From 13a6746997cab89006f5c8007c631653ca60c4ef Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Tue, 5 Apr 2022 10:24:47 +0100 Subject: [PATCH] lint Signed-off-by: Mark Bolwell --- defaults/main.yml | 6 +-- handlers/main.yml | 14 ++--- local.yml | 1 - meta/main.yml | 6 +-- tasks/main.yml | 94 ++++++++++++++++----------------- tasks/post.yml | 2 +- tasks/prelim.yml | 7 ++- tasks/section_1/cis_1.1.4.x.yml | 2 +- tasks/section_1/cis_1.1.6.x.yml | 2 +- tasks/section_1/cis_1.5.x.yml | 2 +- tasks/section_2/cis_2.2.x.yml | 6 +-- tasks/section_2/cis_2.3.x.yml | 2 +- tasks/section_2/cis_2.4.yml | 2 +- tasks/section_2/main.yml | 2 +- tasks/section_3/cis_3.1.x.yml | 6 +-- tasks/section_3/cis_3.2.x.yml | 2 +- tasks/section_3/cis_3.3.x.yml | 18 +++---- tasks/section_4/cis_4.1.3.x.yml | 1 + tasks/section_5/cis_5.1.x.yml | 2 +- tasks/section_5/cis_5.5.x.yml | 24 ++++----- tasks/section_5/cis_5.6.x.yml | 4 +- tasks/section_6/main.yml | 2 +- vars/AlmaLinux.yml | 2 +- vars/is_container.yml | 2 +- 24 files changed, 104 insertions(+), 107 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 3effee2..a0bf863 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -383,8 +383,6 @@ rhel9cis_rh_sub_password: password rhel9cis_rhnsd_required: false - - # 1.4.2 Bootloader password rhel9cis_bootloader_password_hash: 'grub.pbkdf2.sha512.changethispassword' rhel9cis_bootloader_password: random @@ -454,7 +452,7 @@ rhel9cis_telnet_server: false rhel9cis_is_mail_server: false # Note the options # Packages are used for client services and Server- only remove if you dont use the client service -# +# rhel9cis_use_nfs: - service: false - server: false @@ -484,7 +482,7 @@ rhel9cis_firewall: firewalld ##### firewalld rhel9cis_default_zone: public -rhel9cis_firewalld_nftables_state: masked # Note if absent removes the firewalld pkg dependancy +rhel9cis_firewalld_nftables_state: masked # Note if absent removes the firewalld pkg dependancy #### nftables rhel9cis_nftables_firewalld_state: absent diff --git a/handlers/main.yml b/handlers/main.yml index 9a8b657..b0f3e7d 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -33,18 +33,18 @@ - 60-disable_ipv6.conf - 60-netipv4_sysctl.conf - 60-netipv6_sysctl.conf - when: + when: - ansible_virtualization_type != "docker" - "'procps-ng' in ansible_facts.packages" - name: reload sysctl sysctl: - name: net.ipv4.route.flush - value: '1' - state: present - reload: true - ignoreerrors: true - when: + name: net.ipv4.route.flush + value: '1' + state: present + reload: true + ignoreerrors: true + when: - ansible_virtualization_type != "docker" - "'systemd' in ansible_facts.packages" diff --git a/local.yml b/local.yml index 3f17560..18c2f43 100644 --- a/local.yml +++ b/local.yml @@ -6,4 +6,3 @@ roles: - role: "{{ playbook_dir }}" - diff --git a/meta/main.yml b/meta/main.yml index 266a468..aac8be8 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -22,7 +22,7 @@ galaxy_info: - disa - rhel9 collections: - - community.general - - community.crypto - - ansible.posix + - community.general + - community.crypto + - ansible.posix dependencies: [] diff --git a/tasks/main.yml b/tasks/main.yml index f44197c..8bda2a6 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -6,9 +6,9 @@ that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('8', '==') fail_msg: "This role can only be run against Supported OSs. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported." success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}" - when: - - os_check - - not system_is_ec2 + when: + - os_check + - not system_is_ec2 tags: - always @@ -29,7 +29,7 @@ - name: Load variable for container include_vars: file: "{{ container_vars_file }}" - + - name: output if discovered is a container debug: msg: system has been discovered as a container @@ -53,128 +53,128 @@ that: rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword' msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set" when: - - rhel9cis_set_boot_pass - - rhel9cis_rule_1_5_2 + - rhel9cis_set_boot_pass + - rhel9cis_rule_1_5_2 - name: "check sugroup exists if used" block: - - name: "Check su group exists if defined" - shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group - args: - warn: false - register: sugroup_exists - changed_when: false - failed_when: sugroup_exists.rc >= 2 - tags: - - skip_ansible_lint + - name: "Check su group exists if defined" + shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group + args: + warn: false + register: sugroup_exists + changed_when: false + failed_when: sugroup_exists.rc >= 2 + tags: + - skip_ansible_lint - - name: Check sugroup if defined exists before continuing - assert: - that: sugroup_exists.rc == 0 - msg: "The variable rhel9cis_sugroup is defined but does not exist please rectify" + - name: Check sugroup if defined exists before continuing + assert: + that: sugroup_exists.rc == 0 + msg: "The variable rhel9cis_sugroup is defined but does not exist please rectify" when: - - rhel9cis_sugroup is defined - - rhel9cis_rule_5_7 + - rhel9cis_sugroup is defined + - rhel9cis_rule_5_7 tags: - - rule_5.7 + - rule_5.7 - name: Gather the package facts package_facts: manager: auto tags: - - always + - always - name: Include OS specific variables include_vars: "{{ ansible_distribution }}.yml" tags: - - always + - always - name: Include preliminary steps import_tasks: prelim.yml tags: - - prelim_tasks - - always + - prelim_tasks + - always - name: run pre_remediation audit include_tasks: pre_remediation_audit.yml when: - - run_audit + - run_audit - name: Gather the package facts after prelim package_facts: manager: auto tags: - - always + - always - name: capture /etc/password variables include_tasks: parse_etc_password.yml - when: - - rhel9cis_section6 + when: + - rhel9cis_section6 tags: - - rule_5.5.2 - - rule_5.6.2 - - rule_6.2.9 - - rule_6.2.10 - - rule_6.2.11 - - rhel9cis_section5 - - rhel9cis_section6 + - rule_5.5.2 + - rule_5.6.2 + - rule_6.2.9 + - rule_6.2.10 + - rule_6.2.11 + - rhel9cis_section5 + - rhel9cis_section6 - name: run Section 1 tasks import_tasks: section_1/main.yml become: true when: rhel9cis_section1 tags: - - rhel9cis_section1 + - rhel9cis_section1 - name: run Section 2 tasks import_tasks: section_2/main.yml become: true when: rhel9cis_section2 tags: - - rhel9cis_section2 + - rhel9cis_section2 - name: run Section 3 tasks import_tasks: section_3/main.yml become: true when: rhel9cis_section3 tags: - - rhel9cis_section3 + - rhel9cis_section3 - name: run Section 4 tasks import_tasks: section_4/main.yml become: true when: rhel9cis_section4 tags: - - rhel9cis_section4 + - rhel9cis_section4 - name: run Section 5 tasks import_tasks: section_5/main.yml become: true when: rhel9cis_section5 tags: - - rhel9cis_section5 + - rhel9cis_section5 - name: run Section 6 tasks import_tasks: section_6/main.yml become: true when: rhel9cis_section6 tags: - - rhel9cis_section6 + - rhel9cis_section6 - name: run post remediation tasks import_tasks: post.yml become: true tags: - - post_tasks - - always + - post_tasks + - always - name: run post_remediation audit import_tasks: post_remediation_audit.yml when: - - run_audit + - run_audit - name: Show Audit Summary debug: msg: "{{ audit_results.split('\n') }}" when: - - run_audit + - run_audit diff --git a/tasks/post.yml b/tasks/post.yml index a8e1d00..69783ab 100644 --- a/tasks/post.yml +++ b/tasks/post.yml @@ -10,7 +10,7 @@ package_facts: manager: auto tags: - - always + - always - name: trigger update sysctl shell: /bin/true diff --git a/tasks/prelim.yml b/tasks/prelim.yml index 47d1434..eb02040 100644 --- a/tasks/prelim.yml +++ b/tasks/prelim.yml @@ -87,7 +87,7 @@ name: audit state: present become: true - when: + when: - '"auditd" not in ansible_facts.packages' - rhel9cis_rule_4_1_1_1 tags: @@ -209,7 +209,7 @@ shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}' changed_when: false register: uid_min_id - + - name: "PRELIM | AUDIT | Capture UID_MAX information from logins.def" shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}' changed_when: false @@ -226,8 +226,7 @@ max_int_uid: "{{ uid_max_id.stdout }}" min_int_gid: "{{ gid_min_id.stdout }}" - debug: - msg: "{{ min_int_uid }} {{ max_int_uid }}" + msg: "{{ min_int_uid }} {{ max_int_uid }}" when: - not discover_int_uid - diff --git a/tasks/section_1/cis_1.1.4.x.yml b/tasks/section_1/cis_1.1.4.x.yml index 7ea3627..5a901c2 100644 --- a/tasks/section_1/cis_1.1.4.x.yml +++ b/tasks/section_1/cis_1.1.4.x.yml @@ -61,4 +61,4 @@ - skip_ansible_lint - rule_1.1.4.2 - rule_1.1.4.3 - - rule_1.1.4.4 \ No newline at end of file + - rule_1.1.4.4 diff --git a/tasks/section_1/cis_1.1.6.x.yml b/tasks/section_1/cis_1.1.6.x.yml index 94e85d2..1df3e84 100644 --- a/tasks/section_1/cis_1.1.6.x.yml +++ b/tasks/section_1/cis_1.1.6.x.yml @@ -58,4 +58,4 @@ - skip_ansible_lint - rule_1.1.6.2 - rule_1.1.6.3 - - rule_1.1.6.4 \ No newline at end of file + - rule_1.1.6.4 diff --git a/tasks/section_1/cis_1.5.x.yml b/tasks/section_1/cis_1.5.x.yml index f9f4c31..6573e51 100644 --- a/tasks/section_1/cis_1.5.x.yml +++ b/tasks/section_1/cis_1.5.x.yml @@ -34,7 +34,7 @@ - name: "1.5.3 | PATCH | Ensure address space layout randomization (ASLR) is enabled" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-kernel_sysctl.conf" - notify: + notify: - update sysctl when: - rhel9cis_rule_1_5_3 diff --git a/tasks/section_2/cis_2.2.x.yml b/tasks/section_2/cis_2.2.x.yml index 7ba7bb4..577ea45 100644 --- a/tasks/section_2/cis_2.2.x.yml +++ b/tasks/section_2/cis_2.2.x.yml @@ -65,7 +65,7 @@ - name: "2.2.5 | PATCH | Ensure DHCP Server is not installed" package: name: dhcp-server - state: absent + state: absent when: - not rhel9cis_dhcp_server - "'dhcp-server' in ansible_facts.packages" @@ -113,7 +113,7 @@ - name: "2.2.8 | PATCH | Ensure VSFTP Server is not installed" package: name: vsftpd - state: absent + state: absent when: - not rhel9cis_vsftpd_server - "'vsftpd' in ansible_facts.packages" @@ -222,7 +222,7 @@ - name: "2.2.13 | PATCH | Ensure HTTP Proxy Server is not installed" package: name: squid - state: absent + state: absent when: - not rhel9cis_squid_server - "'squid' in ansible_facts.packages" diff --git a/tasks/section_2/cis_2.3.x.yml b/tasks/section_2/cis_2.3.x.yml index 52159bc..a1941da 100644 --- a/tasks/section_2/cis_2.3.x.yml +++ b/tasks/section_2/cis_2.3.x.yml @@ -32,7 +32,7 @@ - rsh - rule_2.3.2 -- name: "2.3.3 | PATCH | Ensure talk client is not installed" +- name: "2.3.3 | PATCH | Ensure talk client is not installed" package: name: talk state: absent diff --git a/tasks/section_2/cis_2.4.yml b/tasks/section_2/cis_2.4.yml index a80d340..5db134e 100644 --- a/tasks/section_2/cis_2.4.yml +++ b/tasks/section_2/cis_2.4.yml @@ -23,4 +23,4 @@ - manual - audit - services - - rule_2.4 \ No newline at end of file + - rule_2.4 diff --git a/tasks/section_2/main.yml b/tasks/section_2/main.yml index 731f10c..8f79854 100644 --- a/tasks/section_2/main.yml +++ b/tasks/section_2/main.yml @@ -10,4 +10,4 @@ import_tasks: cis_2.3.x.yml - name: "SECTION | 2.4 | Nonessential services removed" - import_tasks: cis_2.4.yml \ No newline at end of file + import_tasks: cis_2.4.yml diff --git a/tasks/section_3/cis_3.1.x.yml b/tasks/section_3/cis_3.1.x.yml index 5033e5a..db3c0fd 100644 --- a/tasks/section_3/cis_3.1.x.yml +++ b/tasks/section_3/cis_3.1.x.yml @@ -1,11 +1,11 @@ --- -# The CIS Control wants IPv6 disabled if not in use. +# The CIS Control wants IPv6 disabled if not in use. # We are using the rhel9cis_ipv6_required to specify if you have IPv6 in use - name: "3.1.1 | PATCH | Verify if IPv6 is enabled on the system" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-disable_ipv6.conf" - notify: + notify: - update sysctl - sysctl flush ipv6 route table when: @@ -88,4 +88,4 @@ - automated - patch - wireless - - rule_3.1.4 \ No newline at end of file + - rule_3.1.4 diff --git a/tasks/section_3/cis_3.2.x.yml b/tasks/section_3/cis_3.2.x.yml index b7f0f6b..46295ec 100644 --- a/tasks/section_3/cis_3.2.x.yml +++ b/tasks/section_3/cis_3.2.x.yml @@ -5,7 +5,7 @@ - name: "3.2.1 | PATCH | Ensure IP forwarding is disabled | Disable IPv4 forwarding" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - notify: + notify: - update sysctl - sysctl flush ipv4 route table diff --git a/tasks/section_3/cis_3.3.x.yml b/tasks/section_3/cis_3.3.x.yml index e6d4952..139ca65 100644 --- a/tasks/section_3/cis_3.3.x.yml +++ b/tasks/section_3/cis_3.3.x.yml @@ -5,7 +5,7 @@ - name: "3.3.1 | PATCH | Ensure source routed packets are not accepted" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - notify: + notify: - update sysctl - sysctl flush ipv4 route table @@ -30,7 +30,7 @@ - name: "3.3.2 | PATCH | Ensure ICMP redirects are not accepted" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - notify: + notify: - update sysctl - sysctl flush ipv4 route table @@ -52,7 +52,7 @@ - name: "3.3.3 | PATCH | Ensure secure ICMP redirects are not accepted" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" notify: update sysctl when: - rhel9cis_rule_3_3_3 @@ -65,7 +65,7 @@ - name: "3.3.4 | PATCH | Ensure suspicious packets are logged" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" notify: update sysctl when: - rhel9cis_rule_3_3_4 @@ -78,7 +78,7 @@ - name: "3.3.5 | PATCH | Ensure broadcast ICMP requests are ignored" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" notify: update sysctl when: - rhel9cis_rule_3_3_5 @@ -91,7 +91,7 @@ - name: "3.3.6 | PATCH | Ensure bogus ICMP responses are ignored" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" notify: update sysctl when: - rhel9cis_rule_3_3_6 @@ -104,7 +104,7 @@ - name: "3.3.7 | PATCH | Ensure Reverse Path Filtering is enabled" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" notify: update sysctl when: - rhel9cis_rule_3_3_7 @@ -117,7 +117,7 @@ - name: "3.3.8 | PATCH | Ensure TCP SYN Cookies is enabled" debug: - msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" + msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" notify: update sysctl when: - rhel9cis_rule_3_3_8 @@ -133,7 +133,7 @@ - name: "3.3.9 | PATCH | Ensure IPv6 router advertisements are not accepted" debug: msg: "Control being set via Handler 'update sysctl' which writes to /etc/sysctl.d/60-netipv4_sysctl.conf" - notify: + notify: - update sysctl - sysctl flush ipv4 route table diff --git a/tasks/section_4/cis_4.1.3.x.yml b/tasks/section_4/cis_4.1.3.x.yml index dee0f21..0c39267 100644 --- a/tasks/section_4/cis_4.1.3.x.yml +++ b/tasks/section_4/cis_4.1.3.x.yml @@ -1,3 +1,4 @@ +--- - name: "4.1.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected" debug: diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml index 9e8657e..734b434 100644 --- a/tasks/section_5/cis_5.1.x.yml +++ b/tasks/section_5/cis_5.1.x.yml @@ -168,4 +168,4 @@ - automated - patch - cron - - rule_5.1.9 \ No newline at end of file + - rule_5.1.9 diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml index bed1b28..10b18a7 100644 --- a/tasks/section_5/cis_5.5.x.yml +++ b/tasks/section_5/cis_5.5.x.yml @@ -54,7 +54,7 @@ with_items: - "system-auth" - "password-auth" - when: + when: - ansible_distribution_version <= "8.1" - rhel9cis_rule_5_5_2 @@ -67,7 +67,7 @@ with_items: - { regexp: '^\s*deny\s*=\s*[1-5]\b', line: 'deny = 5' } - { regexp: '^\s*unlock_time\s*=\s*(0|9[0-9][0-9]|[1-9][0-9][0-9][0-9]+)\b', line: 'unlock_time = 900' } - when: + when: - ansible_distribution_version >= "8.2" - rhel9cis_rule_5_5_2 @@ -79,9 +79,9 @@ state: present line: "password requisite pam_pwhistory.so try_first_pass local_users_only enforce_for_root retry=3 remember={{ rhel9cis_pam_faillock.remember }}" insertafter: '^password\s*requisite\s*pam_pwquality.so' - + - name: "5.5.3 | PATCH | Ensure password reuse is limited | pam_unix" - replace: + replace: path: /etc/pam.d/system-auth regexp: '^password\s*sufficient\s*pam_unix.so.*$' replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' @@ -97,15 +97,15 @@ block: - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | libuser.conf" replace: - path: /etc/libuser.conf - regexp: '^crypt_style\s*=\s*.*$' - replace: 'crypt_style = sha512' - + path: /etc/libuser.conf + regexp: '^crypt_style\s*=\s*.*$' + replace: 'crypt_style = sha512' + - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | login.defs" replace: - path: /etc/login.defs - regexp: '^ENCRYPT_METHOD.*' - replace: 'ENCRYPT_METHOD SHA512' + path: /etc/login.defs + regexp: '^ENCRYPT_METHOD.*' + replace: 'ENCRYPT_METHOD SHA512' - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | password-auth" replace: @@ -114,7 +114,7 @@ replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' - name: "5.5.4 | PATCH | Ensure password hashing algorithm is SHA-512 | system-auth" - replace: + replace: path: /etc/pam.d/system-auth regexp: '^password\s*sufficient\s*pam_unix.so.*$' replace: 'password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember={{ rhel9cis_pam_faillock.remember }}' diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index 8d96b4b..420ce12 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -73,8 +73,8 @@ - name: "5.6.4 | PATCH | Ensure default group for the root account is GID 0" user: - name: root - group: 0 + name: root + group: 0 when: - rhel9cis_rule_5_6_4 tags: diff --git a/tasks/section_6/main.yml b/tasks/section_6/main.yml index 6161273..b6acabf 100644 --- a/tasks/section_6/main.yml +++ b/tasks/section_6/main.yml @@ -4,4 +4,4 @@ import_tasks: cis_6.1.x.yml - name: "SECTION | 6.2 | User and Group Settings" - import_tasks: cis_6.2.x.yml \ No newline at end of file + import_tasks: cis_6.2.x.yml diff --git a/vars/AlmaLinux.yml b/vars/AlmaLinux.yml index 8f9f4b7..69e5994 100644 --- a/vars/AlmaLinux.yml +++ b/vars/AlmaLinux.yml @@ -1,4 +1,4 @@ --- # OS Specific Settings -rpm_gpg_key: RPM-GPG-KEY-AlmaLinux \ No newline at end of file +rpm_gpg_key: RPM-GPG-KEY-AlmaLinux diff --git a/vars/is_container.yml b/vars/is_container.yml index 1a39591..32504ee 100644 --- a/vars/is_container.yml +++ b/vars/is_container.yml @@ -54,7 +54,7 @@ rhel9cis_rule_1_1_2: false rhel9cis_rule_1_1_3: false rhel9cis_rule_1_1_4: false rhel9cis_rule_1_1_5: false -#/var +# /var rhel9cis_rule_1_1_6: false # /var/tmp rhel9cis_rule_1_1_7: false