always contains changes, it is highly recommended to review the new references and available variables. This has changed significantly since the ansible-lockdown initial release.
+CIS release always contains changes, it is highly recommended to review the new references and available variables. This have changed significantly since ansible-lockdown initial release.
-This is now compatible with python3 if it is found to be the default interpreter. This does come with prerequisites which configure the system accordingly.
+This is now compatible with python3 if it is found to be the default interpreter. This does come with pre-requisites which it configures the system accordingly.
 Further details can be seen in the [Changelog](./ChangeLog.md)
 ## Auditing (new)
-This can be turned on or off within the `defaults/main.yml` file with the variables `setup_audit` and `run_audit`. The value is `false` by default. Please refer to the wiki for more details. The defaults file also populates the goss checks to check only the controls that have been enabled in the ansible role.
+This can be turned on or off within the defaults/main.yml file with the variable run_audit. The value is false by default, please refer to the wiki for more details. The defaults file also populates the goss checks to check only the controls that have been enabled in the ansible role.
 This is a much quicker, very lightweight, checking (where possible) config compliance and live/running settings.
-A new form of auditing has been developed by using a small (12MB) go binary called [goss](https://github.com/goss-org/goss) along with the relevant configurations to check without the need for infrastructure or other tooling.
+A new form of auditing has been developed, by using a small (12MB) go binary called [goss](https://github.com/goss-org/goss) along with the relevant configurations to check. Without the need for infrastructure or other tooling.
-This audit will not only check the config has the correct setting but aims to capture if it is running with that configuration also try to remove [false positives](https://www.mindpointgroup.com/blog/is-compliance-scanning-still-relevant/) in the process.
+This audit will not only check the config has the correct setting but aims to capture if it is running with that configuration also trying to remove [false positives](https://www.mindpointgroup.com/blog/is-compliance-scanning-still-relevant/) in the process.
 Refer to [RHEL9-CIS-Audit](https://github.com/ansible-lockdown/RHEL9-CIS-Audit).
 ## Example Audit Summary
 This is based on a vagrant image with selections enabled. e.g. No Gui or firewall.
 Note: More tests are run during audit as we check config and running state.
 ```txt
 ok: [default] => {
    "msg": [
        "The pre remediation results are: ['Total Duration: 5.454s', 'Count: 338, Failed: 47, Skipped: 5'].",
        "The post remediation results are: ['Total Duration: 5.007s', 'Count: 338, Failed: 46, Skipped: 5'].",
        "Full breakdown can be found in /var/tmp",
        ""
    ]
 }
 PLAY RECAP *******************************************************************************************************************************************
 default                    : ok=270  changed=23   unreachable=0    failed=0    skipped=140  rescued=0    ignored=0
 ```
 ## Documentation
 - [Read The Docs](https://ansible-lockdown.readthedocs.io/en/latest/)
@ -101,19 +118,6 @@ Refer to [RHEL9-CIS-Audit](https://github.com/ansible-lockdown/RHEL9-CIS-Audit).
 ## Requirements
 RHEL 9
 Almalinux 9
 Rocky 9
 OracleLinux 9
 - Access to download or add the goss binary and content to the system if using auditing (other options are available on how to get the content to the system.)
 CentOS stream - while this will generally work it is not supported and requires the following variable setting
 ```sh
 os_check: false
 ```
 **General:**
 - Basic knowledge of Ansible, below are some links to the Ansible documentation to help get started if you are unfamiliar with Ansible
@ -123,23 +127,22 @@ os_check: false
  - [Tower User Guide](https://docs.ansible.com/ansible-tower/latest/html/userguide/index.html)
  - [Ansible Community Info](https://docs.ansible.com/ansible/latest/community/index.html)
 - Functioning Ansible and/or Tower Installed, configured, and running. This includes all of the base Ansible/Tower configurations, needed packages installed, and infrastructure setup.
- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consiquences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file.
+- Please read through the tasks in this role to gain an understanding of what each control is doing. Some of the tasks are disruptive and can have unintended consequences in a live production system. Also familiarize yourself with the variables in the defaults/main.yml file.
 **Technical Dependencies:**
- Python3
+RHEL/AlmaLinux/Rocky/Oracle 9 - Other versions are not supported.
 - Ansible 2.12+
 - python-def (should be included in RHEL 9)
 - libselinux-python
 - pip packages
  - jmespath
 - collections found in collections/requirements.yml
-pre-commit is available if installed on your host for pull request testing.
+- Access to download or add the goss binary and content to the system if using auditing
 (other options are available on how to get the content to the system.)
 - Python3.8
 - Ansible 2.12+
 - python-def
 - libselinux-python
 ## Role Variables
-This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done by overriding the required varaibles as found in defaults/main.yml file. e.g. using inventory, group_vars, extra_vars
+This role is designed that the end user should not have to edit the tasks themselves. All customizing should be done via the defaults/main.yml file or with extra vars within the project, job, workflow, etc.
 ## Tags
@ -169,10 +172,7 @@ We encourage you (the community) to contribute to this role. Please read the rul
 ## Known Issues
-CIS 1.2.4 - repo_gpgcheck is not carried out for RedHat hosts as the  default repos do not have this function. This also affect EPEL(not covered by var).
+Almalinux BaseOS, EPEL and many cloud providers repositories, do not allow gpgcheck(rule_1.2.1.2) or repo_gpgcheck (rule_1.2.1.3) this will cause issues during the playbook unless or a workaround is found.
          - Rocky and Alma not affected.
 Variable used to unset.
 rhel9cis_rhel_default_repo: true  # to be set to false if using repo that does have this ability
 ## Pipeline Testing
@ -180,21 +180,32 @@ uses:
 - ansible-core 2.12
 - ansible collections - pulls in the latest version based on requirements file
- Runs the audit using the devel branch
+- runs the audit using the devel branch
 - Runs the pre-commit setup on the PR to ensure everything is in place as expected.
 - This is an automated test that occurs on pull requests into devel
 ## Local Testing
- Ansible
+Molecule can be used to work on this role and test in distinct _scenarios_.
-  - ansible-base 2.10.17 - python 3.8
+### examples
-  - ansible-core 2.13.4  - python 3.10
+
-  - ansible-core 2.15.1  - python 3.11
+```bash
 molecule test -s default
 molecule converge -s wsl -- --check
 molecule verify -s localhost
 ```
 local testing uses:
 - ansible 2.13.3
 - molecule 4.0.1
 - molecule-docker 2.0.0
 - molecule-podman 2.0.2
 - molecule-vagrant 1.0.0
 - molecule-azure 0.5.0
 ## Added Extras
 - makefile - this is there purely for testing and initial setup purposes.
 - [pre-commit](https://pre-commit.com) can be tested and can be run from within the directory
 ```sh
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -2,7 +2,8 @@
 # handlers file for RHEL9-CIS
 - name: Reload sysctl
-  ansible.builtin.shell: sysctl --system
+  ansible.builtin.command: sysctl --system
  changed_when: true
 - name: Sysctl flush ipv4 route table
  when:
@ -43,8 +44,8 @@
 - name: Set Crypto Policy
  when: prelim_system_wide_crypto_policy.stdout != rhel9cis_full_crypto_policy
-  ansible.builtin.shell: |
+  ansible.builtin.command: update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}"
-    update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}"
+  changed_when: true
  notify:
    - Change_requires_reboot
    - Restart sshd
@ -65,11 +66,13 @@
    state: restarted
 - name: Reload dconf
-  ansible.builtin.shell: dconf update
+  ansible.builtin.command: dconf update
  changed_when: true
 - name: Grub2cfg
-  ansible.builtin.shell: "grub2-mkconfig -o /boot/grub2/grub.cfg"
+  ansible.builtin.command: "grub2-mkconfig -o /boot/grub2/grub.cfg"
  ignore_errors: true  # noqa ignore-errors
  changed_when: true
 - name: Restart rsyslog
  ansible.builtin.systemd:
@ -91,24 +94,25 @@
    daemon-reload: true
 - name: Authselect update
-  ansible.builtin.shell: authselect apply-changes
+  ansible.builtin.command: authselect apply-changes
  changed_when: true
 ## Auditd tasks note order for handlers to run
 - name: Auditd immutable check
-  ansible.builtin.shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
+  ansible.builtin.command: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
  changed_when: false
  register: discovered_auditd_immutable_check
 - name: Audit immutable fact
-  when:
+  when: discovered_auditd_immutable_check.stdout == '1'
    - discovered_auditd_immutable_check.stdout == '1'
  ansible.builtin.debug:
    msg: "Reboot required for auditd to apply new rules as immutable set"
  notify: Change_requires_reboot
- name: Restart auditd
+- name: Restart auditd  # noqa command-instead-of-module
-  ansible.builtin.shell: service auditd restart
+  ansible.builtin.command: service auditd restart
  changed_when: true
 - name: Change_requires_reboot
  ansible.builtin.set_fact:
--- a/tasks/LE_audit_setup.yml
+++ b/tasks/LE_audit_setup.yml
@ -1,5 +1,4 @@
 ---
 - name: Pre Audit Setup | Set audit package name
  block:
    - name: Pre Audit Setup | Set audit package name | 64bit
@ -20,13 +19,13 @@
    owner: root
    group: root
    checksum: "{{ audit_bin_version[audit_pkg_arch_name + '_checksum'] }}"
-    mode: '0555'
+    mode: "0555"
 - name: Pre Audit Setup | Copy audit binary
  when: get_audit_binary_method == 'copy'
  ansible.builtin.copy:
    src: "{{ audit_bin_copy_location }}"
    dest: "{{ audit_bin }}"
-    mode: '0555'
+    mode: "0555"
    owner: root
    group: root
--- a/tasks/audit_only.yml
+++ b/tasks/audit_only.yml
@ -1,9 +1,8 @@
 ---
 - name: Audit_Only | Create local Directories for hosts
  when: fetch_audit_files
  ansible.builtin.file:
-    mode: '0755'
+    mode: "0755"
    path: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}"
    recurse: true
    state: directory
@ -15,16 +14,14 @@
  ansible.builtin.fetch:
    dest: "{{ audit_capture_files_dir }}/{{ inventory_hostname }}/"
    flat: true
-    mode: '0644'
+    mode: "0644"
    src: "{{ pre_audit_outfile }}"
 - name: Audit_only | Show Audit Summary
-  when:
+  when: audit_only
    - audit_only
  ansible.builtin.debug:
    msg: "{{ audit_results.split('\n') }}"
 - name: Audit_only | Stop Playbook Audit Only selected
-  when:
+  when: audit_only
    - audit_only
  ansible.builtin.meta: end_play
--- a/tasks/check_prereqs.yml
+++ b/tasks/check_prereqs.yml
@ -1,8 +1,7 @@
 ---
 - name: "PREREQ | If required install libselinux package to manage file changes."
-  when:
+  when: '"libselinux-python3" not in ansible_facts.packages'
    - '"libselinux-python3" not in ansible_facts.packages'
  ansible.builtin.package:
    name: libselinux-python3
    state: present
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -2,22 +2,19 @@
 # tasks file for RHEL9-CIS
 - name: "Check OS version and family"
  when: os_check
  tags: always
  ansible.builtin.assert:
    that: (ansible_facts.distribution != 'CentOS' and ansible_facts.os_family == 'RedHat' or ansible_facts.os_family == "Rocky") and ansible_facts.distribution_major_version is version_compare('9', '==')
    fail_msg: "This role can only be run against Supported OSs. {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }} is not supported."
    success_msg: "This role is running against a supported OS {{ ansible_facts.distribution }} {{ ansible_facts.distribution_major_version }}"
  when:
    - os_check
  tags:
    - always
 - name: "Check ansible version"
  tags: always
  ansible.builtin.assert:
    that: ansible_version.full is version_compare(min_ansible_version, '>=')
    fail_msg: "You must use Ansible {{ min_ansible_version }} or greater"
    success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}"
  tags:
    - always
 - name: "Setup rules if container"
  when:
@ -36,8 +33,7 @@
        file: "{{ container_vars_file }}"
    - name: "Output if discovered is a container"
-      when:
+      when: system_is_container
        - system_is_container
      ansible.builtin.debug:
        msg: system has been discovered as a container
@ -51,8 +47,7 @@
  when:
    - rhel9cis_set_boot_pass
    - rhel9cis_rule_1_4_1
-  tags:
+  tags: always
    - always
  ansible.builtin.assert:
    that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'  # pragma: allowlist secret
    msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly"
@ -81,23 +76,22 @@
  vars:
    sudo_password_rule: rhel9cis_rule_5_2_4  # pragma: allowlist secret
  block:
-    - name: "Check password set for {{ ansible_env.SUDO_USER }} | password state"
+    - name: "Check password set for {{ ansible_env.SUDO_USER }} | password state"  # noqa name[template]
      ansible.builtin.shell: "(grep {{ ansible_env.SUDO_USER }} /etc/shadow || echo 'not found:not found') | awk -F: '{print $2}'"
      changed_when: false
      failed_when: false
      check_mode: false
      register: prelim_ansible_user_password_set
-    - name: "Check for local account {{ ansible_env.SUDO_USER }} | Check for local account"
+    - name: "Check for local account {{ ansible_env.SUDO_USER }} | Check for local account"  # noqa name[template]
      when: prelim_ansible_user_password_set.stdout == "not found"
      ansible.builtin.debug:
        msg: "No local account found for {{ ansible_env.SUDO_USER }} user. Skipping local account checks."
    - name: "Check local account"
-      when:
+      when: prelim_ansible_user_password_set.stdout != "not found"
        - prelim_ansible_user_password_set.stdout != "not found"
      block:
-        - name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set"
+        - name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set"  # noqa name[template]
          ansible.builtin.assert:
            that:
              - prelim_ansible_user_password_set.stdout | length != 0
@ -105,7 +99,7 @@
            fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access"
            success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user"
-        - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked"
+        - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked"  # noqa name[template]
          ansible.builtin.assert:
            that:
              - not prelim_ansible_user_password_set.stdout.startswith("!")
@ -113,10 +107,8 @@
            success_msg: "The local account is not locked for {{ ansible_env.SUDO_USER }} user"
 - name: "PRELIM | AUDIT | Check authselect profile is selected"
-  when:
+  when: rhel9cis_allow_authselect_updates
-    - rhel9cis_allow_authselect_updates
+  tags: always
  tags:
    - always
  block:
    - name: "PRELIM | AUDIT | Check authselect profile name has been updated"
      ansible.builtin.assert:
@ -136,8 +128,7 @@
        fail_msg: Authselect updates have been selected there are issues with profile selection"
 - name: "Ensure root password is set"
-  when:
+  when: rhel9cis_rule_5_4_2_4
    - rhel9cis_rule_5_4_2_4
  tags:
    - level1-server
    - level1-workstation
@ -158,14 +149,12 @@
        success_msg: "You have a root password set"
 - name: "Gather the package facts"
-  tags:
+  tags: always
    - always
  ansible.builtin.package_facts:
    manager: auto
 - name: "Include OS specific variables"
-  tags:
+  tags: always
    - always
  ansible.builtin.include_vars:
    file: "{{ ansible_facts.distribution }}.yml"
@ -213,8 +202,7 @@
 - name: "Run auditd logic"
  when: update_audit_template
-  tags:
+  tags: always
    - always
  ansible.builtin.import_tasks:
    file: auditd.yml
@ -226,8 +214,7 @@
    file: post.yml
 - name: "Run post_remediation audit"
-  when:
+  when: run_audit
    - run_audit
  ansible.builtin.import_tasks:
    file: post_remediation_audit.yml
@ -238,7 +225,6 @@
 - name: "If Warnings found Output count and control IDs affected"
  when: warn_count != 0
-  tags:
+  tags: always
    - always
  ansible.builtin.debug:
    msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ warn_control_list }}"
--- a/tasks/parse_etc_password.yml
+++ b/tasks/parse_etc_password.yml
@ -1,19 +1,17 @@
 ---
 - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd"
-  tags:
+  tags: always
    - always
  block:
    - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd"
-      ansible.builtin.shell: cat /etc/passwd
+      ansible.builtin.command: cat /etc/passwd
      changed_when: false
      check_mode: false
-      register: rhel9cis_passwd_file_audit
+      register: prelim_passwd_file_audit
    - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Split passwd entries"
      ansible.builtin.set_fact:
-        rhel9cis_passwd: "{{ rhel9cis_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}"
+        rhel9cis_passwd: "{{ prelim_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}"
      loop: "{{ rhel9cis_passwd_file_audit.stdout_lines }}"
      vars:
        ld_passwd_regex: >-
          ^(?P<id>[^:]*):(?P<password>[^:]*):(?P<uid>[^:]*):(?P<gid>[^:]*):(?P<gecos>[^:]*):(?P<dir>[^:]*):(?P<shell>[^:]*)
--- a/tasks/post.yml
+++ b/tasks/post.yml
@ -1,9 +1,7 @@
 ---
 # Post tasks
 - name: POST | Gather the package facts after remediation
-  tags:
+  tags: always
    - always
  ansible.builtin.package_facts:
    manager: auto
@ -17,7 +15,7 @@
    dest: "/etc/sysctl.d/{{ item }}"
    owner: root
    group: root
-    mode: '0600'
+    mode: 'go-rwx'
  notify: Reload sysctl
  loop:
    - 60-kernel_sysctl.conf
@ -29,28 +27,22 @@
  ansible.builtin.meta: flush_handlers
 - name: POST | reboot system if changes require it and not skipped
-  tags:
+  when: change_requires_reboot
-    - always
+  tags: always
  vars:
    warn_control_id: Reboot_required
  block:
    - name: POST | Reboot system if changes require it and not skipped
      when: not skip_reboot
      ansible.builtin.reboot:
      when:
        - change_requires_reboot
        - not skip_reboot
    - name: POST | Warning a reboot required but skip option set
      when: skip_reboot
      ansible.builtin.debug:
        msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results"
      changed_when: true
      when:
        - change_requires_reboot
        - skip_reboot
    - name: "POST | Warning a reboot required but skip option set | warning count"
      when: skip_reboot
      ansible.builtin.import_tasks:
        file: warning_facts.yml
      when:
        - change_requires_reboot
        - skip_reboot
  vars:
    warn_control_id: Reboot_required
--- a/tasks/post_remediation_audit.yml
+++ b/tasks/post_remediation_audit.yml
@ -1,7 +1,7 @@
 ---
- name: Post Audit | Run post_remediation {{ benchmark }} audit
+- name: Post Audit | Run post_remediation {{ benchmark }} audit  # noqa name[template]
-  ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\""
+  ansible.builtin.command: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ post_audit_outfile }} -g \"{{ group_names }}\""
  changed_when: true
  environment:
    AUDIT_BIN: "{{ audit_bin }}"
@ -18,8 +18,7 @@
    - "{{ pre_audit_outfile }}"
 - name: Post Audit | Capture audit data if json format
-  when:
+  when: audit_format == "json"
    - audit_format == "json"
  block:
    - name: Post Audit | Capture audit data if json format
      ansible.builtin.shell: grep -E '"summary-line.*Count:.*Failed' "{{ post_audit_outfile }}" | cut -d'"' -f4
@ -31,8 +30,7 @@
        post_audit_results: "{{ post_audit_summary.stdout }}"
 - name: Post Audit | Capture audit data if documentation format
-  when:
+  when: audit_format == "documentation"
    - audit_format == "documentation"
  block:
    - name: Post Audit | Capture audit data if documentation format
      ansible.builtin.shell: tail -2 "{{ post_audit_outfile }}" | tac | tr '\n' ' '
--- a/tasks/pre_remediation_audit.yml
+++ b/tasks/pre_remediation_audit.yml
@ -1,22 +1,18 @@
 ---
 - name: Pre Audit Setup | Setup the LE audit
-  when:
+  when: setup_audit
-    - setup_audit
+  tags: setup_audit
  tags:
    - setup_audit
  ansible.builtin.include_tasks:
    file: LE_audit_setup.yml
- name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists
+- name: Pre Audit Setup | Ensure {{ audit_conf_dir }} exists # noqa name[template]
  ansible.builtin.file:
    path: "{{ audit_conf_dir }}"
    state: directory
-    mode: '0755'
+    mode: "0755"
 - name: Pre Audit Setup | If using git for content set up
-  when:
+  when: audit_content == 'git'
    - audit_content == 'git'
  block:
    - name: Pre Audit Setup | Install git
      ansible.builtin.package:
@ -30,32 +26,28 @@
        version: "{{ audit_git_version }}"
 - name: Pre Audit Setup | Copy to audit content files to server
-  when:
+  when: audit_content == 'copy'
    - audit_content == 'copy'
  ansible.builtin.copy:
    src: "{{ audit_conf_source }}"
    dest: "{{ audit_conf_dest }}"
    mode: preserve
 - name: Pre Audit Setup | Unarchive audit content files on server
-  when:
+  when: audit_content == 'archive'
    - audit_content == 'archive'
  ansible.builtin.unarchive:
    src: "{{ audit_conf_source }}"
    dest: "{{ audit_conf_dest }}"
 - name: Pre Audit Setup | Get audit content from url
-  when:
+  when: audit_content == 'get_url'
    - audit_content == 'get_url'
  ansible.builtin.unarchive:
    src: "{{ audit_conf_source }}"
    dest: "{{ audit_conf_dest }}/{{ benchmark }}-Audit"
-    remote_src: "{{ ( audit_conf_source is contains ('http'))| ternary(true, false ) }}"
+    remote_src: "{{ (audit_conf_source is contains('http')) | ternary(true, false) }}"
-    extra_opts: "{{ (audit_conf_source is contains ('github')) | ternary('--strip-components=1', [] ) }}"
+    extra_opts: "{{ (audit_conf_source is contains('github')) | ternary('--strip-components=1', []) }}"
 - name: Pre Audit Setup | Check Goss is available
-  when:
+  when: run_audit
    - run_audit
  block:
    - name: Pre Audit Setup | Check for goss file
      ansible.builtin.stat:
@ -63,24 +55,22 @@
      register: discovered_goss_available
    - name: Pre Audit Setup | If audit ensure goss is available
-      when:
+      when: not discovered_goss_available.stat.exists
        - not discovered_goss_available.stat.exists
      ansible.builtin.assert:
        msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}"
 - name: Pre Audit Setup | Copy ansible default vars values to test audit
-  when:
+  when: run_audit
    - run_audit
  tags:
    - goss_template
    - run_audit
  ansible.builtin.template:
    src: ansible_vars_goss.yml.j2
    dest: "{{ audit_vars_path }}"
-    mode: '0600'
+    mode: "0600"
- name: Pre Audit | Run pre_remediation {{ benchmark }} audit
+- name: Pre Audit | Run pre_remediation {{ benchmark }} audit # noqa name[template]
-  ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\""
+  ansible.builtin.command: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -f {{ audit_format }} -o {{ pre_audit_outfile }} -g \"{{ group_names }}\""
  changed_when: true
  environment:
    AUDIT_BIN: "{{ audit_bin }}"
@ -88,33 +78,30 @@
    AUDIT_FILE: goss.yml
 - name: Pre Audit | Capture audit data if json format
-  when:
+  when: audit_format == "json"
    - audit_format == "json"
  block:
    - name: Pre Audit | Capture audit data if json format
      ansible.builtin.shell: grep -E '\"summary-line.*Count:.*Failed' "{{ pre_audit_outfile }}" | cut -d'"' -f4
      register: pre_audit_summary
      changed_when: false
      register: pre_audit_summary
    - name: Pre Audit | Set Fact for audit summary
      ansible.builtin.set_fact:
        pre_audit_results: "{{ pre_audit_summary.stdout }}"
 - name: Pre Audit | Capture audit data if documentation format
-  when:
+  when: audit_format == "documentation"
    - audit_format == "documentation"
  block:
    - name: Pre Audit | Capture audit data if documentation format
      ansible.builtin.shell: tail -2 "{{ pre_audit_outfile }}" | tac | tr '\n' ' '
      register: pre_audit_summary
      changed_when: false
      register: pre_audit_summary
    - name: Pre Audit | Set Fact for audit summary
      ansible.builtin.set_fact:
        pre_audit_results: "{{ pre_audit_summary.stdout }}"
 - name: Audit_Only | Run Audit Only
-  when:
+  when: audit_only
    - audit_only
  ansible.builtin.import_tasks:
    file: audit_only.yml
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@ -17,50 +17,43 @@
  when:
    - run_audit or audit_only
    - setup_audit
-  tags:
+  tags: run_audit
    - run_audit
  ansible.builtin.import_tasks: pre_remediation_audit.yml
 - name: "PRELIM | AUDIT | Interactive Users"
-  tags:
+  tags: always
    - always
  ansible.builtin.shell: >
    grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false" && $7 != "/dev/null") { print $1 }'
  changed_when: false
  register: prelim_interactive_usernames
 - name: "PRELIM | AUDIT | Interactive User accounts home directories"
-  tags:
+  tags: always
    - always
  ansible.builtin.shell: >
    grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $6 }'
  changed_when: false
  register: prelim_interactive_users_home
 - name: "PRELIM | AUDIT | Interactive UIDs"
-  tags:
+  tags: always
    - always
  ansible.builtin.shell: >
    grep -E -v '^(root|halt|sync|shutdown)' /etc/passwd | awk -F: '(!index($7, "sbin/nologin") && $7 != "/bin/nologin" && $7 != "/bin/false") { print $3 }'
  changed_when: false
  register: prelim_interactive_uids
 - name: "PRELIM | AUDIT | Capture /etc/password variables"
  tags: always
  ansible.builtin.include_tasks:
    file: parse_etc_password.yml
  tags:
    - always
 - name: "PRELIM | PATCH | Ensure python3-libselinux is installed"
-  when:
+  when: '"python3-libselinux" not in ansible_facts.packages'
    - '"python3-libselinux" not in ansible_facts.packages'
  ansible.builtin.package:
    name: python3-libselinux
    state: present
 - name: "PRELIM | AUDIT | Section 1.1 | Create list of mount points"
-  tags:
+  tags: always
    - Always
  ansible.builtin.set_fact:
    mount_names: "{{ ansible_facts.mounts | map(attribute='mount') | list }}"
@ -80,27 +73,27 @@
    - ansible_facts.distribution == 'RedHat'
  block:
    - name: "PRELIM | AUDIT | Import gpg keys | get data"
-      ansible.builtin.shell: rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
+      ansible.builtin.command: rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'  # noqa command-instead-of-module
      changed_when: false
      failed_when: false
      register: prelim_check_gpg_imported
-    - name: "PRELIM | AUDIT | Import gpg keys | Check Package"
+    - name: "PRELIM | AUDIT | Import gpg keys | Check Package"  # noqa command-instead-of-module
      when: "'not installed' in prelim_check_gpg_imported.stdout"
      ansible.builtin.shell: rpm -qi redhat-release | grep Signature
      changed_when: false
      failed_when: false
      register: prelim_os_gpg_package_valid
-    - name: "PRELIM | PATCH | Force keys to be imported"
+    - name: "PRELIM | PATCH | Force keys to be imported"  # noqa command-instead-of-module
      when:
        - "'not installed' in prelim_check_gpg_imported.stdout"
        - "'Key ID 199e2f91fd431d51' in prelim_os_gpg_package_valid.stdout"
-      ansible.builtin.shell: rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+      ansible.builtin.command: rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
      changed_when: false
 - name: "PRELIM | AUDIT | Check systemd coredump"
-  when:
+  when: rhel9cis_rule_1_5_4
    - rhel9cis_rule_1_5_4
  tags:
    - level1-server
    - level1-workstation
@ -127,7 +120,7 @@
        state: present
    - name: "PRELIM | AUDIT | Gather system-wide crypto-policy"
-      ansible.builtin.shell: 'update-crypto-policies --show'
+      ansible.builtin.command: 'update-crypto-policies --show'
      changed_when: false
      check_mode: false
      register: prelim_system_wide_crypto_policy
@ -183,7 +176,7 @@
    - always
  block:
    - name: "PRELIM | AUDIT | Discover is wirelss adapter on system"
-      ansible.builtin.shell: find /sys/class/net/*/ -type d -name wireless
+      ansible.builtin.command: find /sys/class/net/*/ -type d -name wireless
      register: discover_wireless_adapters
      changed_when: false
      failed_when: discover_wireless_adapters.rc not in [ 0, 1 ]
@ -222,7 +215,7 @@
    path: "{{ rhel9cis_sshd_config_file }}"
    owner: root
    group: root
-    mode: '0600'
+    mode: 'go-rwx'
    state: touch
 - name: "PRELIM | AUDIT | Gather UID 0 accounts other than root"
@ -246,6 +239,7 @@
  ansible.builtin.file:
    path: /etc/systemd/journald.conf.d
    state: directory
    mode: 'go-w'
 - name: "PRELIM | PATCH | Configure System Accounting (auditd)"
  when:
--- a/tasks/section_1/cis_1.1.1.x.yml
+++ b/tasks/section_1/cis_1.1.1.x.yml
@ -1,8 +1,7 @@
 ---
 - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available"
-  when:
+  when: rhel9cis_rule_1_1_1_1
    - rhel9cis_rule_1_1_1_1
  tags:
    - level1-server
    - level1-workstation
@ -17,7 +16,7 @@
        regexp: "^(#)?install cramfs(\\s|$)"
        line: "install cramfs /bin/true"
        create: true
-        mode: '0600'
+        mode: 'go-rwx'
    - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | blacklist"
      ansible.builtin.lineinfile:
@ -25,7 +24,7 @@
        regexp: "^(#)?blacklist cramfs(\\s|$)"
        line: "blacklist cramfs"
        create: true
-        mode: '0600'
+        mode: 'go-rwx'
    - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Disable cramfs"
      when:
@ -35,8 +34,7 @@
        state: absent
 - name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available"
-  when:
+  when: rhel9cis_rule_1_1_1_2
    - rhel9cis_rule_1_1_1_2
  tags:
    - level1-server
    - level1-workstation
@ -51,7 +49,7 @@
        regexp: "^(#)?install freevxfs(\\s|$)"
        line: "install freevxfs /bin/true"
        create: true
-        mode: '0600'
+        mode: 'go-rwx'
    - name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | blacklist"
      ansible.builtin.lineinfile:
@ -59,18 +57,16 @@
        regexp: "^(#)?blacklist freevxfs(\\s|$)"
        line: "blacklist freevxfs"
        create: true
-        mode: '0600'
+        mode: 'go-rwx'
    - name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | Disable freevxfs"
-      when:
+      when: not system_is_container
        - not system_is_container
      community.general.modprobe:
        name: freevxfs
        state: absent
 - name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available"
-  when:
+  when: rhel9cis_rule_1_1_1_3
    - rhel9cis_rule_1_1_1_3
  tags:
    - level1-server
    - level1-workstation
@ -85,7 +81,7 @@
        regexp: "^(#)?install hfs(\\s|$)"
        line: "install hfs /bin/true"
        create: true
-        mode: '0600'
+        mode: 'go-rwx'
    - name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | blacklist"
      ansible.builtin.lineinfile:
@ -93,18 +89,16 @@
        regexp: "^(#)?blacklist hfs(\\s|$)"
        line: "blacklist hfs"
        create: true
-        mode: '0600'
+        mode: 'go-rwx'
    - name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | Disable hfs"
-      when:
+      when: not system_is_container
        - not system_is_container
      community.general.modprobe:
        name: hfs
        state: absent
 - name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available"
-  when:
+  when: rhel9cis_rule_1_1_1_4
    - rhel9cis_rule_1_1_1_4
  tags:
    - level1-server
    - level1-workstation
@ -119,7 +113,7 @@
        regexp: "^(#)?install hfsplus(\\s|$)"
        line: "install hfsplus /bin/true"
        create: true
-        mode: '0600'
+        mode: 'go-rwx'
    - name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | blacklist"
      ansible.builtin.lineinfile:
@ -127,18 +121,16 @@
        regexp: "^(#)?blacklist hfsplus(\\s|$)"
        line: "blacklist hfsplus"
        create: true
-        mode: '0600'
+        mode: 'go-rwx'
    - name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | Disable hfsplus"
-      when:
+      when: not system_is_container
        - not system_is_container
      community.general.modprobe:
        name: hfsplus
        state: absent
 - name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available"
-  when:
+  when: rhel9cis_rule_1_1_1_5
    - rhel9cis_rule_1_1_1_5
  tags:
    - level1-server
    - level1-workstation
@ -153,7 +145,7 @@
        regexp: "^(#)?install jffs2(\\s|$)"
        line: "install jffs2 /bin/true"
        create: true
-        mode: '0600'
+        mode: 'go-rwx'
    - name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | blacklist"
      ansible.builtin.lineinfile:
@ -161,18 +153,16 @@
        regexp: "^(#)?blacklist jffs2(\\s|$)"
        line: "blacklist jffs2"
        create: true
-        mode: '0600'
+        mode: 'go-rwx'
    - name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | Disable jffs2"
-      when:
+      when: not system_is_container
        - not system_is_container
      community.general.modprobe:
        name: jffs2
        state: absent
 - name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available"
-  when:
+  when: rhel9cis_rule_1_1_1_6
    - rhel9cis_rule_1_1_1_6
  tags:
    - level2-server
    - level2-workstation
@ -187,7 +177,7 @@
        regexp: "^(#)?install squashfs(\\s|$)"
        line: "install squashfs /bin/true"
        create: true
-        mode: '0600'
+        mode: 'go-rwx'
    - name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available | blacklist"
      ansible.builtin.lineinfile:
@ -195,18 +185,16 @@
        regexp: "^(#)?blacklist squashfs(\\s|$)"
        line: "blacklist squashfs"
        create: true
-        mode: '0600'
+        mode: 'go-rwx'
    - name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available | Disable squashfs"
-      when:
+      when: not system_is_container
        - not system_is_container
      community.general.modprobe:
        name: squashfs
        state: absent
 - name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available"
-  when:
+  when: rhel9cis_rule_1_1_1_7
    - rhel9cis_rule_1_1_1_7
  tags:
    - level2-server
    - level2-workstation
@ -221,7 +209,7 @@
        regexp: "^(#)?install udf(\\s|$)"
        line: "install udf /bin/true"
        create: true
-        mode: '0600'
+        mode: 'go-rwx'
    - name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available | blacklist"
      ansible.builtin.lineinfile:
@ -229,18 +217,16 @@
        regexp: "^(#)?blacklist udf(\\s|$)"
        line: "blacklist udf"
        create: true
-        mode: '0600'
+        mode: 'go-rwx'
    - name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available | Disable udf"
-      when:
+      when: not system_is_container
        - not system_is_container
      community.general.modprobe:
        name: udf
        state: absent
 - name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available"
-  when:
+  when: rhel9cis_rule_1_1_1_8
    - rhel9cis_rule_1_1_1_8
  tags:
    - level1-server
    - level2-workstation
@ -255,7 +241,7 @@
        regexp: "^(#)?install usb-storage(\\s|$)"
        line: "install usb-storage /bin/true"
        create: true
-        mode: '0600'
+        mode: 'go-rwx'
    - name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available | blacklist"
      ansible.builtin.lineinfile:
@ -263,18 +249,16 @@
        regexp: "^(#)?blacklist usb-storage(\\s|$)"
        line: "blacklist usb-storage"
        create: true
-        mode: '0600'
+        mode: 'go-rwx'
    - name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available | Disable usb"
-      when:
+      when: not system_is_container
        - not system_is_container
      community.general.modprobe:
        name: usb-storage
        state: absent
 - name: "1.1.1.9 | PATCH | Ensure unused filesystems kernel modules are not available"
-  when:
+  when: rhel9cis_rule_1_1_1_9
    - rhel9cis_rule_1_1_1_9
  tags:
    - level1-server
    - level1-workstation
@ -289,10 +273,10 @@
        dest: /var/fs_with_cves.sh
        owner: root
        group: root
-        mode: '0744'
+        mode: 'u+x,go-wx'
    - name: "1.1.1.9 | AUDIT | Ensure unused filesystems kernel modules are not available | Run discovery script"
-      ansible.builtin.shell: /var/fs_with_cves.sh
+      ansible.builtin.command: /var/fs_with_cves.sh
      changed_when: false
      failed_when: discovered_fs_modules_loaded.rc not in [ 0, 99 ]
      register: discovered_fs_modules_loaded
@ -302,7 +286,7 @@
      ansible.builtin.debug:
        msg: |
          "Warning!! Discovered loaded Filesystem modules that need attention. This is a manual task
-          {{ discovered_fs_modules_loaded.stdout_lines}}"
+          {{ discovered_fs_modules_loaded.stdout_lines }}"
    - name: "1.1.1.9 | AUDIT | Ensure unused filesystems kernel modules are not available | Capture Warning"
      when: discovered_fs_modules_loaded.stdout | length > 0
--- a/tasks/section_1/cis_1.1.2.1.x.yml
+++ b/tasks/section_1/cis_1.1.2.1.x.yml
@ -17,7 +17,7 @@
  block:
    - name: "1.1.2.1.1 | PATCH | Ensure /tmp is a separate partition | Absent"
      ansible.builtin.debug:
-        msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
+        msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task"
    - name: "1.1.2.1.1 | PATCH | Ensure /tmp is a separate partition | Present"
      ansible.builtin.import_tasks:
@ -84,5 +84,5 @@
    dest: /etc/systemd/system/tmp.mount
    owner: root
    group: root
-    mode: '0644'
+    mode: 'go-wx'
  notify: Systemd restart tmp.mount
--- a/tasks/section_1/cis_1.1.2.2.x.yml
+++ b/tasks/section_1/cis_1.1.2.2.x.yml
@ -2,8 +2,7 @@
 # Skips if mount is absent
 - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition"
-  when:
+  when: rhel9cis_rule_1_1_2_2_1
    - rhel9cis_rule_1_1_2_2_1
  tags:
    - level1-server
    - level1-workstation
@ -14,7 +13,7 @@
  vars:
    warn_control_id: '1.1.2.2.1'
  block:
-    - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | check exists"
+    - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | check exists"  # noqa command-instead-of-module
      ansible.builtin.shell: mount -l | grep -w /dev/shm
      changed_when: false
      register: discovered_dev_shm_mount_check
@ -24,7 +23,7 @@
      block:
        - name: "1.1.2.2.1 | AUDIT | Ensure /dev/shm is a separate partition | Absent"
          ansible.builtin.debug:
-            msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
+            msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task"
        - name: "1.1.2.2.1 | AUDIT | Ensure separate partition exists for /home | Present"
          ansible.builtin.import_tasks:
--- a/tasks/section_1/cis_1.1.2.3.x.yml
+++ b/tasks/section_1/cis_1.1.2.3.x.yml
@ -17,7 +17,7 @@
  block:
    - name: "1.1.2.3.1 | AUDIT | Ensure separate partition exists for /home | Absent"
      ansible.builtin.debug:
-        msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
+        msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task"
    - name: "1.1.2.3.1 | AUDIT | Ensure separate partition exists for /home | Present"
      ansible.builtin.import_tasks:
--- a/tasks/section_1/cis_1.1.2.4.x.yml
+++ b/tasks/section_1/cis_1.1.2.4.x.yml
@ -17,7 +17,7 @@
  block:
    - name: "1.1.2.4.1 | AUDIT | Ensure separate partition exists for /var | Absent"
      ansible.builtin.debug:
-        msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
+        msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task"
    - name: "1.1.2.4.1 | AUDIT | Ensure separate partition exists for /var | Present"
      ansible.builtin.import_tasks:
--- a/tasks/section_1/cis_1.1.2.5.x.yml
+++ b/tasks/section_1/cis_1.1.2.5.x.yml
@ -18,7 +18,7 @@
  block:
    - name: "1.1.2.5.1 | AUDIT | Ensure separate partition exists for /var/tmp | Absent"
      ansible.builtin.debug:
-        msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
+        msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task"
    - name: "1.1.2.5.1 | AUDIT | Ensure separate partition exists for /var/tmp | Present"
      ansible.builtin.import_tasks:
--- a/tasks/section_1/cis_1.1.2.6.x.yml
+++ b/tasks/section_1/cis_1.1.2.6.x.yml
@ -17,7 +17,7 @@
  block:
    - name: "1.1.2.6.1 | AUDIT | Ensure separate partition exists for /var/log | Absent"
      ansible.builtin.debug:
-        msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
+        msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task"
    - name: "1.1.2.6.1 | AUDIT | Ensure separate partition exists for /var/log | Present"
      ansible.builtin.import_tasks:
--- a/tasks/section_1/cis_1.1.2.7.x.yml
+++ b/tasks/section_1/cis_1.1.2.7.x.yml
@ -17,7 +17,7 @@
  block:
    - name: "1.1.2.7.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Absent"
      ansible.builtin.debug:
-        msg: "Warning!! {{ required_mount }} doesn't exist. This is a manual task"
+        msg: "Warning!! {{ required_mount }} doesn't exist. Please investigate this manual task"
    - name: "1.1.2.7.1 | AUDIT | Ensure separate partition exists for /var/log/audit | Present"
      ansible.builtin.import_tasks:
--- a/tasks/section_1/cis_1.2.1.x.yml
+++ b/tasks/section_1/cis_1.2.1.x.yml
@ -14,18 +14,18 @@
    - rule_1.2.1.1
    - NIST800-53R5_SI-2
  block:
-    - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | list installed pubkey keys"
+    - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | list installed pubkey keys"  # noqa command-instead-of-module
      ansible.builtin.shell: "rpm -qa | grep {{ os_gpg_key_pubkey_name }}"
      changed_when: false
      failed_when: false
      register: discovered_os_installed_pub_keys
-    - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | Query found keys"
+    - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | Query found keys"  # noqa command-instead-of-module
      when: discovered_os_installed_pub_keys.rc == 0
      ansible.builtin.shell: 'rpm -q --queryformat "%{PACKAGER} %{VERSION}\\n" {{ os_gpg_key_pubkey_name }} | grep "{{ os_gpg_key_pubkey_content }}"'
      changed_when: false
      failed_when: false
      register: discovered_os_gpg_key_check
      when: discovered_os_installed_pub_keys.rc == 0
    - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | expected keys fail"
      when:
@ -35,8 +35,7 @@
        msg: Installed GPG Keys do not meet expected values or expected keys are not installed
 - name: "1.2.1.2 | PATCH | Ensure gpgcheck is globally activated"
-  when:
+  when: rhel9cis_rule_1_2_1_2
    - rhel9cis_rule_1_2_1_2
  tags:
    - level1-server
    - level1-workstation
@ -94,8 +93,7 @@
        label: "{{ item.path }}"
 - name: "1.2.1.4 | AUDIT | Ensure package manager repositories are configured"
-  when:
+  when: rhel9cis_rule_1_2_1_4
    - rhel9cis_rule_1_2_1_4
  tags:
    - level1-server
    - level1-workstation
@ -107,11 +105,11 @@
    warn_control_id: '1.2.1.4'
  block:
    - name: "1.2.1.4 | AUDIT | Ensure package manager repositories are configured | Get repo list"
-      ansible.builtin.shell: dnf repolist
+      ansible.builtin.command: dnf repolist
      changed_when: false
      failed_when: false
      register: discovered_dnf_configured
      check_mode: false
      register: discovered_dnf_configured
    - name: "1.2.1.4 | AUDIT | Ensure package manager repositories are configured | Display repo list"
      ansible.builtin.debug:
--- a/tasks/section_1/cis_1.3.1.x.yml
+++ b/tasks/section_1/cis_1.3.1.x.yml
@ -122,8 +122,7 @@
        file: warning_facts.yml
 - name: "1.3.1.7 | PATCH | Ensure the MCS Translation Service (mcstrans) is not installed"
-  when:
+  when: rhel9cis_rule_1_3_1_7
    - rhel9cis_rule_1_3_1_7
  tags:
    - level1-server
    - level1-workstation
@ -136,9 +135,6 @@
    state: absent
 - name: "1.3.1.8 | PATCH | Ensure SETroubleshoot is not installed"
  ansible.builtin.package:
    name: setroubleshoot
    state: absent
  when:
    - rhel9cis_rule_1_3_1_8
    - "'setroubleshoot' in ansible_facts.packages"
@ -149,3 +145,6 @@
    - rule_1.3.1.8
    - NIST800-53R5_AC-3
    - NIST800-53R5_MP-2
  ansible.builtin.package:
    name: setroubleshoot
    state: absent
--- a/tasks/section_1/cis_1.4.x.yml
+++ b/tasks/section_1/cis_1.4.x.yml
@ -16,12 +16,11 @@
    content: "GRUB2_PASSWORD={{ rhel9cis_bootloader_password_hash }}"  # noqa template-instead-of-copy
    owner: root
    group: root
-    mode: '0600'
+    mode: 'go-rwx'
  notify: Grub2cfg
 - name: "1.4.2 | PATCH | Ensure permissions on bootloader config are configured"
-  when:
+  when: rhel9cis_rule_1_4_2
    - rhel9cis_rule_1_4_2
  tags:
    - level1-server
    - level1-workstation
@ -41,5 +40,5 @@
        access_time: preserve
      loop:
        - { path: 'grub.cfg', mode: '0700' }
-        - { path: 'grubenv', mode: '0600' }
+        - { path: 'grubenv', mode: 'go-rwx' }
-        - { path: 'user.cfg', mode: '0600' }
+        - { path: 'user.cfg', mode: 'go-rwx' }
--- a/tasks/section_1/cis_1.5.x.yml
+++ b/tasks/section_1/cis_1.5.x.yml
@ -1,8 +1,7 @@
 ---
 - name: "1.5.1 | PATCH | Ensure address space layout randomization (ASLR) is enabled"
-  when:
+  when: rhel9cis_rule_1_5_1
    - rhel9cis_rule_1_5_1
  tags:
    - level1-server
    - level1-workstation
@ -21,8 +20,7 @@
        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf"
 - name: "1.5.2 | PATCH | Ensure ptrace_scope is restricted"
-  when:
+  when: rhel9cis_rule_1_5_2
    - rhel9cis_rule_1_5_2
  tags:
    - level1-server
    - level1-workstation
@ -39,8 +37,7 @@
        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf"
 - name: "1.5.3 | PATCH | Ensure core dump backtraces are disabled"
-  when:
+  when: rhel9cis_rule_1_5_3
    - rhel9cis_rule_1_5_3
  tags:
    - level1-server
    - level1-workstation
@ -50,7 +47,7 @@
    - NIST800-53R5_CM-6b
  ansible.builtin.lineinfile:
    path: /etc/systemd/coredump.conf
-    regexp: '^ProcessSizeMax\s*=\s*.*[1-9]$'
+    regexp: '(?#)^ProcessSizeMax\s*=\s*.*[1-9].*$'
    line: 'ProcessSizeMax=0'
 - name: "1.5.4 | PATCH | Ensure core dump storage is disabled"
--- a/tasks/section_1/cis_1.6.x.yml
+++ b/tasks/section_1/cis_1.6.x.yml
@ -1,8 +1,7 @@
 ---
 - name: "1.6.1 | AUDIT | Ensure system-wide crypto policy is not legacy"
-  when:
+  when: rhel9cis_rule_1_6_1
    - rhel9cis_rule_1_6_1
  tags:
    - level1-server
    - level1-workstation
@ -18,8 +17,7 @@
    - Set Crypto Policy
 - name: "1.6.2 | PATCH | Ensure system wide crypto policy is not set in sshd configuration"
-  when:
+  when: rhel9cis_rule_1_6_2
    - rhel9cis_rule_1_6_2
  tags:
    - level1-server
    - level1-workstation
@ -54,7 +52,7 @@
        dest: /etc/crypto-policies/policies/modules/NO-SHA1.pmod
        owner: root
        group: root
-        mode: '0640'
+        mode: 'g-wx,o-rwx'
      register: discovered_no_sha1_template
    - name: "1.6.3 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support | submodule to crypto policy modules"
@ -85,7 +83,7 @@
        dest: /etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod
        owner: root
        group: root
-        mode: '0640'
+        mode: 'g-wx,o-rwx'
      register: discovered_no_weakmac_template
    - name: "1.6.4 | PATCH | Ensure system wide crypto policy disables macs less than 128 bits | submodule to crypto policy modules"
@ -115,7 +113,7 @@
        dest: /etc/crypto-policies/policies/modules/NO-SSHCBC.pmod
        owner: root
        group: root
-        mode: '0640'
+        mode: 'g-wx,o-rwx'
      register: discovered_no_sshcbc_template
    - name: "1.6.5 | PATCH | Ensure system wide crypto policy disables cbc for ssh | submodule to crypto policy modules"
@ -145,7 +143,7 @@
        dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod
        owner: root
        group: root
-        mode: '0640'
+        mode: 'g-wx,o-rwx'
      register: discovered_no_sshweakciphers_template
    - name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | submodule to crypto policy modules"
@ -175,7 +173,7 @@
        dest: /etc/crypto-policies/policies/modules/NO-SSHETM.pmod
        owner: root
        group: root
-        mode: '0640'
+        mode: 'g-wx,o-rwx'
      register: discovered_no_sshetm_template
    - name: "1.6.7 | PATCH | Ensure system wide crypto policy disables EtM for ssh | submodule to crypto policy modules"
--- a/tasks/section_1/cis_1.7.x.yml
+++ b/tasks/section_1/cis_1.7.x.yml
@ -1,8 +1,7 @@
 ---
 - name: "1.7.1 | PATCH | Ensure message of the day is configured properly"
-  when:
+  when: rhel9cis_rule_1_7_1
    - rhel9cis_rule_1_7_1
  tags:
    - level1-server
    - level1-workstation
@ -17,11 +16,10 @@
    dest: /etc/motd
    owner: root
    group: root
-    mode: u-x,go-wx
+    mode: 'u-x,go-wx'
 - name: "1.7.2 | PATCH | Ensure local login warning banner is configured properly"
-  when:
+  when: rhel9cis_rule_1_7_2
    - rhel9cis_rule_1_7_2
  tags:
    - level1-server
    - level1-workstation
@ -35,11 +33,10 @@
    dest: /etc/issue
    owner: root
    group: root
-    mode: '0644'
+    mode: 'go-wx'
 - name: "1.7.3 | PATCH | Ensure remote login warning banner is configured properly"
-  when:
+  when: rhel9cis_rule_1_7_3
    - rhel9cis_rule_1_7_3
  tags:
    - level1-server
    - level1-workstation
@ -54,11 +51,10 @@
    dest: /etc/issue.net
    owner: root
    group: root
-    mode: '0644'
+    mode: 'go-wx'
 - name: "1.7.4 | PATCH | Ensure permissions on /etc/motd are configured"
-  when:
+  when: rhel9cis_rule_1_7_4
    - rhel9cis_rule_1_7_4
  tags:
    - level1-server
    - level1-workstation
@ -71,11 +67,10 @@
    path: /etc/motd
    owner: root
    group: root
-    mode: '0644'
+    mode: 'go-wx'
 - name: "1.7.5 | PATCH | Ensure permissions on /etc/issue are configured"
-  when:
+  when: rhel9cis_rule_1_7_5
    - rhel9cis_rule_1_7_5
  tags:
    - level1-server
    - level1-workstation
@ -88,11 +83,10 @@
    path: /etc/issue
    owner: root
    group: root
-    mode: '0644'
+    mode: 'go-wx'
 - name: "1.7.6 | PATCH | Ensure permissions on /etc/issue.net are configured"
-  when:
+  when: rhel9cis_rule_1_7_6
    - rhel9cis_rule_1_7_6
  tags:
    - level1-server
    - level1-workstation
@ -105,4 +99,4 @@
    path: /etc/issue.net
    owner: root
    group: root
-    mode: '0644'
+    mode: 'go-wx'
--- a/tasks/section_1/cis_1.8.x.yml
+++ b/tasks/section_1/cis_1.8.x.yml
@ -35,7 +35,7 @@
        create: true
        owner: root
        group: root
-        mode: '0644'
+        mode: 'go-wx'
      notify: Reload dconf
      loop:
        - { regexp: 'user-db', line: 'user-db:user' }
@ -48,7 +48,7 @@
        dest: /etc/dconf/db/gdm.d/01-banner-message
        owner: root
        group: root
-        mode: '0644'
+        mode: 'go-wx'
      notify: Reload dconf
 - name: "1.8.3 | PATCH | Ensure GDM disable-user-list option is enabled"
@ -68,7 +68,7 @@
    create: true
    owner: root
    group: root
-    mode: '0644'
+    mode: 'go-wx'
  notify: Reload dconf
  loop:
    - { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' }
@ -96,7 +96,7 @@
        create: true
        owner: root
        group: root
-        mode: '0644'
+        mode: 'go-wx'
      loop:
        - { regexp: '^user-db', line: 'user-db:user' }
        - { regexp: '^system-db', line: 'system-db:local' }
@ -106,7 +106,7 @@
        path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d"
        owner: root
        group: root
-        mode: '0755'
+        mode: 'go-w'
        state: directory
    - name: "1.8.4 | PATCH | Ensure GDM screen locks when the user is idle | Make conf file"
@ -115,7 +115,7 @@
        dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/00-screensaver"
        owner: root
        group: root
-        mode: '0644'
+        mode: 'go-wx'
      notify: Reload dconf
 - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden"
@ -134,7 +134,7 @@
        path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks"
        owner: root
        group: root
-        mode: '0755'
+        mode: 'go-w'
        state: directory
    - name: "1.8.5 | PATCH | Ensure GDM screen locks cannot be overridden | Make lock file"
@ -143,7 +143,7 @@
        dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-screensaver_lock"
        owner: root
        group: root
-        mode: '0644'
+        mode: 'go-wx'
      notify: Reload dconf
 - name: "1.8.6 | PATCH | Ensure GDM automatic mounting of removable media is disabled"
@ -161,7 +161,7 @@
    dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/00-media-automount"
    owner: root
    group: root
-    mode: '0644'
+    mode: 'go-wx'
  notify: Reload dconf
 - name: "1.8.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden"
@ -180,7 +180,7 @@
        path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks"
        owner: root
        group: root
-        mode: '0755'
+        mode: 'go-w'
        state: directory
    - name: "1.8.7 | PATCH | Ensure GDM disabling automatic mounting of removable media is not overridden | Make lock file"
@ -189,7 +189,7 @@
        dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-automount_lock"
        owner: root
        group: root
-        mode: '0644'
+        mode: 'go-wx'
      notify: Reload dconf
 - name: "1.8.8 | PATCH | Ensure GDM autorun-never is enabled"
@ -208,7 +208,7 @@
        path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d"
        owner: root
        group: root
-        mode: '0755'
+        mode: 'go-w'
        state: directory
    - name: "1.8.8 | PATCH | Ensure GDM autorun-never is enabled | Make conf file"
@ -217,7 +217,7 @@
        dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/00-media-autorun"
        owner: root
        group: root
-        mode: '0644'
+        mode: 'go-wx'
      notify: Reload dconf
 - name: "1.8.9 | PATCH | Ensure GDM autorun-never is not overridden"
@ -236,7 +236,7 @@
        path: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks"
        owner: root
        group: root
-        mode: '0755'
+        mode: 'go-w'
        state: directory
    - name: "1.8.9 | PATCH | Ensure GDM autorun-never is not overridden | Make lockfile"
@ -245,7 +245,7 @@
        dest: "/etc/dconf/db/{{ rhel9cis_dconf_db_name }}.d/locks/00-autorun_lock"
        owner: root
        group: root
-        mode: '0644'
+        mode: 'go-wx'
      notify: Reload dconf
 - name: "1.8.10 | PATCH | Ensure XDMCP is not enabled"
--- a/tasks/section_2/cis_2.1.x.yml
+++ b/tasks/section_2/cis_2.1.x.yml
@ -33,9 +33,7 @@
        masked: true
 - name: "2.1.2 | PATCH | Ensure avahi daemon services are not in use"
-  when:
+  when: rhel9cis_rule_2_1_2
    - rhel9cis_rule_2_1_2
    - "'avahi' in ansible_facts.packages or 'avahi-autopd' in ansible_facts.packages"
  tags:
    - level1-server
    - level2-workstation
@ -70,9 +68,7 @@
        - avahi-daemon.service
 - name: "2.1.3 | PATCH | Ensure dhcp server services are not in use"
-  when:
+  when: rhel9cis_rule_2_1_3
    - "'dhcp-server' in ansible_facts.packages"
    - rhel9cis_rule_2_1_3
  tags:
    - level1-server
    - level1-workstation
@ -105,9 +101,7 @@
        - dhcpd6.service
 - name: "2.1.4 | PATCH | Ensure dns server services are not in use"
-  when:
+  when: rhel9cis_rule_2_1_4
    - "'bind' in ansible_facts.packages"
    - rhel9cis_rule_2_1_4
  tags:
    - level1-server
    - level1-workstation
@ -137,9 +131,7 @@
        masked: true
 - name: "2.1.5 | PATCH | Ensure dnsmasq server services are not in use"
-  when:
+  when: rhel9cis_rule_2_1_5
    - "'dnsmasq' in ansible_facts.packages"
    - rhel9cis_rule_2_1_5
  tags:
    - level1-server
    - level1-workstation
@ -169,9 +161,7 @@
        masked: true
 - name: "2.1.6 | PATCH | Ensure samba file server services are not in use"
-  when:
+  when: rhel9cis_rule_2_1_6
    - "'samba' in ansible_facts.packages"
    - rhel9cis_rule_2_1_6
  tags:
    - level1-server
    - level1-workstation
@ -202,9 +192,7 @@
        masked: true
 - name: "2.1.7 | PATCH | Ensure ftp server services are not in use"
-  when:
+  when: rhel9cis_rule_2_1_7
    - "'ftp' in ansible_facts.packages"
    - rhel9cis_rule_2_1_7
  tags:
    - level1-server
    - level1-workstation
@ -235,9 +223,7 @@
        masked: true
 - name: "2.1.8 | PATCH | Ensure message access server services are not in use"
-  when:
+  when: rhel9cis_rule_2_1_8
    - "'dovecot' in ansible_facts.packages or 'cyrus-imapd' in ansible_facts.packages"
    - rhel9cis_rule_2_1_8
  tags:
    - level1-server
    - level1-workstation
@ -275,9 +261,7 @@
        - "cyrus-imapd.service"
 - name: "2.1.9 | PATCH | Ensure network file system services are not in use"
-  when:
+  when: rhel9cis_rule_2_1_9
    - "'nfs-utils' in ansible_facts.packages"
    - rhel9cis_rule_2_1_9
  tags:
    - level1-server
    - level1-workstation
@ -309,9 +293,7 @@
        masked: true
 - name: "2.1.10 | PATCH | Ensure nis server services are not in use"
-  when:
+  when: rhel9cis_rule_2_1_10
    - "'ypserv' in ansible_facts.packages"
    - rhel9cis_rule_2_1_10
  tags:
    - level1-server
    - level1-workstation
@ -341,9 +323,7 @@
        masked: true
 - name: "2.1.11 | PATCH | Ensure print server services are not in use"
-  when:
+  when: rhel9cis_rule_2_1_11
    - "'cups' in ansible_facts.packages"
    - rhel9cis_rule_2_1_11
  tags:
    - level1-server
    - automated
@ -375,9 +355,7 @@
        - "cups.service"
 - name: "2.1.12 | PATCH | Ensure rpcbind services are not in use"
-  when:
+  when: rhel9cis_rule_2_1_12
    - "'rpcbind' in ansible_facts.packages"
    - rhel9cis_rule_2_1_12
  tags:
    - level1-server
    - level1-workstation
@ -411,9 +389,7 @@
        - rpcbind.socket
 - name: "2.1.13 | PATCH | Ensure rsync services are not in use"
-  when:
+  when: rhel9cis_rule_2_1_13
    - "'rsync-daemon' in ansible_facts.packages"
    - rhel9cis_rule_2_1_13
  tags:
    - level1-server
    - level1-workstation
@ -447,9 +423,7 @@
        - 'rsyncd.service'
 - name: "2.1.14 | PATCH | Ensure snmp services are not in use"
-  when:
+  when: rhel9cis_rule_2_1_14
    - "'net-snmp' in ansible_facts.packages"
    - rhel9cis_rule_2_1_14
  tags:
    - level1-server
    - level1-workstation
@ -479,9 +453,7 @@
        masked: true
 - name: "2.1.15 | PATCH | Ensure telnet server services are not in use"
-  when:
+  when: rhel9cis_rule_2_1_15
    - "'telnet-server' in ansible_facts.packages"
    - rhel9cis_rule_2_1_15
  tags:
    - level1-server
    - level1-workstation
@ -512,9 +484,7 @@
        masked: true
 - name: "2.1.16 | PATCH | Ensure tftp server services are not in use"
-  when:
+  when: rhel9cis_rule_2_1_16
    - "'tftp-server' in ansible_facts.packages"
    - rhel9cis_rule_2_1_16
  tags:
    - level1-server
    - level1-workstation
@ -547,9 +517,7 @@
        - 'tftp.service'
 - name: "2.1.17 | PATCH | Ensure web proxy server services are not in use"
-  when:
+  when: rhel9cis_rule_2_1_17
    - "'squid' in ansible_facts.packages"
    - rhel9cis_rule_2_117
  tags:
    - level1-server
    - level1-workstation
@ -580,8 +548,7 @@
        masked: true
 - name: "2.1.18 | PATCH | Ensure web server services are not in use"
-  when:
+  when: rhel9cis_rule_2_1_18
    - rhel9cis_rule_2_1_18
  tags:
    - level1-server
    - level1-workstation
@ -597,7 +564,6 @@
      when:
        - not rhel9cis_httpd_server
        - not rhel9cis_httpd_mask
        - "'httpd' in ansible_facts.packages"
      ansible.builtin.package:
        name: httpd
        state: absent
@ -606,7 +572,6 @@
      when:
        - not rhel9cis_nginx_server
        - not rhel9cis_nginx_mask
        - "'nginx' in ansible_facts.packages"
      ansible.builtin.package:
        name: nginx
        state: absent
@ -615,7 +580,6 @@
      when:
        - not rhel9cis_httpd_server
        - rhel9cis_httpd_mask
        - "'httpd' in ansible_facts.packages"
      notify: Systemd_daemon_reload
      ansible.builtin.systemd:
        name: httpd.service
@ -627,7 +591,6 @@
      when:
        - not rhel9cis_nginx_server
        - rhel9cis_nginx_mask
        - "'nginx' in ansible_facts.packages"
      notify: Systemd_daemon_reload
      ansible.builtin.systemd:
        name: ngnix.service
@ -636,9 +599,7 @@
        masked: true
 - name: "2.1.19 | PATCH | Ensure xinetd services are not in use"
-  when:
+  when: rhel9cis_rule_2_1_19
    - "'xinetd' in ansible_facts.packages"
    - rhel9cis_rule_2_1_19
  tags:
    - level1-server
    - level1-workstation
@ -670,7 +631,6 @@
 - name: "2.1.20 | PATCH | Ensure X window server services are not in use"
  when:
    - not rhel9cis_xwindow_server
    - "'xorg-x11-server-common' in ansible_facts.packages"
    - rhel9cis_rule_2_1_20
  tags:
    - level1-server
@ -704,8 +664,7 @@
    line: "inet_interfaces = loopback-only"
 - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface"
-  when:
+  when: rhel9cis_rule_2_1_22
    - rhel9cis_rule_2_1_22
  tags:
    - level1-server
    - level1-workstation
@ -717,8 +676,8 @@
  vars:
    warn_control_id: '2.1.22'
  block:
-    - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Get list of services"
+    - name: "2.1.22 | AUDIT | Ensure only approved services are listening on a network interface | Get list of services"  # noqa command-instead-of-module
-      ansible.builtin.shell: systemctl list-units --type=service
+      ansible.builtin.command: systemctl list-units --type=service
      changed_when: false
      failed_when: discovered_running_services.rc not in [ 0, 1 ]
      check_mode: false
--- a/tasks/section_2/cis_2.2.x.yml
+++ b/tasks/section_2/cis_2.2.x.yml
@ -3,7 +3,6 @@
 - name: "2.2.1 | PATCH | Ensure ftp client is not installed"
  when:
    - not rhel9cis_ftp_client
    - "'ftp' in ansible_facts.packages"
    - rhel9cis_rule_2_2_1
  tags:
    - level1-server
@ -20,7 +19,6 @@
 - name: "2.2.2 | PATCH | Ensure ldap client is not installed"
  when:
    - not rhel9cis_openldap_clients_required
    - "'openldap-clients' in ansible_facts.packages"
    - rhel9cis_rule_2_2_2
  tags:
    - level2-server
@ -37,7 +35,6 @@
 - name: "2.2.3 | PATCH | Ensure nis client is not installed"
  when:
    - not rhel9cis_ypbind_required
    - "'ypbind' in ansible_facts.packages"
    - rhel9cis_rule_2_2_3
  tags:
    - level1-server
@ -54,7 +51,6 @@
 - name: "2.2.4 | PATCH | Ensure telnet client is not installed"
  when:
    - not rhel9cis_telnet_required
    - "'telnet' in ansible_facts.packages"
    - rhel9cis_rule_2_2_4
  tags:
    - level1-server
@ -71,7 +67,6 @@
 - name: "2.2.5 | PATCH | Ensure TFTP client is not installed"
  when:
    - not rhel9cis_tftp_client
    - "'tftp' in ansible_facts.packages"
    - rhel9cis_rule_2_2_5
  tags:
    - level1-server
--- a/tasks/section_2/cis_2.3.x.yml
+++ b/tasks/section_2/cis_2.3.x.yml
@ -31,7 +31,7 @@
    dest: /etc/chrony.conf
    owner: root
    group: root
-    mode: '0644'
+    mode: 'go-wx'
 - name: "2.3.3 | PATCH | Ensure chrony is not run as the root user"
  when:
@ -48,4 +48,4 @@
    line: OPTIONS="\1 -u chrony"
    create: true
    backrefs: true
-    mode: '0644'
+    mode: 'go-wx'
--- a/tasks/section_2/cis_2.4.x.yml
+++ b/tasks/section_2/cis_2.4.x.yml
@ -1,8 +1,7 @@
 ---
 - name: "2.4.1.1 | PATCH | Ensure cron daemon is enabled"
-  when:
+  when: rhel9cis_rule_2_4_1_1
    - rhel9cis_rule_2_4_1_1
  tags:
    - level1-server
    - level1-workstation
@ -19,8 +18,7 @@
    enabled: true
 - name: "2.4.1.2 | PATCH | Ensure permissions on /etc/crontab are configured"
-  when:
+  when: rhel9cis_rule_2_4_1_2
    - rhel9cis_rule_2_4_1_2
  tags:
    - level1-server
    - level1-workstation
@ -33,11 +31,10 @@
    path: /etc/crontab
    owner: root
    group: root
-    mode: og-rwx
+    mode: 'og-rwx'
 - name: "2.4.1.3 | PATCH | Ensure permissions on /etc/cron.hourly are configured"
-  when:
+  when: rhel9cis_rule_2_4_1_3
    - rhel9cis_rule_2_4_1_3
  tags:
    - level1-server
    - level1-workstation
@ -51,11 +48,10 @@
    state: directory
    owner: root
    group: root
-    mode: og-rwx
+    mode: 'og-rwx'
 - name: "2.4.1.4 | PATCH | Ensure permissions on /etc/cron.daily are configured"
-  when:
+  when: rhel9cis_rule_2_4_1_4
    - rhel9cis_rule_2_4_1_4
  tags:
    - level1-server
    - level1-workstation
@ -67,11 +63,10 @@
    state: directory
    owner: root
    group: root
-    mode: og-rwx
+    mode: 'og-rwx'
 - name: "2.4.1.5 | PATCH | Ensure permissions on /etc/cron.weekly are configured"
-  when:
+  when: rhel9cis_rule_2_4_1_5
    - rhel9cis_rule_2_4_1_5
  tags:
    - level1-server
    - level1-workstation
@ -84,11 +79,10 @@
    state: directory
    owner: root
    group: root
-    mode: og-rwx
+    mode: 'og-rwx'
 - name: "2.4.1.6 | PATCH | Ensure permissions on /etc/cron.monthly are configured"
-  when:
+  when: rhel9cis_rule_2_4_1_6
    - rhel9cis_rule_2_4_1_6
  tags:
    - level1-server
    - level1-workstation
@ -101,11 +95,10 @@
    state: directory
    owner: root
    group: root
-    mode: og-rwx
+    mode: 'og-rwx'
 - name: "2.4.1.7 | PATCH | Ensure permissions on /etc/cron.d are configured"
-  when:
+  when: rhel9cis_rule_2_4_1_7
    - rhel9cis_rule_2_4_1_7
  tags:
    - level1-server
    - level1-workstation
@ -119,11 +112,10 @@
    state: directory
    owner: root
    group: root
-    mode: '0700'
+    mode: 'og-rwx'
 - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users"
-  when:
+  when: rhel9cis_rule_2_4_1_8
    - rhel9cis_rule_2_4_1_8
  tags:
    - level1-server
    - level1-workstation
@ -146,14 +138,13 @@
    - name: "2.4.1.8 | PATCH | Ensure crontab is restricted to authorized users | Ensure cron.allow is restricted to authorized users"
      ansible.builtin.file:
        path: /etc/cron.allow
-        state: '{{ "file" if  discovered_cron_allow_state.stat.exists else "touch" }}'
+        state: '{{ "file" if discovered_cron_allow_state.stat.exists else "touch" }}'
        owner: root
        group: root
-        mode: u-x,g-wx,o-rwx
+        mode: 'u-x,g-wx,o-rwx'
 - name: "2.4.2.1 | PATCH | Ensure at is restricted to authorized users"
-  when:
+  when: rhel9cis_rule_2_4_2_1
    - rhel9cis_rule_2_4_2_1
  tags:
    - level1-server
    - level1-workstation
@ -179,4 +170,4 @@
        state: '{{ "file" if discovered_at_allow_state.stat.exists else "touch" }}'
        owner: root
        group: root
-        mode: u-x,g-wx,o-rwx
+        mode: 'u-x,g-wx,o-rwx'
--- a/tasks/section_3/cis_3.1.x.yml
+++ b/tasks/section_3/cis_3.1.x.yml
@ -40,7 +40,7 @@
  block:
    - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Check for network-manager tool"
      when: "'network-manager' in ansible_facts.packages"
-      ansible.builtin.shell: nmcli radio wifi
+      ansible.builtin.command: nmcli radio wifi
      changed_when: false
      failed_when: false
      check_mode: false
@ -50,7 +50,7 @@
      when:
        - "'network-manager' in ansible_facts.packages"
        - "'enabled' in discovered_wifi_status.stdout"
-      ansible.builtin.shell: nmcli radio all off
+      ansible.builtin.command: nmcli radio all off
      changed_when: discovered_nmcli_radio_off.rc == 0
      register: discovered_nmcli_radio_off
@ -65,8 +65,7 @@
        file: warning_facts.yml
 - name: "3.1.3 | PATCH | Ensure bluetooth services are not in use"
-  when:
+  when: rhel9cis_rule_3_1_3
    - rhel9cis_rule_3_1_3
  tags:
    - level1-server
    - level2-workstation
--- a/tasks/section_3/cis_3.2.x.yml
+++ b/tasks/section_3/cis_3.2.x.yml
@ -1,8 +1,7 @@
 ---
 - name: "3.2.1 | PATCH | Ensure dccp kernel module is not available"
-  when:
+  when: rhel9cis_rule_3_2_1
    - rhel9cis_rule_3_2_1
  tags:
    - level2-server
    - level2-workstation
@ -18,6 +17,7 @@
        regexp: '^(#)?install dccp(\\s|$)'
        line: "{{ item }}"
        create: true
        mode: 'go-wx'
      loop:
        - install dccp /bin/true
        - blacklist dccp
@ -28,11 +28,10 @@
        regexp: "^(#)?blacklist cramfs(\\s|$)"
        line: "blacklist cramfs"
        create: true
-        mode: '0600'
+        mode: 'go-wx'
 - name: "3.2.2 | PATCH | Ensure tipc kernel module is not available"
-  when:
+  when: rhel9cis_rule_3_2_2
    - rhel9cis_rule_3_2_2
  tags:
    - level2-server
    - level2-workstation
@ -48,6 +47,7 @@
        regexp: '^(#)?install tipc(\\s|$)'
        line: "{{ item }}"
        create: true
        mode: 'go-wx'
      loop:
        - install tipc /bin/true
        - blacklist tipc
@ -58,11 +58,10 @@
        regexp: "^(#)?blacklist tipc(\\s|$)"
        line: "blacklist tipc"
        create: true
-        mode: '0600'
+        mode: 'go-wx'
 - name: "3.2.3 | PATCH | Ensure rds kernel module is not available"
-  when:
+  when: rhel9cis_rule_3_2_3
    - rhel9cis_rule_3_2_3
  tags:
    - level2-server
    - level2-workstation
@ -78,6 +77,7 @@
        regexp: '^(#)?install rds(\\s|$)'
        line: "{{ item }}"
        create: true
        mode: 'go-wx'
      loop:
        - install rds /bin/true
        - blacklist rds
@ -88,11 +88,10 @@
        regexp: "^(#)?blacklist rds(\\s|$)"
        line: "blacklist rds"
        create: true
-        mode: '0600'
+        mode: 'go-wx'
 - name: "3.2.4 | PATCH | Ensure sctp kernel module is not available"
-  when:
+  when: rhel9cis_rule_3_2_4
    - rhel9cis_rule_3_2_4
  tags:
    - level2-server
    - level2-workstation
@ -108,6 +107,7 @@
        regexp: '^(#)?install sctp(\\s|$)'
        line: "{{ item }}"
        create: true
        mode: 'go-wx'
      loop:
        - install sctp /bin/true
        - blacklist sctp
@ -118,4 +118,4 @@
        regexp: "^(#)?blacklist sctp(\\s|$)"
        line: "blacklist sctp"
        create: true
-        mode: '0600'
+        mode: 'go-wx'
--- a/tasks/section_3/cis_3.3.x.yml
+++ b/tasks/section_3/cis_3.3.x.yml
@ -61,8 +61,7 @@
        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
 - name: "3.3.3 | PATCH | Ensure bogus ICMP responses are ignored"
-  when:
+  when: rhel9cis_rule_3_3_3
    - rhel9cis_rule_3_3_3
  tags:
    - level1-server
    - level1-workstation
@ -85,8 +84,7 @@
        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
 - name: "3.3.4 | PATCH | Ensure broadcast ICMP requests are ignored"
-  when:
+  when: rhel9cis_rule_3_3_4
    - rhel9cis_rule_3_3_4
  tags:
    - level1-server
    - level1-workstation
@ -109,8 +107,7 @@
        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
 - name: "3.3.5 | PATCH | Ensure ICMP redirects are not accepted"
-  when:
+  when: rhel9cis_rule_3_3_5
    - rhel9cis_rule_3_3_5
  tags:
    - level1-server
    - level1-workstation
@ -144,8 +141,7 @@
            msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
 - name: "3.3.6 | PATCH | Ensure secure ICMP redirects are not accepted"
-  when:
+  when: rhel9cis_rule_3_3_6
    - rhel9cis_rule_3_3_6
  tags:
    - level1-server
    - level1-workstation
@ -179,8 +175,7 @@
            msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
 - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled"
-  when:
+  when: rhel9cis_rule_3_3_7
    - rhel9cis_rule_3_3_7
  tags:
    - level1-server
    - level1-workstation
@ -203,8 +198,7 @@
        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
 - name: "3.3.8 | PATCH | Ensure source routed packets are not accepted"
-  when:
+  when: rhel9cis_rule_3_3_8
    - rhel9cis_rule_3_3_8
  tags:
    - level1-server
    - level1-workstation
@ -237,8 +231,7 @@
            msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv6_sysctl.conf"
 - name: "3.3.9 | PATCH | Ensure suspicious packets are logged"
-  when:
+  when: rhel9cis_rule_3_3_9
    - rhel9cis_rule_3_3_9
  tags:
    - level1-server
    - level1-workstation
@ -257,8 +250,7 @@
        msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf"
 - name: "3.3.10 | PATCH | Ensure TCP SYN Cookies is enabled"
-  when:
+  when: rhel9cis_rule_3_3_10
    - rhel9cis_rule_3_3_10
  tags:
    - level1-server
    - level1-workstation
--- a/tasks/section_4/cis_4.1.x.yml
+++ b/tasks/section_4/cis_4.1.x.yml
@ -17,8 +17,7 @@
    state: present
 - name: "4.1.2 | PATCH | Ensure a single firewall configuration utility is in use"
-  when:
+  when: rhel9cis_rule_4_1_2
    - rhel9cis_rule_4_1_2
  tags:
    - level1-server
    - level1-workstation
@ -52,7 +51,7 @@
        name: "{{ rhel9cis_firewall }}"
        state: installed
-    - name: "4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | {{ rhel9cis_firewall }} started and enabled"
+    - name: "4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | {{ rhel9cis_firewall }} started and enabled"  # noqa name[template]
      ansible.builtin.systemd:
        name: "{{ rhel9cis_firewall }}"
        enabled: true
--- a/tasks/section_4/cis_4.2.x.yml
+++ b/tasks/section_4/cis_4.2.x.yml
@ -1,8 +1,7 @@
 ---
 - name: "4.2.1 | AUDIT | Ensure firewalld drops unnecessary services and ports"
-  when:
+  when: rhel9cis_rule_4_2_1
    - rhel9cis_rule_4_2_1
  tags:
    - level1-server
    - level1-workstation
@ -25,8 +24,7 @@
          - "{{ discovered_services_and_ports.stdout_lines }}"
 - name: "4.2.2 | PATCH | Ensure firewalld loopback traffic is configured | firewalld"
-  when:
+  when: rhel9cis_rule_4_2_2
    - rhel9cis_rule_4_2_2
  tags:
    - level1-server
    - level1-workstation
--- a/tasks/section_4/cis_4.3.x.yml
+++ b/tasks/section_4/cis_4.3.x.yml
@ -8,11 +8,11 @@
    - rhel9cis_rule_4_3_3
    - rhel9cis_rule_4_3_4
  tags: always
-  ansible.builtin.shell: "nft add table inet {{ rhel9cis_nft_tables_tablename }}"
+  ansible.builtin.command: "nft add table inet {{ rhel9cis_nft_tables_tablename }}"
  changed_when: true
 - name: "4.3.1 | PATCH | Ensure nftables base chains exist"
-  when:
+  when: rhel9cis_rule_4_3_1
    - rhel9cis_rule_4_3_1
  tags:
    - level1-server
    - level1-workstation
@ -52,7 +52,8 @@
    - name: "4.3.1 | PATCH | Ensure nftables base chains exist | Create chains if needed"
      when: rhel9cis_nft_tables_autochaincreate
-      ansible.builtin.shell: "{{ item }}"
+      ansible.builtin.command: "{{ item }}"
      changed_when: true
      failed_when: false
      loop:
        - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" input { type filter hook input priority 0 \; }
@ -60,8 +61,7 @@
        - nft create chain inet "{{ rhel9cis_nft_tables_tablename }}" output { type filter hook output priority 0 \; }
 - name: "4.3.2 | PATCH | Ensure nftables established connections are configured"
-  when:
+  when: rhel9cis_rule_4_3_2
    - rhel9cis_rule_4_3_2
  tags:
    - level1-server
    - level1-workstation
@ -84,31 +84,36 @@
    - name: "4.3.2| PATCH | Ensure nftables established connections are configured | Add input tcp established accept policy"
      when: '"ip protocol tcp ct state established accept" not in discovered_nftables_inconnectionrule.stdout'
-      ansible.builtin.shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept
+      ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept
      changed_when: true
    - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add input udp established accept policy"
      when: '"ip protocol udp ct state established accept" not in discovered_nftables_inconnectionrule.stdout'
      ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol udp ct state established accept
      changed_when: true
    - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add input icmp established accept policy"
      when: '"ip protocol icmp ct state established accept" not in discovered_nftables_inconnectionrule.stdout'
      ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol icmp ct state established accept
      changed_when: true
    - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add output tcp new, related, established accept policy"
      when: '"ip protocol tcp ct state established,related,new accept" not in discovered_nftables_outconnectionrule.stdout'
      ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept
      changed_when: true
    - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add output udp new, related, established accept policy"
      when: '"ip protocol udp ct state established,related,new accept" not in discovered_nftables_outconnectionrule.stdout'
      ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept
      changed_when: true
    - name: "4.3.2 | PATCH | Ensure nftables established connections are configured | Add output icmp new, related, established accept policy"
      when: '"ip protocol icmp ct state established,related,new accept" not in discovered_nftables_outconnectionrule.stdout'
      ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept
      changed_when: true
 - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy"
-  when:
+  when: rhel9cis_rule_4_3_3
    - rhel9cis_rule_4_3_3
  tags:
    - level1-server
    - level1-workstation
@ -144,22 +149,25 @@
    - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Enable SSH traffic"
      when: '"tcp dport ssh accept" not in discovered_nftables_sshallowcheck.stdout'
      ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input tcp dport ssh accept
      changed_when: true
    - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Set hook input deny policy"
      when: '"type filter hook input priority 0; policy drop;" not in discovered_nftables_inputpolicy.stdout'
      ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" input { policy drop \; }
      changed_when: true
    - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Create hook forward deny policy"
      when: '"type filter hook forward priority 0; policy drop;" not in discovered_nftables_forwardpolicy.stdout'
      ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { policy drop \; }
      changed_when: true
    - name: "4.3.3 | PATCH | Ensure nftables default deny firewall policy | Create hook output deny policy"
      when: '"type filter hook output priority 0; policy drop;" not in discovered_nftables_outputpolicy.stdout'
      ansible.builtin.command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; }
      changed_when: true
 - name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured"
-  when:
+  when: rhel9cis_rule_4_3_4
    - rhel9cis_rule_4_3_4
  tags:
    - level1-server
    - level1-workstation
@ -189,11 +197,14 @@
    - name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set iif lo accept rule | nftables"
      when: '"iif \"lo\" accept" not in discovered_nftables_iiflo.stdout'
      ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept
      changed_when: true
    - name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set ip sddr rule | nftables"
      when: '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in discovered_nftables_ipsaddr.stdout'
      ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop
      changed_when: true
    - name: "4.3.4 | PATCH | Ensure nftables loopback traffic is configured | Set ip6 saddr rule | nftables"
      when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in discovered_nftables_ip6saddr.stdout'
      ansible.builtin.command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop
      changed_when: true
--- a/tasks/section_5/cis_5.1.x.yml
+++ b/tasks/section_5/cis_5.1.x.yml
@ -1,8 +1,7 @@
 ---
 - name: "5.1.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured"
-  when:
+  when: rhel9cis_rule_5_1_1
    - rhel9cis_rule_5_1_1
  tags:
    - level1-server
    - level1-workstation
@ -16,11 +15,10 @@
    path: "/etc/ssh/sshd_config"
    owner: root
    group: root
-    mode: '0600'
+    mode: 'go-rwx'
 - name: "5.1.2 | PATCH | Ensure permissions on SSH private host key files are configured"
-  when:
+  when: rhel9cis_rule_5_1_2
    - rhel9cis_rule_5_1_2
  tags:
    - level1-server
    - level1-workstation
@ -50,8 +48,7 @@
        label: "{{ item.path }}"
 - name: "5.1.3 | PATCH | Ensure permissions on SSH public host key files are configured"
-  when:
+  when: rhel9cis_rule_5_1_3
    - rhel9cis_rule_5_1_3
  tags:
    - level1-server
    - level1-workstation
@ -98,7 +95,7 @@
        dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod
        owner: root
        group: root
-        mode: '0640'
+        mode: 'g-wx,o-rwx'
      notify:
        - Update Crypto Policy
        - Set Crypto Policy
@ -126,7 +123,7 @@
        dest: /etc/crypto-policies/policies/modules/NO-SHA1.pmod
        owner: root
        group: root
-        mode: '0640'
+        mode: 'g-wx,o-rwx'
      notify:
        - Update Crypto Policy
        - Set Crypto Policy
@ -154,7 +151,7 @@
        dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod
        owner: root
        group: root
-        mode: '0640'
+        mode: 'g-wx,o-rwx'
      notify:
        - Update Crypto Policy
        - Set Crypto Policy
@ -164,8 +161,7 @@
        rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHWEAKMACS' }}"
 - name: "5.1.7 | PATCH | Ensure sshd access is configured"
-  when:
+  when: rhel9cis_rule_5_1_7
    - rhel9cis_rule_5_1_7
  tags:
    - level1-server
    - level1-workstation
@ -212,8 +208,7 @@
      notify: Restart sshd
 - name: "5.1.8 | PATCH | Ensure sshd Banner is configured"
-  when:
+  when: rhel9cis_rule_5_1_8
    - rhel9cis_rule_5_1_8
  tags:
    - level1-server
    - level1-workstation
@ -231,8 +226,7 @@
    line: 'Banner /etc/issue.net'
 - name: "5.1.9 | PATCH | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured"
-  when:
+  when: rhel9cis_rule_5_1_9
    - rhel9cis_rule_5_1_9
  tags:
    - level1-server
    - level1-workstation
@ -262,8 +256,7 @@
      notify: Restart sshd
 - name: "5.1.10 | PATCH | Ensure sshd DisableForwarding is enabled"
-  when:
+  when: rhel9cis_rule_5_1_10
    - rhel9cis_rule_5_1_10
  tags:
    - level2-server
    - level1-workstation
@ -289,8 +282,7 @@
      notify: Restart sshd
 - name: "5.1.11 | PATCH | Ensure sshd GSSAPIAuthentication is disabled"
-  when:
+  when: rhel9cis_rule_5_1_11
    - rhel9cis_rule_5_1_11
  tags:
    - level1-server
    - level1-workstation
@ -320,8 +312,7 @@
      notify: Restart sshd
 - name: "5.1.12 | PATCH | Ensure sshd HostbasedAuthentication is disabled"
-  when:
+  when: rhel9cis_rule_5_1_12
    - rhel9cis_rule_5_1_12
  tags:
    - level1-server
    - level1-workstation
@ -341,8 +332,7 @@
  notify: Restart sshd
 - name: "5.1.13 | PATCH | Ensure sshd IgnoreRhosts is enabled"
-  when:
+  when: rhel9cis_rule_5_1_13
    - rhel9cis_rule_5_1_13
  tags:
    - level1-server
    - level1-workstation
@ -362,8 +352,7 @@
  notify: Restart sshd
 - name: "5.1.14 | PATCH | Ensure sshd LoginGraceTime is set to one minute or less"
-  when:
+  when: rhel9cis_rule_5_1_14
    - rhel9cis_rule_5_1_14
  tags:
    - level1-server
    - level1-workstation
@ -379,8 +368,7 @@
  notify: Restart sshd
 - name: "5.1.15 | PATCH | Ensure sshd LogLevel is appropriate"
-  when:
+  when: rhel9cis_rule_5_1_15
    - rhel9cis_rule_5_1_15
  tags:
    - level1-server
    - level1-workstation
@ -398,8 +386,7 @@
  notify: Restart sshd
 - name: "5.1.16 | PATCH | Ensure sshd MaxAuthTries is set to 4 or less"
-  when:
+  when: rhel9cis_rule_5_1_16
    - rhel9cis_rule_5_1_16
  tags:
    - level1-server
    - level1-workstation
@ -415,8 +402,7 @@
  notify: Restart sshd
 - name: "5.1.17 | PATCH | Ensure sshd MaxStartups is configured"
-  when:
+  when: rhel9cis_rule_5_1_17
    - rhel9cis_rule_5_1_17
  tags:
    - level1-server
    - level1-workstation
@ -436,8 +422,7 @@
  notify: Restart sshd
 - name: "5.1.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less"
-  when:
+  when: rhel9cis_rule_5_1_18
    - rhel9cis_rule_5_1_18
  tags:
    - level1-server
    - level1-workstation
@ -457,8 +442,7 @@
  notify: Restart sshd
 - name: "5.1.19 | PATCH | Ensure sshd PermitEmptyPasswords is disabled"
-  when:
+  when: rhel9cis_rule_5_1_19
    - rhel9cis_rule_5_1_19
  tags:
    - level1-server
    - level1-workstation
@ -478,8 +462,7 @@
  notify: Restart sshd
 - name: "5.1.20 | PATCH | Ensure sshd PermitRootLogin is disabled"
-  when:
+  when: rhel9cis_rule_5_1_20
    - rhel9cis_rule_5_1_20
  tags:
    - level1-server
    - level1-workstation
@ -503,8 +486,7 @@
      notify: Restart sshd
 - name: "5.1.21 | PATCH | Ensure sshd PermitUserEnvironment is disabled"
-  when:
+  when: rhel9cis_rule_5_1_21
    - rhel9cis_rule_5_1_21
  tags:
    - level1-server
    - level1-workstation
@ -524,8 +506,7 @@
  notify: Restart sshd
 - name: "5.1.22 | PATCH | Ensure SSH PAM is enabled"
-  when:
+  when: rhel9cis_rule_5_1_22
    - rhel9cis_rule_5_1_22
  tags:
    - level1-server
    - level1-workstation
--- a/tasks/section_5/cis_5.2.x.yml
+++ b/tasks/section_5/cis_5.2.x.yml
@ -1,8 +1,7 @@
 ---
 - name: "5.2.1 | PATCH | Ensure sudo is installed"
-  when:
+  when: rhel9cis_rule_5_2_1
    - rhel9cis_rule_5_2_1
  tags:
    - level1-server
    - level1-workstation
@ -15,8 +14,7 @@
    state: present
 - name: "5.2.2 | PATCH | Ensure sudo commands use pty"
-  when:
+  when: rhel9cis_rule_5_2_2
    - rhel9cis_rule_5_2_2
  tags:
    - level1-server
    - level1-workstation
@ -30,8 +28,7 @@
    validate: '/usr/sbin/visudo -cf %s'
 - name: "5.2.3 | PATCH | Ensure sudo log file exists"
-  when:
+  when: rhel9cis_rule_5_2_3
    - rhel9cis_rule_5_2_3
  tags:
    - level1-server
    - level1-workstation
@ -47,8 +44,7 @@
    validate: '/usr/sbin/visudo -cf %s'
 - name: "5.2.4 | PATCH | Ensure users must provide password for escalation"
-  when:
+  when: rhel9cis_rule_5_2_4
    - rhel9cis_rule_5_2_4
  tags:
    - level2-server
    - level2-workstation
@ -74,8 +70,7 @@
      loop: "{{ discovered_nopasswd_sudoers.stdout_lines }}"
 - name: "5.2.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally"
-  when:
+  when: rhel9cis_rule_5_2_5
    - rhel9cis_rule_5_2_5
  tags:
    - level1-server
    - level1-workstation
@ -101,8 +96,7 @@
      loop: "{{ discovered_priv_reauth.stdout_lines }}"
 - name: "5.2.6 | PATCH | Ensure sudo authentication timeout is configured correctly"
-  when:
+  when: rhel9cis_rule_5_2_6
    - rhel9cis_rule_5_2_6
  tags:
    - level1-server
    - level1-workstation
@ -134,8 +128,7 @@
      loop: "{{ discovered_sudo_timeout_files.stdout_lines }}"
 - name: "5.2.7 | PATCH | Ensure access to the su command is restricted"
-  when:
+  when: rhel9cis_rule_5_2_7
    - rhel9cis_rule_5_2_7
  tags:
    - level1-server
    - level1-workstation
--- a/tasks/section_5/cis_5.3.2.x.yml
+++ b/tasks/section_5/cis_5.3.2.x.yml
@ -17,12 +17,13 @@
      when:
        - rhel9cis_authselect_custom_profile_name not in prelim_authselect_current_profile.stdout or
          prelim_authselect_current_profile.stdout is not defined
-      ansible.builtin.shell: "/usr/bin/authselect create-profile {{ rhel9cis_authselect_custom_profile_name }} -b {{ rhel9cis_authselect_default_profile_to_copy }}"
+      ansible.builtin.command: "/usr/bin/authselect create-profile {{ rhel9cis_authselect_custom_profile_name }} -b {{ rhel9cis_authselect_default_profile_to_copy }}"
      changed_when: true
      args:
        creates: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}"
    - name: "5.3.2.1 | AUDIT | Ensure active authselect profile includes pam modules | get profile features"
-      ansible.builtin.shell: "/usr/bin/authselect list-features custom/{{ rhel9cis_authselect_custom_profile_name }}"
+      ansible.builtin.command: "/usr/bin/authselect list-features custom/{{ rhel9cis_authselect_custom_profile_name }}"
      changed_when: false
      register: discovered_authselect_profile_features
@ -37,7 +38,8 @@
        - password
    - name: "5.3.2.1 | PATCH | Ensure active authselect profile includes pam modules | Backup and Add pam modules"
-      ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %} --force --backup=rhel9cis-preremediate-{{ lookup('pipe', 'date +%Y-%m-%d-%H%M') }}"
+      ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %} --force --backup=rhel9cis-preremediate-{{ lookup('pipe', 'date +%Y-%m-%d-%H%M') }}"
      changed_when: true
 - name: "5.3.2.2 | PATCH | Ensure pam_faillock module is enabled"
  when:
@ -64,9 +66,11 @@
      failed_when: discovered_authselect_current_faillock.rc not in [ 0, 1 ]
      register: discovered_authselect_current_faillock
-    - name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add feature if missing"
+    - name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add feature if missing"  # noqa syntax-check[specific]"
      when: discovered_authselect_current_faillock.rc != 0
-      ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
+      ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
      changed_when: true
      notify: Authselect update
 - name: "5.3.2.3 | PATCH | Ensure pam_pwquality module is enabled"
  when:
@ -90,7 +94,8 @@
    - name: "5.3.2.3 | AUDIT | Ensure pam_pwquality module is enabled | Add feature if missing"
      when: discovered_authselect_current_quality.rc != 0
-      ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
+      ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
      changed_when: true
      notify: Authselect update
 - name: "5.3.2.4 | PATCH | Ensure pam_pwhistory module is enabled"
@ -115,7 +120,8 @@
    - name: "5.3.2.4 | PATCH | Ensure pam_pwhistory module is enabled | enable feature"
      when: discovered_authselect_current_history.rc != 0
-      ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
+      ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
      changed_when: true
      notify: Authselect update
 - name: "5.3.2.5 | PATCH | Ensure pam_unix module is enabled"
@ -133,8 +139,7 @@
    - rule_5.3.2.5
  block:
    - name: "5.3.2.5 | AUDIT | Ensure pam_unix module is enabled"
-      ansible.builtin.shell: |
+      ansible.builtin.command: grep -P -- '\b(pam_unix\.so)\b' /etc/authselect/"$(head -1 /etc/authselect/authselect.conf)"/{system,password}-auth
        grep -P -- '\b(pam_unix\.so)\b' /etc/authselect/"$(head -1 /etc/authselect/authselect.conf)"/{system,password}-auth
      changed_when: false
      failed_when: discovered_discovered_authselect_pam_unix.rc not in [ 0, 1 ]
      register: discovered_discovered_authselect_pam_unix
@ -142,12 +147,12 @@
    - name: "5.3.2.5 | PATCH | Ensure pam_unix module is enabled | system-auth"
      when: "'system-auth:password' not in discovered_authselect_pam_unix.stdout"
      ansible.builtin.lineinfile:
-        path: /etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/system-auth
+        path: /etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/system-auth
        regexp: "{{ item.regexp }}"
        line: "{{ item.line }}"
        backrefs: true
-        insertafter: "{{ item.after | default (omit) }}"
+        insertafter: "{{ item.after | default(omit) }}"
-        insertbefore: "{{ item.before | default (omit) }}"
+        insertbefore: "{{ item.before | default(omit) }}"
        loop:
          - { regexp: '^(auth\s+)sufficient(\s+pam_unix.so.*)(.*)', line: '\1sufficient\2\3', after: '^auth.*pam_faillock.*preauth' }
          - { regexp: '^(password\s+)sufficient(\s+pam_unix.so.*)(.*)', line: '\1sufficient\2\3', before: '^password.*pam_deny.so' }
@ -156,12 +161,12 @@
    - name: "5.3.2.5 | PATCH | Ensure pam_unix module is enabled | password-auth"
      when: "'password-auth:password' not in discovered_authselect_pam_unix.stdout"
      ansible.builtin.lineinfile:
-        path: /etc/authselect/custom/{{ rhel9cis_authselect['custom_profile_name'] }}/password-auth
+        path: /etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/password-auth
        line: "{{ item.line }}"
        regexp: "{{ item.regexp }}"
        backrefs: true
-        insertafter: "{{ item.after | default (omit) }}"
+        insertafter: "{{ item.after | default(omit) }}"
-        insertbefore: "{{ item.before | default (omit) }}"
+        insertbefore: "{{ item.before | default(omit) }}"
        loop:
          - { regexp: '^(auth\s+)sufficient(\s+pam_unix.so.*)(.*)', line: '\1sufficient\2\2', after: '^auth.*pam_faillock.*preauth' }
          - { regexp: '^(password\s+)sufficient(\s+pam_unix.so.*)(.*)', line: '\1sufficient\2\3', before: '^password.*pam_deny.so' }
--- a/tasks/section_5/cis_5.3.3.1.x.yml
+++ b/tasks/section_5/cis_5.3.3.1.x.yml
@ -1,8 +1,7 @@
 ---
 - name: "5.3.3.1.1 | PATCH | Ensure password failed attempts lockout is configured"
-  when:
+  when: rhel9cis_rule_5_3_3_1_1
    - rhel9cis_rule_5_3_3_1_1
  tags:
    - level1-server
    - level1-workstation
@ -44,8 +43,7 @@
      notify: Authselect update
 - name: "5.3.3.1.2 | PATCH | Ensure password unlock time is configured"
-  when:
+  when: rhel9cis_rule_5_3_3_1_2
    - rhel9cis_rule_5_3_3_1_2
  tags:
    - level1-server
    - level1-workstation
@ -87,8 +85,7 @@
      notify: Authselect update
 - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account"
-  when:
+  when: rhel9cis_rule_5_3_3_1_3
    - rhel9cis_rule_5_3_3_1_3
  tags:
    - level1-server
    - level1-workstation
@ -104,6 +101,7 @@
        line: "{{ rhel9cis_pamroot_lock_option }}"
        insertafter: '^# end of pam-auth-update config'
        create: true
        mode: 'go-rwx'
    - name: "5.3.3.1.3 | PATCH | Ensure password failed attempts lockout includes root account | remove lockout from pam files NOT AuthSelect"
      when:
--- a/tasks/section_5/cis_5.3.3.2.x.yml
+++ b/tasks/section_5/cis_5.3.3.2.x.yml
@ -1,8 +1,7 @@
 ---
 - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured"
-  when:
+  when: rhel9cis_rule_5_3_3_2_1
    - rhel9cis_rule_5_3_3_2_1
  tags:
    - level1-server
    - level1-workstation
@ -30,7 +29,7 @@
        dest: "/{{ rhel9cis_passwd_difok_file }}"
        owner: root
        group: root
-        mode: '0600'
+        mode: 'go-rwx'
    - name: "5.3.3.2.1 | PATCH | Ensure password number of changed characters is configured | Remove difok from pam files Not AuthSelect"
      when:
@ -58,8 +57,7 @@
      notify: Authselect update
 - name: "5.3.3.2.2 | PATCH | Ensure password length is configured"
-  when:
+  when: rhel9cis_rule_5_3_3_2_2
    - rhel9cis_rule_5_3_3_2_2
  tags:
    - level1-server
    - level1-workstation
@ -87,7 +85,7 @@
        dest: "/{{ rhel9cis_passwd_minlen_file }}"
        owner: root
        group: root
-        mode: '0600'
+        mode: 'go-rwx'
    - name: "5.3.3.2.2 | PATCH | Ensure minimum password length is configured | Remove minlen from pam files NOT AuthSelect"
      when:
@ -115,8 +113,7 @@
      notify: Authselect update
 - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured"
-  when:
+  when: rhel9cis_rule_5_3_3_2_3
    - rhel9cis_rule_5_3_3_2_3
  tags:
    - level1-server
    - level1-workstation
@ -144,7 +141,7 @@
        dest: "/{{ rhel9cis_passwd_complex_file }}"
        owner: root
        group: root
-        mode: '0600'
+        mode: 'go-rwx'
    - name: "5.3.3.2.3 | PATCH | Ensure password complexity is configured | Remove complexity from pam files NOT AuthSelect"
      when:
@ -172,8 +169,7 @@
      notify: Authselect update
 - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured"
-  when:
+  when: rhel9cis_rule_5_3_3_2_4
    - rhel9cis_rule_5_3_3_2_4
  tags:
    - level1-server
    - level1-workstation
@ -183,8 +179,7 @@
    - pam
  block:
    - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Remove maxrepeat settings from conf files except expected file"
-      when:
+      when: item != rhel9cis_passwd_maxrepeat_file
        - item != rhel9cis_passwd_maxrepeat_file
      ansible.builtin.replace:
        path: "{{ item }}"
        regexp: 'maxrepeat\s*=\s*\d+\b'
@ -200,7 +195,7 @@
        dest: "/{{ rhel9cis_passwd_maxrepeat_file }}"
        owner: root
        group: root
-        mode: '0600'
+        mode: 'go-rwx'
    - name: "5.3.3.2.4 | PATCH | Ensure password same consecutive characters is configured | Remove maxrepeat from pam files NOT AuthSelect"
      when:
@ -228,8 +223,7 @@
      notify: Authselect update
 - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is is configured"
-  when:
+  when: rhel9cis_rule_5_3_3_2_5
    - rhel9cis_rule_5_3_3_2_5
  tags:
    - level1-server
    - level1-workstation
@ -257,7 +251,7 @@
        dest: "/{{ rhel9cis_passwd_maxsequence_file }}"
        owner: root
        group: root
-        mode: '0600'
+        mode: 'go-rwx'
    - name: "5.3.3.2.5 | PATCH | Ensure password maximum sequential characters is configured | Remove maxsequence from pam files NOT AuthSelect"
      when:
@ -285,8 +279,7 @@
      notify: Authselect update
 - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled"
-  when:
+  when: rhel9cis_rule_5_3_3_2_6
    - rhel9cis_rule_5_3_3_2_6
  tags:
    - level1-server
    - level1-workstation
@ -313,7 +306,7 @@
        dest: "/{{ rhel9cis_passwd_dictcheck_file }}"
        owner: root
        group: root
-        mode: '0600'
+        mode: 'go-rwx'
    - name: "5.3.3.2.6 | PATCH | Ensure password dictionary check is enabled | Remove dictcheck from pam files NOT AuthSelect"
      when:
@ -342,8 +335,7 @@
      notify: Authselect update
 - name: "5.3.3.2.7 | PATCH | Ensure password quality is enforced for the root user"
-  when:
+  when: rhel9cis_rule_5_3_3_2_7
    - rhel9cis_rule_5_3_3_2_7
  tags:
    - level1-server
    - level1-workstation
@ -356,4 +348,4 @@
    dest: "/{{ rhel9cis_passwd_quality_enforce_root_file }}"
    owner: root
    group: root
-    mode: '0600'
+    mode: 'o-rwx'
--- a/tasks/section_5/cis_5.3.3.3.x.yml
+++ b/tasks/section_5/cis_5.3.3.3.x.yml
@ -1,8 +1,7 @@
 ---
 - name: "5.3.3.3.1 | PATCH | Ensure password history remember is configured"
-  when:
+  when: rhel9cis_rule_5_3_3_3_1
    - rhel9cis_rule_5_3_3_3_1
  tags:
    - level1-server
    - level1-workstation
@ -48,8 +47,7 @@
      notify: Authselect update
 - name: "5.3.3.3.2 | PATCH | Ensure password history is enforced for the root user"
-  when:
+  when: rhel9cis_rule_5_3_3_3_2
    - rhel9cis_rule_5_3_3_3_2
  tags:
    - level1-server
    - level1-workstation
@ -95,8 +93,7 @@
      notify: Authselect update
 - name: "5.3.3.3.3 | PATCH | Ensure pam_pwhistory includes use_authtok"
-  when:
+  when: rhel9cis_rule_5_3_3_3_3
    - rhel9cis_rule_5_3_3_3_3
  tags:
    - level1-server
    - level1-workstation
--- a/tasks/section_5/cis_5.3.3.4.x.yml
+++ b/tasks/section_5/cis_5.3.3.4.x.yml
@ -28,8 +28,7 @@
      loop: "{{ discovered_pam_nullok.stdout_lines }}"
    - name: "5.3.3.4.1 | PATCH | Ensure password number of changed characters is configured | Remove nullok from pam files AuthSelect"
-      when:
+      when: rhel9cis_allow_authselect_updates
        - rhel9cis_allow_authselect_updates
      ansible.builtin.replace:
        path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
        regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)\snullok(.*$)
@ -67,8 +66,7 @@
      loop: "{{ discovered_pam_remember.stdout_lines }}"
    - name: "5.3.3.4.2 | PATCH | Ensure pam_unix does not include remember  | Remove remember from pam files AuthSelect"
-      when:
+      when: rhel9cis_allow_authselect_updates
        - rhel9cis_allow_authselect_updates
      ansible.builtin.replace:
        path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
        regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)\sremember\s*=\s*=\d*(.*$)
@ -107,8 +105,7 @@
      loop: "{{ discovered_pam_remember.stdout_lines }}"
    - name: "5.3.3.4.3 | PATCH | Ensure pam_unix includes a strong password hashing algorithm | Add hash algorithm to pam files AuthSelect"
-      when:
+      when: rhel9cis_allow_authselect_updates
        - rhel9cis_allow_authselect_updates
      ansible.builtin.lineinfile:
        path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
        regexp: ^(\s*password\s+)(requisite|required|sufficient)(\s+pam_unix.so\s)(.*)(sha512|yescrypt)(.*$)
@ -150,8 +147,7 @@
      loop: "{{ discovered_pam_authtok.stdout_lines }}"
    - name: "5.3.3.4.4 | PATCH | Ensure pam_unix includes use_authtok | Add use_authtok pam files AuthSelect"
-      when:
+      when: rhel9cis_allow_authselect_updates
        - rhel9cis_allow_authselect_updates
      ansible.builtin.lineinfile:
        path: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}/{{ item }}-auth"
        regexp: ^(\s*password\s+)(requisite|required|sufficient)(\s+pam_unix.so\s)(.*)use_authtok(.*$)
--- a/tasks/section_5/cis_5.4.1.x.yml
+++ b/tasks/section_5/cis_5.4.1.x.yml
@ -1,8 +1,7 @@
 ---
 - name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less"
-  when:
+  when: rhel9cis_rule_5_4_1_1
    - rhel9cis_rule_5_4_1_1
  tags:
    - level1-server
    - level1-workstation
@ -38,8 +37,7 @@
      loop: "{{ discovered_max_days.stdout_lines }}"
 - name: "5.4.1.2 | PATCH | Ensure minimum password days is configured"
-  when:
+  when: rhel9cis_rule_5_4_1_2
    - rhel9cis_rule_5_4_1_2
  tags:
    - level1-server
    - level1-workstation
@ -70,8 +68,7 @@
      loop: "{{ discovered_min_days.stdout_lines }}"
 - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured"
-  when:
+  when: rhel9cis_rule_5_4_1_3
    - rhel9cis_rule_5_4_1_3
  tags:
    - level1-server
    - level1-workstation
@ -96,12 +93,12 @@
        - discovered_warn_days.stdout_lines | length > 0
        - item in prelim_interactive_usernames.stdout
        - rhel9cis_force_user_warnage
-      ansible.builtin.shell: "chage --warndays {{ rhel9cis_pass['warn_age'] }} {{ item }}"
+      ansible.builtin.command: "chage --warndays {{ rhel9cis_pass['warn_age'] }} {{ item }}"
      changed_when: true
      loop: "{{ discovered_warn_days.stdout_lines }}"
 - name: "5.4.1.4 | PATCH | Ensure strong password hashing algorithm is configured"
-  when:
+  when: rhel9cis_rule_5_4_1_4
    - rhel9cis_rule_5_4_1_4
  tags:
    - level1-server
    - level1-workstation
@ -115,8 +112,7 @@
    line: 'ENCRYPT_METHOD {{ rhel9cis_passwd_hash_algo | upper }}'
 - name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured"
-  when:
+  when: rhel9cis_rule_5_4_1_5
    - rhel9cis_rule_5_4_1_5
  tags:
    - level1-server
    - level1-workstation
@ -132,23 +128,24 @@
      register: discovered_passwdlck_inactive_settings
    - name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured | Set default inactive setting"
-      ansible.builtin.shell: useradd -D -f {{ rhel9cis_inactivelock.lock_days }}
+      ansible.builtin.command: useradd -D -f {{ rhel9cis_inactivelock.lock_days }}
      changed_when: true
      when: discovered_passwdlck_inactive_settings.stdout | length == 0
    - name: "5.4.1.5 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list"
-      ansible.builtin.shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow"
+      ansible.builtin.command: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow"
      changed_when: false
      check_mode: false
      register: discovered_passwdlck_user_list
    - name: "5.4.1.5 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
      when: item in prelim_interactive_usernames.stdout
-      ansible.builtin.shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
+      ansible.builtin.command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
      changed_when: true
      loop: "{{ discovered_passwdlck_user_list.stdout_lines }}"
 - name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past"
-  when:
+  when: rhel9cis_rule_5_4_1_6
    - rhel9cis_rule_5_4_1_6
  tags:
    - level1-server
    - level1-workstation
@ -172,22 +169,23 @@
      register: discovered_passwdlck_user_future
    - name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | Alert on accounts with pw change in the future"
      when:
        - discovered_passwdlck_user_future.stdout | length > 0
        - not rhel9cis_futurepwchgdate_autofix
      ansible.builtin.debug:
        msg: "Warning!! The following accounts have the last PW change date in the future: {{ discovered_passwdlck_user_future.stdout_lines }}"
      when:
        - discovered_passwdlck_user_future.stdout | length > 0
        - not rhel9cis_futurepwchgdate_autofix
    - name: "5.4.1.6 | AUDIT | Ensure all users last password change date is in the past | warning count"
      ansible.builtin.import_tasks:
        file: warning_facts.yml
      when:
        - discovered_passwdlck_user_future.stdout | length > 0
        - not rhel9cis_futurepwchgdate_autofix
      ansible.builtin.import_tasks:
        file: warning_facts.yml
    - name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future"
      ansible.builtin.shell: passwd --expire {{ item }}
      when:
        - discovered_passwdlck_user_future.stdout | length > 0
        - rhel9cis_futurepwchgdate_autofix
      ansible.builtin.command: passwd --expire {{ item }}
      changed_when: true
      loop: "{{ discovered_passwdlck_user_future.stdout_lines }}"
--- a/tasks/section_5/cis_5.4.2.x.yml
+++ b/tasks/section_5/cis_5.4.2.x.yml
@ -17,7 +17,7 @@
    - NIST800-53R5_CM-6
    - NIST800-53R5_CM-7
    - NIST800-53R5_IA-5
-  ansible.builtin.shell: passwd -l {{ item }}
+  ansible.builtin.command: passwd -l {{ item }}
  changed_when: false
  failed_when: false
  loop: "{{ prelim_uid_zero_accounts_except_root.stdout_lines }}"
@ -56,8 +56,7 @@
      loop: "{{ discovered_gid0_members.stdout_lines }}"
 - name: "5.4.2.3 | AUDIT | Ensure group root is the only GID 0 group"
-  when:
+  when: rhel9cis_rule_5_4_2_3
    - rhel9cis_rule_5_4_2_3
  tags:
    - level1-server
    - level1-workstation
@ -96,8 +95,7 @@
        warn_control_id: '5.4.2.3'
 - name: "5.4.2.4 | PATCH | Ensure root account access is controlled "
-  when:
+  when: rhel9cis_rule_5_4_2_4
    - rhel9cis_rule_5_4_2_4
  tags:
    - level1-server
    - level1-workstation
@ -108,8 +106,7 @@
    msg: "This is set as an assert in tasks/main"
 - name: "5.4.2.5 | PATCH | Ensure root PATH Integrity"
-  when:
+  when: rhel9cis_rule_5_4_2_5
    - rhel9cis_rule_5_4_2_5
  tags:
    - level1-server
    - level1-workstation
@ -172,15 +169,14 @@
            state: directory
            owner: root
            group: root
-            mode: '0755'
+            mode: 'go-w'
            follow: false
          loop: "{{ discovered_root_path_perms.results }}"
          loop_control:
            label: "{{ item }}"
 - name: "5.4.2.6 | PATCH | Ensure root user umask is configured"
-  when:
+  when: rhel9cis_rule_5_4_2_6
    - rhel9cis_rule_5_4_2_6
  tags:
    - level1-server
    - level1-workstation
@ -194,6 +190,9 @@
    regexp: \s*umask
    line: "umask {{ rhel9cis_root_umask }}"
    create: true
    owner: root
    group: root
    mode: 'go-rwx'
 - name: "5.4.2.7 | PATCH | Ensure system accounts do not have a valid login shell"
  when:
--- a/tasks/section_5/cis_5.4.3.x.yml
+++ b/tasks/section_5/cis_5.4.3.x.yml
@ -1,8 +1,7 @@
 ---
 - name: "5.4.3.1 | PATCH | Ensure nologin is not listed in /etc/shells"
-  when:
+  when: rhel9cis_rule_5_4_3_1
    - rhel9cis_rule_5_4_3_1
  tags:
    - level2-server
    - level2-workstation
@ -20,8 +19,7 @@
    replace: ""
 - name: "5.4.3.2 | PATCH | Ensure default user shell timeout is configured"
-  when:
+  when: rhel9cis_rule_5_4_3_2
    - rhel9cis_rule_5_4_3_2
  tags:
    - level1-server
    - level1-workstation
@ -33,7 +31,7 @@
    state: "{{ item.state }}"
    marker: "# {mark} - CIS benchmark - Ansible-lockdown"
    create: true
-    mode: '0644'
+    mode: 'go-wx'
    block: |
      TMOUT={{ rhel9cis_shell_session_timeout }}
      readonly TMOUT
@ -43,8 +41,7 @@
    - { path: /etc/profile, state: "{{ (rhel9cis_shell_session_file == '/etc/profile') | ternary('present', 'absent') }}" }
 - name: "5.4.3.3 | PATCH | Ensure default user umask is configured"
-  when:
+  when: rhel9cis_rule_5_4_3_3
    - rhel9cis_rule_5_4_3_3
  tags:
    - level1-server
    - level1-workstation
--- a/tasks/section_6/cis_6.1.x.yml
+++ b/tasks/section_6/cis_6.1.x.yml
@ -19,10 +19,11 @@
      register: discovered_aide_installed
    - name: "6.1.1 | PATCH | Ensure AIDE is installed| Build AIDE DB"
-      when: discovered_aide_installed.changed  # noqa: no-handler
+      when: discovered_aide_installed.changed  # noqa no-handler
      block:
        - name: "6.1.1 | PATCH | Ensure AIDE is installed| Build AIDE DB"
-          ansible.builtin.shell: /usr/sbin/aide --init
+          ansible.builtin.command: /usr/sbin/aide --init
          changed_when: true
        - name: "6.1.1 | PATCH | Ensure AIDE is installed| Build AIDE DB | Wait for file before continuing"
          ansible.builtin.wait_for:
@ -33,6 +34,7 @@
            src: /var/lib/aide/aide.db.new.gz
            dest: /var/lib/aide/aide.db.gz
            remote_src: true
            mode: 'go-wx'
 - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked"
  when:
@ -62,15 +64,15 @@
    - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | aide service"
      when: rhel9cis_aide_scan == "timer"
-      ansible.builtin.systemd:
+      ansible.builtin.systemd_service:
        name: aidecheck.service
        enabled: true
    - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | aide service"
      when: rhel9cis_aide_scan == "timer"
-      ansible.builtin.systemd:
+      ansible.builtin.systemd_service:
        name: aidecheck.timer
-        state: running
+        state: started
        enabled: true
 - name: "6.1.3 | PATCH | Ensure cryptographic mechanisms are used to protect the integrity of audit tools"
--- a/tasks/section_6/cis_6.2.1.x.yml
+++ b/tasks/section_6/cis_6.2.1.x.yml
@ -1,8 +1,7 @@
 ---
 - name: "6.2.1.1 | PATCH | Ensure journald service is enabled and active"
-  when:
+  when: rhel9cis_rule_6_2_1_1
    - rhel9cis_rule_6_2_1_1
  tags:
    - level1-server
    - level1-workstation
@ -15,8 +14,7 @@
    state: started
 - name: "6.2.1.2 | PATCH | Ensure journald log file access is configured"
-  when:
+  when: rhel9cis_rule_6_2_1_2
    - rhel9cis_rule_6_2_1_2
  tags:
    - level1-server
    - level1-workstation
@ -27,7 +25,7 @@
    - name: "6.2.1.2 | PATCH | Ensure journald log file access is configured | Default file permissions"
      ansible.builtin.file:
        path: /usr/lib/tmpfiles.d/systemd.conf
-        mode: '0640'
+        mode: 'g-wx,o-rwx'
    - name: "6.2.1.2 | AUDIT | Ensure journald log file access is configured | Check for override file"
      ansible.builtin.stat:
@ -58,8 +56,7 @@
        warn_control_id: '6.2.1.2'
 - name: "6.2.1.3 | PATCH | Ensure journald log file rotation is configured"
-  when:
+  when: rhel9cis_rule_6_2_1_3
    - rhel9cis_rule_6_2_1_3
  tags:
    - level1-server
    - level1-workstation
@ -74,7 +71,7 @@
        dest: /etc/systemd/journald.conf.d/rotation.conf
        owner: root
        group: root
-        mode: '0640'
+        mode: 'g-wx,o-rwx'
    - name: "6.2.1.3 | PATCH | Ensure journald log file rotation is configured | comment out current entries"
      ansible.builtin.replace:
@ -89,8 +86,7 @@
        - '^(\s*MaxFileSec\s*=.*)'
 - name: "6.2.1.4 | PATCH | Ensure only one logging system is in use"
-  when:
+  when: rhel9cis_rule_6_2_1_4
    - rhel9cis_rule_6_2_1_4
  tags:
    - level1-server
    - level1-workstation
--- a/tasks/section_6/cis_6.2.2.x.yml
+++ b/tasks/section_6/cis_6.2.2.x.yml
@ -1,8 +1,7 @@
 ---
 - name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled"
-  when:
+  when: rhel9cis_rule_6_2_2_2
    - rhel9cis_rule_6_2_2_2
  tags:
    - level1-server
    - level2-workstation
@ -21,7 +20,7 @@
        dest: /etc/systemd/journald.conf.d/forwardtosyslog.conf
        owner: root
        group: root
-        mode: '0640'
+        mode: 'g-wx,o-rwx'
    - name: "6.2.2.2 | PATCH | Ensure journald ForwardToSyslog is disabled | comment out current entries"
      ansible.builtin.replace:
@ -30,8 +29,7 @@
        replace: '#\1'
 - name: "6.2.2.3 | PATCH | Ensure journald Compress is configured"
-  when:
+  when: rhel9cis_rule_6_2_2_3
    - rhel9cis_rule_6_2_2_3
  tags:
    - level1-server
    - level1-workstation
@ -47,7 +45,7 @@
        dest: /etc/systemd/journald.conf.d/storage.conf
        owner: root
        group: root
-        mode: '0640'
+        mode: 'g-wx,o-rwx'
    - name: "6.2.2.3 | PATCH | Ensure journald Compress is configured | comment out current entries"
      ansible.builtin.replace:
@ -56,8 +54,7 @@
        replace: '#\1'
 - name: "6.2.2.4 | PATCH | Ensure journald Storage is configured"
-  when:
+  when: rhel9cis_rule_6_2_2_4
    - rhel9cis_rule_6_2_2_4
  tags:
    - level1-server
    - level1-workstation
@ -74,7 +71,7 @@
        dest: /etc/systemd/journald.conf.d/storage.conf
        owner: root
        group: root
-        mode: '0640'
+        mode: 'g-wx,o-rwx'
    - name: "6.2.2.4 | PATCH | Ensure journald Storage is configured | comment out current entries"
      ansible.builtin.replace:
--- a/tasks/section_6/cis_6.2.3.x.yml
+++ b/tasks/section_6/cis_6.2.3.x.yml
@ -18,8 +18,7 @@
    state: present
 - name: "6.2.3.2 | PATCH | Ensure rsyslog Service is enabled and active"
-  when:
+  when: rhel9cis_rule_6_2_3_2
    - rhel9cis_rule_6_2_3_2
  tags:
    - level1-server
    - level1-workstation
@ -35,8 +34,7 @@
    state: started
 - name: "6.2.3.3 | PATCH | Ensure journald is configured to send logs to rsyslog"
-  when:
+  when: rhel9cis_rule_6_2_3_3
    - rhel9cis_rule_6_2_3_3
  tags:
    - level1-server
    - level1-workstation
@ -54,8 +52,7 @@
  notify: Restart rsyslog
 - name: "6.2.3.4 | PATCH | Ensure rsyslog log file creation mode is configured"
-  when:
+  when: rhel9cis_rule_6_2_3_4
    - rhel9cis_rule_6_2_3_4
  tags:
    - level1-server
    - level1-workstation
@ -72,8 +69,7 @@
  notify: Restart rsyslog
 - name: "6.2.3.5 | PATCH | Ensure logging is configured"
-  when:
+  when: rhel9cis_rule_6_2_3_5
    - rhel9cis_rule_6_2_3_5
  tags:
    - level1-server
    - level1-workstation
@ -200,8 +196,7 @@
  notify: Restart rsyslog
 - name: "6.2.3.7 | PATCH | Ensure rsyslog is not configured to recieve logs from a remote client"
-  when:
+  when: rhel9cis_rule_6_2_3_7
    - rhel9cis_rule_6_2_3_7
  tags:
    - level1-server
    - level1-workstation
@ -238,8 +233,7 @@
        - 'InputTCPServerRun'
 - name: "6.2.3.8 | PATCH | Ensure rsyslog logrotate is configured"
-  when:
+  when: rhel9cis_rule_6_2_3_8
    - rhel9cis_rule_6_2_3_8
  tags:
    - level1-server
    - level1-workstation
@ -266,4 +260,4 @@
        dest: /etc/logrotate.d/rsyslog.conf
        owner: root
        group: root
-        mode: '0640'
+        mode: 'g-wx,o-rwx'
--- a/tasks/section_6/cis_6.2.4.1.yml
+++ b/tasks/section_6/cis_6.2.4.1.yml
@ -1,8 +1,7 @@
 ---
 - name: "6.2.4.1 | PATCH | Ensure access to all logfiles has been configured"
-  when:
+  when: rhel9cis_rule_6_2_4_1
    - rhel9cis_rule_6_2_4_1
  tags:
    - level1-server
    - level1-workstation
--- a/tasks/section_6/cis_6.3.1.x.yml
+++ b/tasks/section_6/cis_6.3.1.x.yml
@ -27,8 +27,7 @@
        state: present
 - name: "6.3.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled"
-  when:
+  when: rhel9cis_rule_6_3_1_2
    - rhel9cis_rule_6_3_1_2
  tags:
    - level2-server
    - level2-workstation
@ -49,11 +48,11 @@
        - discovered_grubby_curr_value_audit_linux.stdout == '' or
          '0' in discovered_grubby_curr_value_audit_linux.stdout or
          'off' in discovered_grubby_curr_value_audit_linux.stdout|lower
-      ansible.builtin.shell: grubby --update-kernel=ALL --args="audit=1"
+      ansible.builtin.command: grubby --update-kernel=ALL --args="audit=1"
      changed_when: true
 - name: "6.3.1.3 | PATCH | Ensure audit_backlog_limit is sufficient"
-  when:
+  when: rhel9cis_rule_6_3_1_3
    - rhel9cis_rule_6_3_1_3
  tags:
    - level2-server
    - level2-workstation
@ -81,21 +80,18 @@
        discovered_reset_backlog_limits: true
    - name: "6.3.1.3 | AUDIT | Check to see if any limits are too low"
-      when:
+      when: (item | int < rhel9cis_audit_back_log_limit)
        - (item | int < rhel9cis_audit_back_log_limit)
      ansible.builtin.set_fact:
        discovered_reset_backlog_limits: true
      loop: "{{ discovered_grubby_curr_value_backlog_linux.stdout_lines }}"
    - name: "6.3.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby update applied"
-      when:
+      when: discovered_reset_backlog_limits is defined
-        - discovered_reset_backlog_limits is defined
+      ansible.builtin.command: 'grubby --update-kernel=ALL --args="audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"'
-      ansible.builtin.shell:
+      changed_when: true
        cmd: 'grubby --update-kernel=ALL --args="audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"'
 - name: "6.3.1.4 | PATCH | Ensure auditd service is enabled and active"
-  when:
+  when: rhel9cis_rule_6_3_1_4
    - rhel9cis_rule_6_3_1_4
  tags:
    - level2-server
    - level2-workstation
--- a/tasks/section_6/cis_6.3.2.x.yml
+++ b/tasks/section_6/cis_6.3.2.x.yml
@ -1,8 +1,7 @@
 ---
 - name: "6.3.2.1 | PATCH | Ensure audit log storage size is configured"
-  when:
+  when: rhel9cis_rule_6_3_2_1
    - rhel9cis_rule_6_3_2_1
  tags:
    - level2-server
    - level2-workstation
@ -17,8 +16,7 @@
  notify: Restart auditd
 - name: "6.3.2.2 | PATCH | Ensure audit logs are not automatically deleted"
-  when:
+  when: rhel9cis_rule_6_3_2_2
    - rhel9cis_rule_6_3_2_2
  tags:
    - level2-server
    - level2-workstation
@ -33,8 +31,7 @@
  notify: Restart auditd
 - name: "6.3.2.3 | PATCH | Ensure system is disabled when audit logs are full"
-  when:
+  when: rhel9cis_rule_6_3_2_3
    - rhel9cis_rule_6_3_2_3
  tags:
    - level2-server
    - level2-workstation
@ -55,8 +52,7 @@
    - { regexp: '^disk_error_action', line: 'disk_error_action = {{ rhel9cis_auditd_disk_error_action }}' }
 - name: "6.3.2.4 | PATCH | Ensure system warns when audit logs are low on space"
-  when:
+  when: rhel9cis_rule_6_3_2_4
    - rhel9cis_rule_6_3_2_4
  tags:
    - level2-server
    - level2-workstation
--- a/tasks/section_6/cis_6.3.3.x.yml
+++ b/tasks/section_6/cis_6.3.3.x.yml
@ -2,8 +2,7 @@
 # All changes selected are managed by the POST audit and handlers to update
 - name: "6.3.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected"
-  when:
+  when: rhel9cis_rule_6_3_3_1
    - rhel9cis_rule_6_3_3_1
  tags:
    - level2-server
    - level2-workstation
@ -16,8 +15,7 @@
 # All changes selected are managed by the POST audit and handlers to update
 - name: "6.3.3.2 | PATCH | Ensure actions as another user are always logged"
-  when:
+  when: rhel9cis_rule_6_3_3_2
    - rhel9cis_rule_6_3_3_2
  tags:
    - level2-server
    - level2-workstation
@ -30,8 +28,7 @@
 # All changes selected are managed by the POST audit and handlers to update
 - name: "6.3.3.3 | PATCH | Ensure events that modify the sudo log file are collected"
-  when:
+  when: rhel9cis_rule_6_3_3_3
    - rhel9cis_rule_6_3_3_3
  tags:
    - level2-server
    - level2-workstation
@ -43,8 +40,7 @@
 # All changes selected are managed by the POST audit and handlers to update
 - name: "6.3.3.4 | PATCH | Ensure events that modify date and time information are collected"
-  when:
+  when: rhel9cis_rule_6_3_3_4
    - rhel9cis_rule_6_3_3_4
  tags:
    - level2-server
    - level2-workstation
@ -58,8 +54,7 @@
 # All changes selected are managed by the POST audit and handlers to update
 - name: "6.3.3.5 | PATCH | Ensure events that modify the system's network environment are collected"
-  when:
+  when: rhel9cis_rule_6_3_3_5
    - rhel9cis_rule_6_3_3_5
  tags:
    - level2-server
    - level2-workstation
@ -73,8 +68,7 @@
 # All changes selected are managed by the POST audit and handlers to update
 - name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected"
-  when:
+  when: rhel9cis_rule_6_3_3_6
    - rhel9cis_rule_6_3_3_6
  tags:
    - level2-server
    - level2-workstation
@ -97,8 +91,7 @@
 # All changes selected are managed by the POST audit and handlers to update
 - name: "6.3.3.7 | PATCH | Ensure unsuccessful file access attempts are collected"
-  when:
+  when: rhel9cis_rule_6_3_3_7
    - rhel9cis_rule_6_3_3_7
  tags:
    - level2-server
    - level2-workstation
@ -111,8 +104,7 @@
 # All changes selected are managed by the POST audit and handlers to update
 - name: "6.3.3.8 | PATCH | Ensure events that modify user/group information are collected"
-  when:
+  when: rhel9cis_rule_6_3_3_8
    - rhel9cis_rule_6_3_3_8
  tags:
    - level2-server
    - level2-workstation
@ -125,8 +117,7 @@
 # All changes selected are managed by the POST audit and handlers to update
 - name: "6.3.3.9 | PATCH | Ensure discretionary access control permission modification events are collected"
-  when:
+  when: rhel9cis_rule_6_3_3_9
    - rhel9cis_rule_6_3_3_9
  tags:
    - level2-server
    - level2-workstation
@ -140,8 +131,7 @@
 # All changes selected are managed by the POST audit and handlers to update
 - name: "6.3.3.10 | PATCH | Ensure successful file system mounts are collected"
-  when:
+  when: rhel9cis_rule_6_3_3_10
    - rhel9cis_rule_6_3_3_10
  tags:
    - level2-server
    - level2-workstation
@ -154,8 +144,7 @@
 # All changes selected are managed by the POST audit and handlers to update
 - name: "6.3.3.11 | PATCH | Ensure session initiation information is collected"
-  when:
+  when: rhel9cis_rule_6_3_3_11
    - rhel9cis_rule_6_3_3_11
  tags:
    - level2-server
    - level2-workstation
@ -168,8 +157,7 @@
 # All changes selected are managed by the POST audit and handlers to update
 - name: "6.3.3.12 | PATCH | Ensure login and logout events are collected"
-  when:
+  when: rhel9cis_rule_6_3_3_12
    - rhel9cis_rule_6_3_3_12
  tags:
    - level2-server
    - level2-workstation
@ -182,8 +170,7 @@
 # All changes selected are managed by the POST audit and handlers to update
 - name: "6.3.3.13 | PATCH | Ensure file deletion events by users are collected"
-  when:
+  when: rhel9cis_rule_6_3_3_13
    - rhel9cis_rule_6_3_3_13
  tags:
    - level2-server
    - level2-workstation
@ -197,8 +184,7 @@
 # All changes selected are managed by the POST audit and handlers to update
 - name: "6.3.3.14 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected"
-  when:
+  when: rhel9cis_rule_6_3_3_14
    - rhel9cis_rule_6_3_3_14
  tags:
    - level2-server
    - level2-workstation
@ -212,8 +198,7 @@
 # All changes selected are managed by the POST audit and handlers to update
 - name: "6.3.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded"
-  when:
+  when: rhel9cis_rule_6_3_3_15
    - rhel9cis_rule_6_3_3_15
  tags:
    - level2-server
    - level2- workstation
@ -228,8 +213,7 @@
 # All changes selected are managed by the POST audit and handlers to update
 - name: "6.3.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded"
-  when:
+  when: rhel9cis_rule_6_3_3_16
    - rhel9cis_rule_6_3_3_16
  tags:
    - level2-server
    - level2-workstation
@ -244,8 +228,7 @@
 # All changes selected are managed by the POST audit and handlers to update
 - name: "6.3.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded"
-  when:
+  when: rhel9cis_rule_6_3_3_17
    - rhel9cis_rule_6_3_3_17
  tags:
    - level2-server
    - level2-workstation
@ -260,8 +243,7 @@
 # All changes selected are managed by the POST audit and handlers to update
 - name: "6.3.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded"
-  when:
+  when: rhel9cis_rule_6_3_3_18
    - rhel9cis_rule_6_3_3_18
  tags:
    - level2-server
    - level2-workstation
@ -276,8 +258,7 @@
 # All changes selected are managed by the POST audit and handlers to update
 - name: "6.3.3.19 | PATCH | Ensure kernel module loading and unloading and modification is collected"
-  when:
+  when: rhel9cis_rule_6_3_3_19
    - rhel9cis_rule_6_3_3_19
  tags:
    - level2-server
    - level2-workstation
@ -291,8 +272,7 @@
 # All changes selected are managed by the POST audit and handlers to update
 - name: "6.3.3.20 | PATCH | Ensure the audit configuration is immutable"
-  when:
+  when: rhel9cis_rule_6_3_3_20
    - rhel9cis_rule_6_3_3_20
  tags:
    - level2-server
    - level2-workstation
@ -306,8 +286,7 @@
    update_audit_template: true
 - name: "6.3.3.21 | AUDIT | Ensure the running and on disk configuration is the same"
-  when:
+  when: rhel9cis_rule_6_3_3_21
    - rhel9cis_rule_6_3_3_21
  tags:
    - level2-server
    - level2-workstation
@ -321,8 +300,7 @@
      - "Please run augenrules --load if you suspect there is a configuration that is not active"
 - name: Auditd | 6.3.3.x | Auditd controls updated
-  when:
+  when: update_audit_template
    - update_audit_template
  ansible.builtin.debug:
    msg: "Auditd Controls handled in POST using template - updating /etc/auditd/rules.d/99_auditd.rules"
  changed_when: false
--- a/tasks/section_6/cis_6.3.4.x.yml
+++ b/tasks/section_6/cis_6.3.4.x.yml
@ -1,8 +1,7 @@
 ---
 - name: "6.3.4.1 | PATCH | Ensure the audit log file directory mode is configured"
-  when:
+  when: rhel9cis_rule_6_3_4_1
    - rhel9cis_rule_6_3_4_1
  tags:
    - level2-server
    - level2-workstation
@ -39,8 +38,7 @@
    group: root
 - name: "6.3.4.5 | PATCH | Ensure audit configuration files mode is configured"
-  when:
+  when: rhel9cis_rule_6_3_4_5
    - rhel9cis_rule_6_3_4_5
  tags:
    - level2-server
    - level2-workstation
@ -57,8 +55,7 @@
    label: "{{ item.path }}"
 - name: "6.3.4.6 | PATCH | Ensure audit configuration files owner is configured"
-  when:
+  when: rhel9cis_rule_6_3_4_6
    - rhel9cis_rule_6_3_4_6
  tags:
    - level2-server
    - level2-workstation
@ -75,8 +72,7 @@
    label: "{{ item.path }}"
 - name: "6.3.4.7 | PATCH | Ensure audit configuration files group owner is configured"
-  when:
+  when: rhel9cis_rule_6_3_4_7
    - rhel9cis_rule_6_3_4_7
  tags:
    - level2-server
    - level2-workstation
@ -93,8 +89,7 @@
    label: "{{ item.path }}"
 - name: "6.3.4.8 | PATCH | Ensure audit tools mode is configured"
-  when:
+  when: rhel9cis_rule_6_3_4_8
    - rhel9cis_rule_6_3_4_8
  tags:
    - level2-server
    - level2-workstation
@ -114,8 +109,7 @@
    - /sbin/augenrules
 - name: "6.3.4.9 | PATCH | Ensure audit tools owner is configured"
-  when:
+  when: rhel9cis_rule_6_3_4_9
    - rhel9cis_rule_6_3_4_9
  tags:
    - level2-server
    - level2-workstation
@ -135,8 +129,7 @@
    - /sbin/augenrules
 - name: "6.3.4.10 | PATCH | Ensure audit tools group owner is configured"
-  when:
+  when: rhel9cis_rule_6_3_4_10
    - rhel9cis_rule_6_3_4_10
  tags:
    - level2-server
    - level2-workstation
--- a/tasks/section_7/cis_7.1.x.yml
+++ b/tasks/section_7/cis_7.1.x.yml
@ -83,7 +83,7 @@
    path: /etc/shadow
    owner: root
    group: root
-    mode: '0000'
+    mode: 'ugo-rwx'
 - name: "7.1.6 | PATCH | Ensure permissions on /etc/shadow- are configured"
  when:
@ -100,7 +100,7 @@
    path: /etc/shadow-
    owner: root
    group: root
-    mode: '0000'
+    mode: 'ugo-rwx'
 - name: "7.1.7 | PATCH | Ensure permissions on /etc/gshadow are configured"
  when:
@ -117,7 +117,7 @@
    path: /etc/gshadow
    owner: root
    group: root
-    mode: '0000'
+    mode: 'ugo-rwx'
 - name: "7.1.8 | PATCH | Ensure permissions on /etc/gshadow- are configured"
  when:
@ -134,7 +134,7 @@
    path: /etc/gshadow-
    owner: root
    group: root
-    mode: '0000'
+    mode: 'ugo-rwx'
 - name: "7.1.9 | PATCH | Ensure permissions on /etc/shells are configured"
  when:
@ -196,7 +196,7 @@
        - rhel9cis_no_world_write_adjust
      ansible.builtin.file:
        path: '{{ item }}'
-        mode: o-w
+        mode: 'o-w'
        state: touch
      loop: "{{ discovered_world_writable.stdout_lines }}"
@ -221,7 +221,7 @@
    warn_control_id: '7.1.12'
  block:
    - name: "7.1.12 | AUDIT | Ensure no files or directories without an owner and a group exist | Get list files or directories"
-      ansible.builtin.shell: find {{ rhel9cis_exclude_unowned_search_path }} {{ item.mount }} -xdev \( -nouser -o -nogroup \) -not -fstype nfs
+      ansible.builtin.command: find {{ rhel9cis_exclude_unowned_search_path }} {{ item.mount }} -xdev \( -nouser -o -nogroup \) -not -fstype nfs
      changed_when: false
      failed_when: false
      check_mode: false
@ -283,7 +283,7 @@
    warn_control_id: '7.1.13'
  block:
    - name: "7.1.13 | AUDIT | Ensure SUID and SGID files are reviewed | Find SUID and SGID"
-      ansible.builtin.shell: find {{ item.mount }} -xdev -type f -perm \( -02000 or -04000 \) -not -fstype nfs
+      ansible.builtin.command: find {{ item.mount }} -xdev -type f -perm \( -02000 or -04000 \) -not -fstype nfs
      changed_when: false
      failed_when: false
      check_mode: false
--- a/tasks/section_7/cis_7.2.x.yml
+++ b/tasks/section_7/cis_7.2.x.yml
@ -237,7 +237,7 @@
    - users
    - rule_7.2.8
  block:
-    - name: "7.2.8 | PATCH | Ensure local interactive user home directories are configured | Create dir if absent"
+    - name: "7.2.8 | PATCH | Ensure local interactive user home directories are configured | Create dir if absent"  # noqa risky-file-permissions
      ansible.builtin.file:
        path: "{{ item.dir }}"
        state: directory
--- a/tasks/warning_facts.yml
+++ b/tasks/warning_facts.yml
@ -1,5 +1,4 @@
 ---
 # This task is used to create variables used in giving a warning summary for manual tasks
 # that need attention
 #
@ -14,7 +13,7 @@
 #
 # warn_count the main variable for the number of warnings and each time a warn_control_id is added
 # the count increases by a value of 1
- name: "{{ warn_control_id }} | AUDIT | Set fact for manual task warning."
+- name: "{{ warn_control_id }} | AUDIT | Set fact for manual task warning." # noqa name[template]
  ansible.builtin.set_fact:
    warn_control_list: "{{ warn_control_list }} [{{ warn_control_id }}]"
    warn_count: "{{ warn_count | int + 1 }}"
--- a/templates/audit/98_auditd_exception.rules.j2
+++ b/templates/audit/98_auditd_exception.rules.j2
@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by MindPointGroup LLC
+# provided by Mindpoint Group - A Tyto Athene Company
 ### YOUR CHANGES WILL BE LOST!
 # This file contains users whose actions are not logged by auditd
--- a/templates/audit/99_auditd.rules.j2
+++ b/templates/audit/99_auditd.rules.j2
@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by MindPointGroup LLC
+# provided by Mindpoint Group - A Tyto Athene Company
 ### YOUR CHANGES WILL BE LOST!
 # This template will set all of the auditd configurations via a handler in the role in one task instead of individually
--- a/templates/etc/cron.d/aide.cron.j2
+++ b/templates/etc/cron.d/aide.cron.j2
@ -1,7 +1,7 @@
 # Run AIDE integrity check
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by MindPointGroup LLC
+# provided by Mindpoint Group - A Tyto Athene Company
 ### YOUR CHANGES WILL BE LOST!
 # CIS 1.3.2
--- a/templates/etc/dconf/db/00-automount_lock.j2
+++ b/templates/etc/dconf/db/00-automount_lock.j2
@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by MindPointGroup LLC
+# provided by Mindpoint Group - A Tyto Athene Company
 # Lock desktop media-handling automount setting
 /org/gnome/desktop/media-handling/automount
--- a/templates/etc/dconf/db/00-autorun_lock.j2
+++ b/templates/etc/dconf/db/00-autorun_lock.j2
@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by MindPointGroup LLC
+# provided by Mindpoint Group - A Tyto Athene Company
 # Lock desktop media-handling settings
 /org/gnome/desktop/media-handling/autorun-never
--- a/templates/etc/dconf/db/00-media-automount.j2
+++ b/templates/etc/dconf/db/00-media-automount.j2
@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by MindPointGroup LLC
+# provided by Mindpoint Group - A Tyto Athene Company
 [org/gnome/desktop/media-handling]
 automount=false
--- a/templates/etc/dconf/db/00-media-autorun.j2
+++ b/templates/etc/dconf/db/00-media-autorun.j2
@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by MindPointGroup LLC
+# provided by Mindpoint Group - A Tyto Athene Company
 [org/gnome/desktop/media-handling]
 autorun-never=true
--- a/templates/etc/dconf/db/00-screensaver.j2
+++ b/templates/etc/dconf/db/00-screensaver.j2
@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by MindPointGroup LLC
+# provided by Mindpoint Group - A Tyto Athene Company
 # Specify the dconf path
 [org/gnome/desktop/session]
--- a/templates/etc/dconf/db/00-screensaver_lock.j2
+++ b/templates/etc/dconf/db/00-screensaver_lock.j2
@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by MindPointGroup LLC
+# provided by Mindpoint Group - A Tyto Athene Company
 # Lock desktop screensaver idle-delay setting
 /org/gnome/desktop/session/idle-delay
--- a/templates/etc/dconf/db/gdm.d/01-banner-message.j2
+++ b/templates/etc/dconf/db/gdm.d/01-banner-message.j2
@ -1,6 +1,6 @@
 ## Ansible controlled file
 # Added as part of ansible-lockdown CIS baseline
-# provided by MindPointGroup LLC
+# provided by Mindpoint Group - A Tyto Athene Company
 [org/gnome/login-screen]
 banner-message-enable=true
--- a/templates/fs_with_cves.sh
+++ b/templates/fs_with_cves.sh
@ -1,11 +1,8 @@
-{% raw %}
+{% raw %}#! /usr/bin/env bash
 #! /usr/bin/env bash
 # Based on original Script provided by CIS
 # CVEs correct at time of creation - April2024
 #! /usr/bin/env bash
 {
   a_output=(); a_output2=(); a_modprope_config=(); a_excluded=(); a_available_modules=()
   a_ignore=("xfs" "vfat" "ext2" "ext3" "ext4")
--- a/vars/audit.yml
+++ b/vars/audit.yml
@ -35,7 +35,7 @@ audit_format: json
 audit_vars_path: "{{ audit_conf_dir }}/vars/{{ ansible_facts.hostname }}.yml"
 audit_results: |
-      The{% if not audit_only %} pre remediation{% endif %} audit results are: {{ pre_audit_results}}
+      The{% if not audit_only %} pre remediation{% endif %} audit results are: {{ pre_audit_results }}
      {% if not audit_only %}The post remediation audit results are: {{ post_audit_results }}{% endif %}
      Full breakdown can be found in {{ audit_log_dir }}