sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

replaced command with shell

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2022-01-13 11:27:26 +00:00
parent ac42f8a28f
commit 3b19db6812
No known key found for this signature in database
GPG key ID: F734FDFC154B83FB
19 changed files with 75 additions and 75 deletions
Download patch file Download diff file Expand all files Collapse all files

8
handlers/main.yml
View file

@ -58,7 +58,7 @@
state: reloaded
- name: remount tmp
command: mount -o remount /tmp
shell: mount -o remount /tmp
args:
warn: false
@ -88,7 +88,7 @@
- name: reload dconf
become: yes
command: dconf update
shell: dconf update
- name: update auditd
template:
@ -100,7 +100,7 @@
notify: restart auditd
- name: restart auditd
command: /sbin/service auditd restart
shell: /sbin/service auditd restart
changed_when: no
check_mode: no
failed_when: no
@ -112,7 +112,7 @@
- skip_ansible_lint
- name: grub2cfg
command: "grub2-mkconfig -o {{ grub_cfg.stat.lnk_source }}"
shell: "grub2-mkconfig -o {{ grub_cfg.stat.lnk_source }}"
ignore_errors: True
tags:
- skip_ansible_lint

4
tasks/check_prereqs.yml
View file

@ -3,7 +3,7 @@
- name: "PREREQ | Add the required packages | Python 3"
block:
- name: Check if python36-rpm package installed
command: rpm -q python36-rpm
shell: rpm -q python36-rpm
failed_when: ( python36_rpm_present.rc not in [ 0, 1 ] )
changed_when: false
args:
@ -28,7 +28,7 @@
- libselinux-python3
- name: Disable Epel repo if installed earlier
command: yum-config-manager disable epel
shell: yum-config-manager disable epel
when: epel_installed.changed
when:
- ( ansible_python.version.major == 3 and ansible_python.version.minor == 6 )

2
tasks/parse_etc_password.yml
View file

@ -3,7 +3,7 @@
- name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd"
block:
- name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd"
command: cat /etc/passwd
shell: cat /etc/passwd
changed_when: no
check_mode: no
register: rhel9cis_passwd_file_audit

4
tasks/post.yml
View file

@ -7,7 +7,7 @@
changed_when: no
- name: trigger update sysctl
command: /bin/true
shell: /bin/true
changed_when: false
check_mode: false
notify: update sysctl
@ -29,7 +29,7 @@
- sysctl
- name: trigger update auditd
command: /bin/true
shell: /bin/true
notify: update auditd
changed_when: false
check_mode: false

4
tasks/post_remediation_audit.yml
View file

@ -17,7 +17,7 @@
- name: Post Audit | Capture audit data if json format
block:
- name: "capture data {{ post_audit_outfile }}"
command: "cat {{ post_audit_outfile }}"
shell: "cat {{ post_audit_outfile }}"
register: post_audit
changed_when: false
@ -32,7 +32,7 @@
- name: Post Audit | Capture audit data if documentation format
block:
- name: "Post Audit | capture data {{ post_audit_outfile }}"
command: "tail -2 {{ post_audit_outfile }}"
shell: "tail -2 {{ post_audit_outfile }}"
register: post_audit
changed_when: false

12
tasks/pre_remediation_audit.yml
View file

@ -59,11 +59,11 @@
path: "{{ audit_bin }}"
register: goss_available
- name: Pre Audit | If audit ensure goss is available
- name: Pre Audit | Alert if goss not available
assert:
msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}"
when:
- not goss_available.stat.exists
that: goss_available.stat.exists
fail_msg: "Audit binary file {{ audit_bin }} does not exist"
success_msg: "Audit binary file {{ audit_bin }} exists"
when:
- run_audit
@ -92,7 +92,7 @@
- name: Pre Audit | Capture audit data if json format
block:
- name: "Pre Audit | capture data {{ pre_audit_outfile }}"
command: "cat {{ pre_audit_outfile }}"
shell: "cat {{ pre_audit_outfile }}"
register: pre_audit
changed_when: false
@ -107,7 +107,7 @@
- name: Pre Audit | Capture audit data if documentation format
block:
- name: "Pre Audit | capture data {{ pre_audit_outfile }}"
command: "tail -2 {{ pre_audit_outfile }}"
shell: "tail -2 {{ pre_audit_outfile }}"
register: pre_audit
changed_when: false

28
tasks/prelim.yml
View file

@ -2,7 +2,7 @@
# Preliminary tasks that should always be run
# List users in order to look files inside each home directory
- name: "PRELIM | List users accounts"
command: "awk -F: '{print $1}' /etc/passwd"
shell: "awk -F: '{print $1}' /etc/passwd"
args:
warn: no
changed_when: no
@ -48,7 +48,11 @@
package:
name: audit
state: present
when: rhel9cis_level_2
become: true
when:
- rhel9cis_level_2 or
rhel9cis_rule_4_1_1_1
- '"auditd" not in ansible_facts.packages'
- name: "PRELIM | 4.1.12 | Ensure successful file system mounts are collected"
shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done
@ -63,16 +67,23 @@
package:
name: cronie
state: present
become: true
when:
- rhel9cis_rule_5_1_1
- '"cronie" not in ansible_facts.packages'
- name: "PRELIM | Install authconfig"
package:
name: authconfig
state: present
become: true
when:
- rhel9cis_use_authconfig
- rhel9cis_rule_5_3_1 or
rhel9cis_rule_5_3_2 or
rhel9cis_rule_5_3_3
rhel9cis_rule_5_3_3 or
'"authconfig" not in ansible_facts.packages' or
'"auditd-lib" not in ansible_facts.packages'
- name: "PRELIM | Set facts based on boot type"
block:
@ -92,26 +103,17 @@
grub2_path: /etc/grub2-efi.cfg
when: rhel_09_efi_boot.stat.exists
# - name: debug legacy boot var
# debug:
# msg: |
# legacy_boot={{ rhel9cis_legacy_boot }}
# grub2_path={{ grub2_path }}
- name: "PRELIM | AUDIT | Ensure permissions on bootloader config are configured | Get grub config file stats"
stat:
path: "{{ grub2_path }}"
changed_when: false
register: grub_cfg
# - name: debug grub stat
# debug:
# var: grub_cfg.stat
- name: "PRELIM | Check for rhnsd service"
shell: "systemctl show rhnsd | grep LoadState | cut -d = -f 2"
changed_when: false
check_mode: false
become: true
register: rhnsd_service_status
when:
- rhel9cis_rule_1_2_2

4
tasks/section_1/cis_1.2.x.yml
View file

@ -37,7 +37,7 @@
- rule_1.2.2
- name: "1.2.3 | L1 | AUDIT | Ensure GPG keys are configured"
command: gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution|lower }}-release
shell: gpg --quiet --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-{{ ansible_distribution|lower }}-release
when:
- rhel9cis_rule_1_2_3
- ansible_distribution == "RedHat"
@ -76,7 +76,7 @@
- name: "1.2.5 | L1 | Ensure package manager repositories are configured"
block:
- name: "1.2.5 | L1 | AUDIT | Ensure package manager repositories are configured | Get repo list"
command: dnf repolist
shell: dnf repolist
changed_when: false
failed_when: false
register: dnf_configured

2
tasks/section_1/cis_1.4.x.yml
View file

@ -8,7 +8,7 @@
state: present
- name: "1.4.1 | L1 | PATCH | Ensure AIDE is installed | Configure AIDE"
command: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz'
shell: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz'
changed_when: false
failed_when: false
async: 45

2
tasks/section_3/cis_3.4.2.x.yml
View file

@ -45,7 +45,7 @@
- rule_3_4_2_3
- name: "3.4.2.4 | L1 | PATCH | Ensure default zone is set"
command: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}"
shell: firewall-cmd --set-default-zone="{{ rhel9cis_default_zone }}"
when:
- rhel9cis_firewall == "firewalld"
- rhel9cis_rule_3_4_2_4

34
tasks/section_3/cis_3.4.3.x.yml
View file

@ -1,7 +1,7 @@
---
- name: "3.4.3.1 | L1 | PATCH | Ensure iptables are flushed with nftables"
command: ip6tables -F
shell: ip6tables -F
when:
- rhel9cis_rule_3_4_3_1
- rhel9cis_firewall != "iptables"
@ -15,7 +15,7 @@
- name: "3.4.3.2 | L1 | AUDIT | Ensure an nftables table exists"
block:
- name: "3.4.3.2 | L1 | AUDIT | Ensure a table exists | Check for tables"
command: nft list tables
shell: nft list tables
changed_when: false
failed_when: false
register: rhel9cis_3_4_3_2_nft_tables
@ -31,13 +31,13 @@
debug:
msg:
- "Warning! You currently have no nft tables, please review your setup"
- 'Use the command "nft create table inet <table name>" to create a new table'
- 'Use the shell "nft create table inet <table name>" to create a new table'
when:
- rhel9cis_3_4_3_2_nft_tables.stdout | length == 0
- not rhel9cis_nft_tables_autonewtable
- name: "3.4.3.2 | L1 | PATCH | Ensure a table exists | Create table if needed"
command: nft create table inet "{{ rhel9cis_nft_tables_tablename }}"
shell: nft create table inet "{{ rhel9cis_nft_tables_tablename }}"
failed_when: no
when: rhel9cis_nft_tables_autonewtable
when:
@ -120,15 +120,15 @@
register: rhel9cis_3_4_3_4_ip6saddr
- name: "3.4.3.4 | L1 | PATCH | Ensure nftables loopback traffic is configured | Set iif lo accept rule"
command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept
shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input iif lo accept
when: '"iif \"lo\" accept" not in rhel9cis_3_4_3_4_iiflo.stdout'
- name: "3.4.3.4 | L1 | PATCH | Ensure nftables loopback traffic is configured | Set ip sddr rule"
command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop
shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop
when: '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_3_4_ipsaddr.stdout'
- name: "3.4.3.4 | L1 | PATCH | Ensure nftables loopback traffic is configured | Set ip6 saddr rule"
command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop
shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop
when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in rhel9cis_3_4_3_4_ip6saddr.stdout'
when:
- rhel9cis_firewall == "nftables"
@ -154,27 +154,27 @@
register: rhel9cis_3_4_3_5_outconnectionrule
- name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add input tcp established accept policy"
command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept
shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept
when: '"ip protocol tcp ct state established accept" not in rhel9cis_3_4_3_5_inconnectionrule.stdout'
- name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add input udp established accept policy"
command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol udp ct state established accept
shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol udp ct state established accept
when: '"ip protocol udp ct state established accept" not in rhel9cis_3_4_3_5_inconnectionrule.stdout'
- name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add input icmp established accept policy"
command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol icmp ct state established accept
shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input ip protocol icmp ct state established accept
when: '"ip protocol icmp ct state established accept" not in rhel9cis_3_4_3_5_inconnectionrule.stdout'
- name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add output tcp new, related, established accept policy"
command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept
shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept
when: '"ip protocol tcp ct state established,related,new accept" not in rhel9cis_3_4_3_5_outconnectionrule.stdout'
- name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add output udp new, related, established accept policy"
command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept
shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept
when: '"ip protocol udp ct state established,related,new accept" not in rhel9cis_3_4_3_5_outconnectionrule.stdout'
- name: "3.4.3.5 | L1 | PATCH | Ensure nftables outbound and established connections are configured | Add output icmp new, related, established accept policy"
command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept
shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept
when: '"ip protocol icmp ct state established,related,new accept" not in rhel9cis_3_4_3_5_outconnectionrule.stdout'
when:
- rhel9cis_firewall == "nftables"
@ -212,19 +212,19 @@
register: rhel9cis_3_4_3_6_sshallowcheck
- name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy | Enable SSH traffic"
command: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input tcp dport ssh accept
shell: nft add rule inet "{{ rhel9cis_nft_tables_tablename }}" input tcp dport ssh accept
when: '"tcp dport ssh accept" not in rhel9cis_3_4_3_6_sshallowcheck.stdout'
- name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy | Set hook input deny policy"
command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" input { policy drop \; }
shell: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" input { policy drop \; }
when: '"type filter hook input priority 0; policy drop;" not in rhel9cis_3_4_3_6_inputpolicy.stdout'
- name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy | Create hook forward deny policy"
command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { policy drop \; }
shell: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" forward { policy drop \; }
when: '"type filter hook forward priority 0; policy drop;" not in rhel9cis_3_4_3_6_forwardpolicy.stdout'
- name: "3.4.3.6 | L1 | PATCH | Ensure nftables default deny firewall policy | Create hook output deny policy"
command: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; }
shell: nft chain inet "{{ rhel9cis_nft_tables_tablename }}" output { policy drop \; }
when: '"type filter hook output priority 0; policy drop;" not in rhel9cis_3_4_3_6_outputpolicy.stdout'
when:
- rhel9cis_firewall == "nftables"

12
tasks/section_3/cis_3.5.yml
View file

@ -3,23 +3,21 @@
- name: "3.5 | L1 | PATCH | Ensure wireless interfaces are disabled"
block:
- name: "3.5 | L1 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available"
command: rpm -q NetworkManager
changed_when: false
failed_when: false
shell: rpm -q NetworkManager
# changed_when: false
# failed_when: false
check_mode: no
args:
warn: no
register: rhel_09_nmcli_available
- name: "3.5 | L1 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled"
command: nmcli radio wifi
shell: nmcli radio wifi
register: rhel_09_wifi_enabled
changed_when: rhel_09_wifi_enabled.stdout != "disabled"
failed_when: false
when: rhel_09_nmcli_available.rc == 0
- name: "3.5 | L1 | PATCH | Ensure wireless interfaces are disabled | Disable wifi if enabled"
command: nmcli radio all off
shell: nmcli radio all off
changed_when: false
failed_when: false
when: rhel_09_wifi_enabled is changed

2
tasks/section_4/cis_4.2.1.x.yml
View file

@ -43,7 +43,7 @@
- name: "4.2.1.4 | L1 | PATCH | Ensure logging is configured"
block:
- name: "4.2.1.4 | L1 | AUDIT | Ensure logging is configured | rsyslog current config message out"
command: cat /etc/rsyslog.conf
shell: cat /etc/rsyslog.conf
become: yes
changed_when: false
failed_when: no

2
tasks/section_4/cis_4.2.3.yml
View file

@ -1,7 +1,7 @@
---
- name: "4.2.3 | L1 | PATCH | Ensure permissions on all logfiles are configured"
command: find /var/log -type f -exec chmod g-wx,o-rwx "{}" +
shell: find /var/log -type f -exec chmod g-wx,o-rwx "{}" +
changed_when: false
failed_when: false
when:

6
tasks/section_5/cis_5.5.1.x.yml
View file

@ -52,7 +52,7 @@
register: rhel9cis_5_5_1_4_inactive_settings
- name: "5.5.1.4 | L1 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting"
command: useradd -D -f {{ rhel9cis_inactivelock.lock_days }}
shell: useradd -D -f {{ rhel9cis_inactivelock.lock_days }}
when: rhel9cis_5_5_1_4_inactive_settings.stdout | length == 0
- name: "5.5.1.4 | L1 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list"
@ -62,7 +62,7 @@
changed_when: false
- name: "5.5.1.4 | L1 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
with_items:
- "{{ rhel_09_5_5_1_4_audit.stdout_lines }}"
when:
@ -102,7 +102,7 @@
- not rhel9cis_futurepwchgdate_autofix
- name: "5.5.1.5 | L1 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future"
command: passwd --expire {{ item }}
shell: passwd --expire {{ item }}
when:
- rhel9cis_5_5_1_5_user_list | length > 0
- rhel9cis_futurepwchgdate_autofix

2
tasks/section_5/cis_5.5.x.yml
View file

@ -63,7 +63,7 @@
- rule_5.5.3
- name: "5.5.4 | L1 | PATCH | Ensure default group for the root account is GID 0"
command: usermod -g 0 root
shell: usermod -g 0 root
changed_when: false
failed_when: false
when:

2
tasks/section_5/cis_5.6.yml
View file

@ -9,7 +9,7 @@
register: rhel9cis_securetty_check
- name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console | Capture consoles"
command: cat /etc/securetty
shell: cat /etc/securetty
changed_when: false
register: rhel_09_5_6_audit
when: rhel9cis_securetty_check.stat.exists

4
tasks/section_6/cis_6.1.x.yml
View file

@ -182,7 +182,7 @@
- name: "6.1.11 | L1 | AUDIT | Ensure no unowned files or directories exist"
block:
- name: "6.1.11 | L1 | AUDIT | Ensure no unowned files or directories exist | Finding all unowned files or directories"
command: find "{{ item.mount }}" -xdev -nouser
shell: find "{{ item.mount }}" -xdev -nouser
check_mode: false
failed_when: false
changed_when: false
@ -208,7 +208,7 @@
- name: "6.1.12 | L1 | AUDIT | Ensure no ungrouped files or directories exist"
block:
- name: "6.1.12 | L1 | AUDIT | Ensure no ungrouped files or directories exist | Finding all ungrouped files or directories"
command: find "{{ item.mount }}" -xdev -nogroup
shell: find "{{ item.mount }}" -xdev -nogroup
check_mode: false
failed_when: false
changed_when: false

16
tasks/section_6/cis_6.2.x.yml
View file

@ -1,7 +1,7 @@
---
- name: "6.2.1 | L1 | AUDIT | Ensure password fields are not empty"
command: passwd -l {{ item }}
shell: passwd -l {{ item }}
changed_when: false
failed_when: false
with_items: "{{ empty_password_accounts.stdout_lines }}"
@ -15,7 +15,7 @@
- rule_6.2.1
- name: "6.2.2 | L1 | PATCH | Ensure no legacy '+' entries exist in /etc/passwd"
command: sed -i '/^+/ d' /etc/passwd
shell: sed -i '/^+/ d' /etc/passwd
changed_when: false
failed_when: false
when:
@ -74,7 +74,7 @@
- rule_6.2.3
- name: "6.2.4 | L1 | PATCH | Ensure no legacy '+' entries exist in /etc/shadow"
command: sed -i '/^+/ d' /etc/shadow
shell: sed -i '/^+/ d' /etc/shadow
changed_when: false
failed_when: false
when:
@ -87,7 +87,7 @@
- skip_ansible_lint
- name: "6.2.5 | L1 | PATCH | Ensure no legacy '+' entries exist in /etc/group"
command: sed -i '/^+/ d' /etc/group
shell: sed -i '/^+/ d' /etc/group
changed_when: false
failed_when: false
when:
@ -100,7 +100,7 @@
- skip_ansible_lint
- name: "6.2.6 | L1 | PATCH | Ensure root is the only UID 0 account"
command: passwd -l {{ item }}
shell: passwd -l {{ item }}
changed_when: false
failed_when: false
with_items: "{{ uid_zero_accounts_except_root.stdout_lines }}"
@ -122,7 +122,7 @@
register: rhel_09_6_2_7_audit
- name: "6.2.7 | L1 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive"
command: find -H {{ item.0 | quote }} -not -type l -perm /027
shell: find -H {{ item.0 | quote }} -not -type l -perm /027
check_mode: false
changed_when: rhel_09_6_2_7_patch_audit.stdout | length > 0
register: rhel_09_6_2_7_patch_audit
@ -251,7 +251,7 @@
- rule_6.2.11
- name: "6.2.12 | L1 | PATCH | Ensure users' .netrc Files are not group or world accessible"
command: /bin/true
shell: /bin/true
changed_when: false
failed_when: false
when:
@ -464,7 +464,7 @@
with_items: "{{ rhel9cis_passwd | selectattr('uid', '>=', rhel9cis_int_gid) | selectattr('uid', '!=', 65534) | map(attribute='dir') | list }}"
- name: "6.2.20 | L1 | AUDIT | Ensure all users' home directories exist"
command: find -H {{ item.0 | quote }} -not -type l -perm /027
shell: find -H {{ item.0 | quote }} -not -type l -perm /027
check_mode: false
changed_when: rhel_09_6_2_20_patch_audit.stdout | length > 0
register: rhel_09_6_2_20_patch_audit