sr2/RHEL9-CIS
4
0
Fork 0
forked from ansible-lockdown/RHEL9-CIS
Code Activity

replaced command with shell

Browse source 
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
This commit is contained in:
Mark Bolwell 2022-01-13 11:27:26 +00:00
parent ac42f8a28f
commit 3b19db6812
No known key found for this signature in database
GPG key ID: F734FDFC154B83FB
19 changed files with 75 additions and 75 deletions
Download patch file Download diff file Expand all files Collapse all files

6
tasks/section_5/cis_5.5.1.x.yml
View file

@ -52,7 +52,7 @@
register: rhel9cis_5_5_1_4_inactive_settings
- name: "5.5.1.4 | L1 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting"
command: useradd -D -f {{ rhel9cis_inactivelock.lock_days }}
shell: useradd -D -f {{ rhel9cis_inactivelock.lock_days }}
when: rhel9cis_5_5_1_4_inactive_settings.stdout | length == 0
- name: "5.5.1.4 | L1 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list"
@ -62,7 +62,7 @@
changed_when: false
- name: "5.5.1.4 | L1 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
with_items:
- "{{ rhel_09_5_5_1_4_audit.stdout_lines }}"
when:
@ -102,7 +102,7 @@
- not rhel9cis_futurepwchgdate_autofix
- name: "5.5.1.5 | L1 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future"
command: passwd --expire {{ item }}
shell: passwd --expire {{ item }}
when:
- rhel9cis_5_5_1_5_user_list | length > 0
- rhel9cis_futurepwchgdate_autofix

2
tasks/section_5/cis_5.5.x.yml
View file

@ -63,7 +63,7 @@
- rule_5.5.3
- name: "5.5.4 | L1 | PATCH | Ensure default group for the root account is GID 0"
command: usermod -g 0 root
shell: usermod -g 0 root
changed_when: false
failed_when: false
when:

2
tasks/section_5/cis_5.6.yml
View file

@ -9,7 +9,7 @@
register: rhel9cis_securetty_check
- name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console | Capture consoles"
command: cat /etc/securetty
shell: cat /etc/securetty
changed_when: false
register: rhel_09_5_6_audit
when: rhel9cis_securetty_check.stat.exists