Improvements (#5)

* container standards

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* logic on handlers

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* initial container ignore

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* tags and containder discovery

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* logic on auditd task

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* tags and crypto logic

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* distro update for rocky

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* system_is_container updates

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* ssh pkg check

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* logrotate pkg check

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* logic in container check

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* add pkg fact and audit conditionals

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* tidy up crypto step

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* Added missing tags

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* container vars file now a variable

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* added uid discovery and usage

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* Updated OS checks and conditionals

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* fixed empty become

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* change audit to include task

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* Added OS_specific vars

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated import/include

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* OS Specific vars

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated tags

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated changed_when

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* fixed UID logic

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* added github templates

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* updated layout

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

* Added .github ignore again

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,34 @@
+---
+name: Report Issue
+about: Create a bug issue ticket to help us improve
+title: ''
+labels: bug
+assignees: ''
+
+---
+
+**Describe the Issue**
+A clear and concise description of what the bug is.
+
+**Expected Behavior**
+A clear and concise description of what you expected to happen.
+
+**Actual Behavior**
+A clear and concise description of what's happening.
+
+**Control(s) Affected**
+What controls are being affected by the issue
+
+**Environment (please complete the following information):**
+
+- branch being used: [e.g. devel]
+- Ansible Version: [e.g. 2.10]
+- Host Python Version: [e.g. Python 3.7.6]
+- Ansible Server Python Version: [e.g. Python 3.7.6]
+- Additional Details:
+
+**Additional Notes**
+Anything additional goes here
+
+**Possible Solution**
+Enter a suggested fix here

.github/ISSUE_TEMPLATE/feature-request-or-enhancement.md

@@ -0,0 +1,22 @@
+---
+name: Feature Request or Enhancement
+about: Suggest an idea for this project
+title: ''
+labels: enhancement
+assignees: ''
+
+---
+
+## Feature Request or Enhancement
+
+- Feature []
+- Enhancement []
+
+**Summary of Request**
+A clear and concise description of what you want to happen.
+
+**Describe alternatives you've considered**
+A clear and concise description of any alternative solutions or features you've considered.
+
+**Suggested Code**
+Please provide any code you have in mind to fulfill the request

.github/ISSUE_TEMPLATE/question.md

@@ -0,0 +1,18 @@
+---
+name: Question
+about: Ask away.......
+title: ''
+labels: question
+assignees: ''
+
+---
+
+**Question**
+Pose question here.
+
+**Environment (please complete the following information):**
+
+- Ansible Version: [e.g. 2.10]
+- Host Python Version: [e.g. Python 3.7.6]
+- Ansible Server Python Version: [e.g. Python 3.7.6]
+- Additional Details:

.github/pull_request_template.md

@@ -0,0 +1,12 @@
+**Overall Review of Changes:**
+A general description of the changes made that are being requested for merge
+
+**Issue Fixes:**
+Please list (using linking) any open issues this PR addresses
+
+**Enhancements:**
+Please list any enhancements/features that are not open issue tickets
+
+**How has this been tested?:**
+Please give an overview of how these changes were tested. If they were not please use N/A
+

.github/workflows/communitytodevel.yml

@@ -0,0 +1,39 @@
+---
+# This is a basic workflow to help you get started with Actions
+
+name: CommunityToDevel
+
+# Controls when the action will run. Triggers the workflow on push or pull request
+# events but only for the devel branch
+on:
+    pull_request:
+        branches: [ devel ]
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+jobs:
+    # This workflow contains a single job called "build"
+    build:
+        # The type of runner that the job will run on
+        runs-on: ubuntu-latest
+
+        # Steps represent a sequence of tasks that will be executed as part of the job
+        steps:
+            # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+            - uses: actions/checkout@v2
+
+            # Refactr pipeline for devel pull request/merge
+            - name: Refactr - Run Pipeline (to devel)
+              # You may pin to the exact commit or the version.
+              # uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
+              uses: refactr/action-run-pipeline@v0.1.2
+              with:
+                  # API token
+                  api_token: '${{ secrets.REFACTR_KEY }}'
+                  # Project ID
+                  project_id: 5f47f0c4a13c7b18373e5556
+                  # Job ID
+                  job_id: 5f933cbcf9c74e86b1609c00
+                  # Variables
+                  variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL9-CIS.git", "image": "ami-04483b15b4268d18d", "githubBranch": "${{ github.head_ref }}", "username": "centos" }'
+                  # Refactr API base URL
+                  api_url:  # optional

.github/workflows/develtomain.yml

@@ -0,0 +1,40 @@
+---
+# This is a basic workflow to help you get started with Actions
+
+name: DevelToMain
+
+# Controls when the action will run. Triggers the workflow on push or pull request
+# events but only for the devel branch
+on:
+    pull_request:
+        branches: [ main ]
+
+# A workflow run is made up of one or more jobs that can run sequentially or in parallel
+
+jobs:
+    # This workflow contains a single job called "build"
+    build:
+        # The type of runner that the job will run on
+        runs-on: ubuntu-latest
+
+        # Steps represent a sequence of tasks that will be executed as part of the job
+        steps:
+            # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
+            - uses: actions/checkout@v2
+
+            # Refactr pipeline for devel pull request/merge
+            - name: Refactr - Run Pipeline (to main)
+              # You may pin to the exact commit or the version.
+              # uses: refactr/action-run-pipeline@be91e2796aa225268e4685c0e01a26d5f800cd53
+              uses: refactr/action-run-pipeline@v0.1.2
+              with:
+                  # API token
+                  api_token: '${{ secrets.REFACTR_KEY }}'
+                  # Project ID
+                  project_id: 5f47f0c4a13c7b18373e5556
+                  # Job ID
+                  job_id: 5f90ad90f9c74e6d1e606e33
+                  # Variables
+                  variables: '{ "gitrepo": "https://github.com/ansible-lockdown/RHEL9-CIS.git", "image": "ami-04483b15b4268d18d", "username": "centos" }'
+                  # Refactr API base URL
+                  api_url:  # optional

tasks/section_6/cis_6.2.x.yml

@@ -137,6 +137,9 @@
         with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', min_int_uid | int) | selectattr('uid', '<', max_int_uid | int) | selectattr('dir', '!=', '/') | map(attribute='dir') | list }}"
         register: rhel_09_6_2_7_audit
 
+      - debug:
+          var: rhel_09_6_2_7_audit
+
       - name: "6.2.7 | L1 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive"
         shell: find -H {{ item.0 | quote }} -not -type l -perm /027
         args: