From 1e22c1379400ab4d3da111c4929fdc0b48747b0c Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 16 Sep 2022 11:04:19 +0100
Subject: [PATCH] linting
Signed-off-by: Mark Bolwell
---
handlers/main.yml | 8 ++++----
tasks/LE_audit_setup.yml | 2 +-
tasks/auditd.yml | 14 ++++++++------
tasks/main.yml | 28 ++++++++++++++--------------
tasks/post.yml | 2 +-
tasks/post_remediation_audit.yml | 4 ++--
tasks/pre_remediation_audit.yml | 7 +++++--
tasks/prelim.yml | 4 +++-
8 files changed, 38 insertions(+), 31 deletions(-)
diff --git a/handlers/main.yml b/handlers/main.yml
index 9264a42..533660d 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -15,7 +15,7 @@ value: '1' sysctl_set: true ignore_errors: true - when: + when: - flush_ipv4_route - not system_is_container tags:
@@ -27,7 +27,7 @@ name: net.ipv6.route.flush value: '1' sysctl_set: true - when: + when: - flush_ipv6_route - not system_is_container
@@ -78,7 +78,7 @@ shell: "grub2-mkconfig -o /boot/grub2/grub.cfg" args: warn: false - ignore_errors: True + ignore_errors: true tags: - skip_ansible_lint
@@ -130,4 +130,4 @@ - name: change_requires_reboot set_fact: - change_requires_reboot: true
\ No newline at end of file
+ change_requires_reboot: true
diff --git a/tasks/LE_audit_setup.yml b/tasks/LE_audit_setup.yml
index e4cac49..98f3855 100644
--- a/tasks/LE_audit_setup.yml
+++ b/tasks/LE_audit_setup.yml
@@ -22,7 +22,7 @@ - get_goss_file == 'copy' - name: install git if not present - package: + package: name: git state: present register: git_installed
diff --git a/tasks/auditd.yml b/tasks/auditd.yml
index 9c5a14e..74830ca 100644
--- a/tasks/auditd.yml
+++ b/tasks/auditd.yml
@@ -1,3 +1,5 @@ +--- + - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added template: src: audit/99_auditd.rules.j2 
@@ -6,18 +8,18 @@ group: root mode: 0600 register: audit_rules_updated - notify: + notify: - auditd_immutable_check - audit_immutable_fact - restart auditd - name: POST | Set up auditd user logging exceptions template: - src: audit/98_auditd_exception.rules.j2 - dest: /etc/audit/rules.d/98_auditd_exceptions.rules - owner: root - group: root - mode: 0600 + src: audit/98_auditd_exception.rules.j2 + dest: /etc/audit/rules.d/98_auditd_exceptions.rules + owner: root + group: root + mode: 0600 notify: restart auditd when: - allow_auditd_uid_user_exclusions
diff --git a/tasks/main.yml b/tasks/main.yml
index ecddbaa..0d272b1 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml 
@@ -22,20 +22,20 @@ - name: "Check password set for {{ ansible_user }}" block: - - name: Capture current password state of "{{ ansible_user }}" - shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'" - changed_when: false - failed_when: false - check_mode: false - register: ansible_user_password_set + - name: Capture current password state of "{{ ansible_user }}" + shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'" + changed_when: false + failed_when: false + check_mode: false + register: ansible_user_password_set - - name: "Assert that password set for {{ ansible_user }} and account not locked" - assert: - that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!" - fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_user }} has no password set - It can break access" - success_msg: "You a password set for the {{ ansible_user }}" - vars: - sudo_password_rule: rhel9cis_rule_5_3_4 + - name: "Assert that password set for {{ ansible_user }} and account not locked" + assert: + that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!" + fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_user }} has no password set - It can break access" + success_msg: "You a password set for the {{ ansible_user }}" + vars: + sudo_password_rule: rhel9cis_rule_5_3_4 when: - rhel9cis_rule_5_3_4 - not system_is_ec2
@@ -205,7 +205,7 @@ - name: If Warnings found Output count and control IDs affected debug: - msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ control_number }}" + msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ control_number }}" when: warn_count != 0 tags: - always
diff --git a/tasks/post.yml b/tasks/post.yml
index 3a8a0ed..3b5c3f2 100644
--- a/tasks/post.yml 
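Review bot: The probe in the first task of the block, `shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'"`, matches the username as an unanchored substring, so for a user such as `admin` it also returns the hash fields of `sysadmin` or `admin2` and stdout becomes multi-line; the assert that follows only tests `length != 0` and `!= "!!"`, so it can pass on another account's field while the connecting user is still locked or passwordless. Anchoring the match to the account field fixes it: `shell: "grep '^{{ ansible_user }}:' /etc/shadow | awk -F: '{print $2}'"`. The `success_msg` also reads `You a password set for the {{ ansible_user }}`; `You have a password set for {{ ansible_user }}` is presumably what was meant. The hunk's lines are an indentation-only change, and any keys after `- not system_is_ec2` lie outside it.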
+++ b/tasks/post.yml
@@ -53,7 +53,7 @@ - name: "POST | Warning a reboot required but skip option set | warning count" set_fact: control_number: "{{ control_number }} + [ 'Reboot_required' ]" - warn_count: "{{ warn_count|int + 1 }}" + warn_count: "{{ warn_count | int + 1 }}" when: - change_requires_reboot - skip_reboot
diff --git a/tasks/post_remediation_audit.yml b/tasks/post_remediation_audit.yml
index 0ab61b2..4429b7e 100644
--- a/tasks/post_remediation_audit.yml
+++ b/tasks/post_remediation_audit.yml
@@ -2,7 +2,7 @@ - name: "Post Audit | Run post_remediation {{ benchmark }} audit" shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}" - environment: "{{ audit_run_script_environment|default({}) }}" + environment: "{{ audit_run_script_environment | default({}) }}" changed_when: audit_run_post_remediation.rc == 0 register: audit_run_post_remediation args:
@@ -28,7 +28,7 @@ - name: Capture post-audit result set_fact: - post_audit_summary: "{{ post_audit.stdout | from_json |json_query(summary) }}" + post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}" vars: summary: 'summary."summary-line"' when:
diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml
index bb9344a..93c4985 100644
--- a/tasks/pre_remediation_audit.yml
+++ b/tasks/pre_remediation_audit.yml
@@ -33,6 +33,9 @@ get_url: url: "{{ audit_files_url }}" dest: "{{ audit_conf_dir }}" + owner: root + group: root + mode: 0755 when: - audit_content == 'get_url'
@@ -70,7 +73,7 @@ - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit" shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}" - environment: "{{ audit_run_script_environment|default({}) }}" + environment: "{{ audit_run_script_environment | default({}) }}" changed_when: audit_run_pre_remediation.rc == 0 register: audit_run_pre_remediation args: 
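Review bot: The added `mode: 0755` in the tasks/pre_remediation_audit.yml `get_url` hunk is an unquoted octal literal whose value depends on the loader: PyYAML (YAML 1.1) hands Ansible the integer 493, which works only because of the leading zero, while a YAML 1.2 parser would read decimal 755; `mode: "0755"` removes that dependence, and the two `mode: 0600` lines in tasks/auditd.yml have the same shape. Separately, this task fetches `{{ audit_files_url }}` into `{{ audit_conf_dir }}` with no integrity check, and that content appears to be what the `{{ audit_conf_dir }}/run_audit.sh` step in the next hunk executes; a `checksum: "sha256:<DIGEST-PLACEHOLDER>"` on the task (or a URL to a published checksum file) would pin what lands on the host before it runs. The task's `- name:` line sits above the hunk.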
@@ -87,7 +90,7 @@ - name: Pre Audit | Capture pre-audit result set_fact: - pre_audit_summary: "{{ pre_audit.stdout | from_json |json_query(summary) }}" + pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}" vars: summary: 'summary."summary-line"' when:
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index 2646e98..55546d1 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -217,7 +217,9 @@ min_int_uid: "{{ uid_min_id.stdout }}" max_int_uid: "{{ uid_max_id.stdout }}" min_int_gid: "{{ gid_min_id.stdout }}" -- debug: + +- name: Output of uid findings + debug: msg: "{{ min_int_uid }} {{ max_int_uid }}" when: