lint and best practise

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

handlers/main.yml

@@ -145,7 +145,8 @@
   listen: "Remount /var/log/audit"
 
 - name: Reload sysctl
-  ansible.builtin.shell: sysctl --system
+  ansible.builtin.command: sysctl --system
+  changed_when: true
 
 - name: Sysctl flush ipv4 route table
   when:
@@ -181,8 +182,8 @@
 
 - name: Set Crypto Policy
   when: prelim_system_wide_crypto_policy.stdout != rhel9cis_full_crypto_policy
-  ansible.builtin.shell: |
+  ansible.builtin.command: update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}"
-    update-crypto-policies --set "{{ rhel9cis_full_crypto_policy }}"
+  changed_when: true
   notify:
     - Change_requires_reboot
     - Restart sshd
@@ -203,10 +204,12 @@
     state: restarted
 
 - name: Reload dconf
-  ansible.builtin.shell: dconf update
+  ansible.builtin.command: dconf update
+  changed_when: true
 
 - name: Grub2cfg
-  ansible.builtin.shell: "grub2-mkconfig -o /boot/grub2/grub.cfg"
+  ansible.builtin.command: "grub2-mkconfig -o /boot/grub2/grub.cfg"
+  changed_when: true
   ignore_errors: true  # noqa ignore-errors
 
 - name: Restart rsyslog
@@ -229,12 +232,13 @@
     daemon-reload: true
 
 - name: Authselect update
-  ansible.builtin.shell: authselect apply-changes
+  ansible.builtin.command: authselect apply-changes
+  changed_when: true
 
 ## Auditd tasks note order for handlers to run
 
 - name: Auditd immutable check
-  ansible.builtin.shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
+  ansible.builtin.command: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
   changed_when: false
   register: discovered_auditd_immutable_check
 
@@ -246,7 +250,8 @@
   notify: Change_requires_reboot
 
 - name: Stop auditd process
-  ansible.builtin.shell: systemctl kill auditd
+  ansible.builtin.command: systemctl kill auditd
+  changed_when: true
   listen: Restart auditd
 
 - name: Start auditd process

tasks/main.yml

@@ -81,14 +81,14 @@
   vars:
     sudo_password_rule: rhel9cis_rule_5_2_4  # pragma: allowlist secret
   block:
-    - name: "Check password set for {{ ansible_env.SUDO_USER }} | password state"
+    - name: "Check password set for {{ ansible_env.SUDO_USER }} | password state"  # noqa name[template]
       ansible.builtin.shell: "(grep {{ ansible_env.SUDO_USER }} /etc/shadow || echo 'not found:not found') | awk -F: '{print $2}'"
       changed_when: false
       failed_when: false
       check_mode: false
       register: prelim_ansible_user_password_set
 
-    - name: "Check for local account {{ ansible_env.SUDO_USER }} | Check for local account"
+    - name: "Check for local account {{ ansible_env.SUDO_USER }} | Check for local account"  # noqa name[template]
       when: prelim_ansible_user_password_set.stdout == "not found"
       ansible.builtin.debug:
         msg: "No local account found for {{ ansible_env.SUDO_USER }} user. Skipping local account checks."
@@ -97,7 +97,7 @@
       when:
         - prelim_ansible_user_password_set.stdout != "not found"
       block:
-        - name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set"
+        - name: "Check password set for {{ ansible_env.SUDO_USER }} | Assert local password set"  # noqa name[template]
           ansible.builtin.assert:
             that:
               - prelim_ansible_user_password_set.stdout | length != 0
@@ -105,7 +105,7 @@
             fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_env.SUDO_USER }} has no password set - It can break access"
             success_msg: "You have a password set for the {{ ansible_env.SUDO_USER }} user"
 
-        - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked"
+        - name: "Check account is not locked for {{ ansible_env.SUDO_USER }} | Assert local account not locked"  # noqa name[template]
           ansible.builtin.assert:
             that:
               - not prelim_ansible_user_password_set.stdout.startswith("!")

tasks/parse_etc_password.yml

@@ -5,7 +5,7 @@
     - always
   block:
     - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd"
-      ansible.builtin.shell: cat /etc/passwd
+      ansible.builtin.command: cat /etc/passwd
       changed_when: false
       check_mode: false
       register: rhel9cis_passwd_file_audit

tasks/post.yml

@@ -29,28 +29,23 @@
   ansible.builtin.meta: flush_handlers
 
 - name: POST | reboot system if changes require it and not skipped
+  when: change_requires_reboot
   tags:
     - always
+  vars:
+    warn_control_id: Reboot_required
   block:
     - name: POST | Reboot system if changes require it and not skipped
+      when: not skip_reboot
       ansible.builtin.reboot:
-      when:
-        - change_requires_reboot
-        - not skip_reboot
 
     - name: POST | Warning a reboot required but skip option set
+      when: skip_reboot
       ansible.builtin.debug:
         msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results"
       changed_when: true
-      when:
-        - change_requires_reboot
-        - skip_reboot
 
     - name: "POST | Warning a reboot required but skip option set | warning count"
+      when: skip_reboot
       ansible.builtin.import_tasks:
         file: warning_facts.yml
-      when:
-        - change_requires_reboot
-        - skip_reboot
-  vars:
-    warn_control_id: Reboot_required

tasks/prelim.yml

@@ -103,14 +103,14 @@
     - ansible_facts.distribution == 'RedHat'
   block:
     - name: "PRELIM | AUDIT | Import gpg keys | get data"
-      ansible.builtin.shell: rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
+      ansible.builtin.command: rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'  # noqa command-instead-of-module
       changed_when: false
       failed_when: false
       register: prelim_check_gpg_imported
 
     - name: "PRELIM | AUDIT | Import gpg keys | Check Package"
       when: "'not installed' in prelim_check_gpg_imported.stdout"
-      ansible.builtin.shell: rpm -qi redhat-release | grep Signature
+      ansible.builtin.shell: rpm -qi redhat-release | grep Signature  # noqa command-instead-of-module
       changed_when: false
       failed_when: false
       register: prelim_os_gpg_package_valid
@@ -119,7 +119,9 @@
       when:
         - "'not installed' in prelim_check_gpg_imported.stdout"
         - "'Key ID 199e2f91fd431d51' in prelim_os_gpg_package_valid.stdout"
-      ansible.builtin.shell: rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+      ansible.builtin.rpm_key:
+        key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
+        state: present
 
 - name: "PRELIM | AUDIT | Check systemd coredump"
   when:
@@ -150,7 +152,7 @@
         state: present
 
     - name: "PRELIM | AUDIT | Gather system-wide crypto-policy"
-      ansible.builtin.shell: 'update-crypto-policies --show'
+      ansible.builtin.command: 'update-crypto-policies --show'
       changed_when: false
       check_mode: false
       register: prelim_system_wide_crypto_policy
@@ -269,6 +271,7 @@
   ansible.builtin.file:
     path: /etc/systemd/journald.conf.d
     state: directory
+    mode: 'u+x,g-w,o-rwx'
 
 - name: "PRELIM | PATCH | Configure System Accounting (auditd)"
   when:

templates/etc/security/pwquality.conf.d/50-pwcomplexity.conf.j2

@@ -1,9 +1,9 @@
 # CIS Configurations
 # 5.3.3.2.3 Ensure password complexity is configured
-{% if rhel9cis_passwd_complex_option == 'minclass' %}
+{% if rhel9cis_passwd_complex_option == 'minclass' %}  # pragma: allowlist secret
 minclass = {{ rhel9cis_passwd_minclass }}
 {% endif %}
-{% if rhel9cis_passwd_complex_option == 'credits' %}
+{% if rhel9cis_passwd_complex_option == 'credits' %}  # pragma: allowlist secret
 dcredit = {{rhel9cis_passwd_dcredit }}
 ucredit = {{ rhel9cis_passwd_ucredit }}
 ocredit = {{ rhel9cis_passwd_ocredit }}