diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml
index 9a1a6c2..093e900 100644
--- a/tasks/section_1/cis_1.2.x.yml
+++ b/tasks/section_1/cis_1.2.x.yml
@@ -9,7 +9,7 @@
 register: os_installed_pub_keys

 - name: "1.2.1 | AUDIT | Ensure GPG keys are configured | Query found keys"
- ansible.builtin.shell: "rpm -q --queryformat \"%{PACKAGER} %{VERSION}\\n\" {{ os_gpg_key_pubkey_name }} | grep \"{{ os_gpg_key_pubkey_content }}\""
+ ansible.builtin.shell: 'rpm -q --queryformat "%{PACKAGER} %{VERSION}\\n" {{ os_gpg_key_pubkey_name }} | grep "{{ os_gpg_key_pubkey_content }}"'
 changed_when: false
 failed_when: false
 register: os_gpg_key_check
@@ -47,15 +47,13 @@
 paths: /etc/yum.repos.d
 patterns: "*.repo"
 register: yum_repos
- changed_when: false

 - name: "1.2.2 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos"
 ansible.builtin.replace:
 name: "{{ item.path }}"
 regexp: "^gpgcheck=0"
 replace: "gpgcheck=1"
- with_items:
- - "{{ yum_repos.files }}"
+ loop: "{{ yum_repos.files }}"
 loop_control:
 label: "{{ item.path }}"
 when:
@@ -102,20 +100,23 @@
 ansible.builtin.lineinfile:
 path: /etc/dnf/dnf.conf
 regexp: '^repo_gpgcheck'
- line: repo_gpgcheck 1
+ line: repo_gpgcheck=1

 - name: "1.2.4 | AUDIT| Ensure repo_gpgcheck is globally activated | get repo files"
 ansible.builtin.find:
- path: /etc/yum.repos.d
- patterns: '*.repo'
- register: repo_files
+ paths: /etc/yum.repos.d
+ patterns: "*.repo"
+ register: repo_files

 - name: "1.2.4 | PATCH | Ensure repo_gpgcheck is globally activated | amend repo files"
 ansible.builtin.lineinfile:
- path: "{{ item }}"
+ path: "{{ item.path }}"
 regexp: '^repo_gpgcheck'
 line: repo_gpgcheck=1
 loop: "{{ repo_files.files }}"
+ loop_control:
+ label: "{{ item.path }}"
+
 when:
 - rhel9cis_rule_1_2_4
 tags:
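Review bot: The new single-quoted `ansible.builtin.shell` line in the 1.2.1 hunk still interpolates `os_gpg_key_pubkey_name` and `os_gpg_key_pubkey_content` unquoted into a shell pipeline, so whitespace or shell metacharacters in either variable change the command rather than the argument; the quote-style swap does not address that. If these can be overridden from inventory or extra-vars, pass them through the `quote` filter, e.g. `{{ os_gpg_key_pubkey_name | quote }} | grep -F -- {{ os_gpg_key_pubkey_content | quote }}`, with `-F` so the key content is matched literally rather than as a regex. With `failed_when: false` the only signal left is the registered return code, so it is worth a comment stating that `os_gpg_key_check.rc` is what the following audit consumes, if that is indeed the case (the consumer is outside this hunk). The task itself continues past `register: os_gpg_key_check` outside the hunk.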
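Review bot: The 1.2.2 `ansible.builtin.replace` task addresses the file with `name: "{{ item.path }}"` while the 1.2.4 `lineinfile` tasks in this same change use `path:`; `name` is only an alias of `path` in `replace`, so switching to `path: "{{ item.path }}"` keeps the file consistent and matches the parameter the `loop_control` label refers to. The regexp `^gpgcheck=0` also only catches the exact form without spaces; if any repo files in scope are written as `gpgcheck = 0`, a pattern such as `^gpgcheck\s*=\s*0` would be needed, though that depends on the repo files this role manages. The `find` task whose `register: yum_repos` opens this hunk starts outside it.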
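Review bot: The rewritten 1.2.4 AUDIT `ansible.builtin.find` task ends at `register: repo_files` with no `when` or `tags`, whereas the sibling PATCH task in the same hunk is guarded by `when: - rhel9cis_rule_1_2_4`; unless a surrounding block applies the guard (not visible here), the find runs even when rule 1.2.4 is disabled, and its tags will not match the PATCH task's, so `when:` and `tags:` entries mirroring the PATCH task should be added. Separately, `lineinfile` with `regexp: '^repo_gpgcheck'` replaces only the last matching line and otherwise appends at end of file, so a `.repo` file holding several `[section]` blocks would get `repo_gpgcheck=1` in at most one section; a short comment on the PATCH task noting that assumption, or a switch to `ansible.builtin.replace` for the `=0` case, would make the limitation explicit. The PATCH task continues past `tags:` outside the hunk.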