linting updates

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

.ansible-lint

@@ -3,20 +3,20 @@
 parseable: true
 quiet: true
 skip_list:
-    - 'schema'
+  - 'schema'
-    - 'no-changed-when'
+  - 'no-changed-when'
-    - 'var-spacing'
+  - 'var-spacing'
-    - 'experimental'
+  - 'experimental'
-    - 'name[play]'
+  - 'name[play]'
-    - 'name[casing]'
+  - 'name[casing]'
-    - 'name[template]'
+  - 'name[template]'
-    - 'key-order[task]'
+  - 'key-order[task]'
-    - '204'
+  - '204'
-    - '305'
+  - '305'
-    - '303'
+  - '303'
-    - '403'
+  - '403'
-    - '306'
+  - '306'
-    - '602'
+  - '602'
-    - '208'
+  - '208'
 use_default_rules: true
 verbosity: 0

.config/.gitleaks-report.json

@@ -1,322 +0,0 @@
-[
- {
-  "Description": "Generic API Key",
-  "StartLine": 119,
-  "EndLine": 119,
-  "StartColumn": 18,
-  "EndColumn": 68,
-  "Match": "secret\": \"5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8\"",
-  "Secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
-  "File": ".secrets.baseline",
-  "SymlinkFile": "",
-  "Commit": "495f942b7d26ee82690dc16eb4f231c587a57687",
-  "Entropy": 3.853056,
-  "Author": "Mark Bolwell",
-  "Email": "mark.bollyuk@gmail.com",
-  "Date": "2023-07-26T15:51:17Z",
-  "Message": "added pre-commit files\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e",
-  "Tags": [],
-  "RuleID": "generic-api-key",
-  "Fingerprint": "495f942b7d26ee82690dc16eb4f231c587a57687:.secrets.baseline:generic-api-key:119"
- },
- {
-  "Description": "Generic API Key",
-  "StartLine": 127,
-  "EndLine": 127,
-  "StartColumn": 18,
-  "EndColumn": 68,
-  "Match": "secret\": \"fe96f7cfa2ab2224e7d015067a6f6cc713f7012e\"",
-  "Secret": "fe96f7cfa2ab2224e7d015067a6f6cc713f7012e",
-  "File": ".secrets.baseline",
-  "SymlinkFile": "",
-  "Commit": "495f942b7d26ee82690dc16eb4f231c587a57687",
-  "Entropy": 3.6568441,
-  "Author": "Mark Bolwell",
-  "Email": "mark.bollyuk@gmail.com",
-  "Date": "2023-07-26T15:51:17Z",
-  "Message": "added pre-commit files\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e",
-  "Tags": [],
-  "RuleID": "generic-api-key",
-  "Fingerprint": "495f942b7d26ee82690dc16eb4f231c587a57687:.secrets.baseline:generic-api-key:127"
- },
- {
-  "Description": "Generic API Key",
-  "StartLine": 135,
-  "EndLine": 135,
-  "StartColumn": 18,
-  "EndColumn": 68,
-  "Match": "secret\": \"a415ab5cc17c8c093c015ccdb7e552aee7911aa4\"",
-  "Secret": "a415ab5cc17c8c093c015ccdb7e552aee7911aa4",
-  "File": ".secrets.baseline",
-  "SymlinkFile": "",
-  "Commit": "495f942b7d26ee82690dc16eb4f231c587a57687",
-  "Entropy": 3.5221736,
-  "Author": "Mark Bolwell",
-  "Email": "mark.bollyuk@gmail.com",
-  "Date": "2023-07-26T15:51:17Z",
-  "Message": "added pre-commit files\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e",
-  "Tags": [],
-  "RuleID": "generic-api-key",
-  "Fingerprint": "495f942b7d26ee82690dc16eb4f231c587a57687:.secrets.baseline:generic-api-key:135"
- },
- {
-  "Description": "Generic API Key",
-  "StartLine": 145,
-  "EndLine": 145,
-  "StartColumn": 18,
-  "EndColumn": 68,
-  "Match": "secret\": \"2478fefdceefe2847c3aa36dc731aaad5b3cc2fb\"",
-  "Secret": "2478fefdceefe2847c3aa36dc731aaad5b3cc2fb",
-  "File": ".secrets.baseline",
-  "SymlinkFile": "",
-  "Commit": "495f942b7d26ee82690dc16eb4f231c587a57687",
-  "Entropy": 3.6348295,
-  "Author": "Mark Bolwell",
-  "Email": "mark.bollyuk@gmail.com",
-  "Date": "2023-07-26T15:51:17Z",
-  "Message": "added pre-commit files\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e",
-  "Tags": [],
-  "RuleID": "generic-api-key",
-  "Fingerprint": "495f942b7d26ee82690dc16eb4f231c587a57687:.secrets.baseline:generic-api-key:145"
- },
- {
-  "Description": "Generic API Key",
-  "StartLine": 153,
-  "EndLine": 153,
-  "StartColumn": 18,
-  "EndColumn": 68,
-  "Match": "secret\": \"64411efd0f0561fe4852c6e414071345c9c6432a\"",
-  "Secret": "64411efd0f0561fe4852c6e414071345c9c6432a",
-  "File": ".secrets.baseline",
-  "SymlinkFile": "",
-  "Commit": "495f942b7d26ee82690dc16eb4f231c587a57687",
-  "Entropy": 3.646039,
-  "Author": "Mark Bolwell",
-  "Email": "mark.bollyuk@gmail.com",
-  "Date": "2023-07-26T15:51:17Z",
-  "Message": "added pre-commit files\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e",
-  "Tags": [],
-  "RuleID": "generic-api-key",
-  "Fingerprint": "495f942b7d26ee82690dc16eb4f231c587a57687:.secrets.baseline:generic-api-key:153"
- },
- {
-  "Description": "Generic API Key",
-  "StartLine": 163,
-  "EndLine": 163,
-  "StartColumn": 18,
-  "EndColumn": 68,
-  "Match": "secret\": \"2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360\"",
-  "Secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360",
-  "File": ".secrets.baseline",
-  "SymlinkFile": "",
-  "Commit": "495f942b7d26ee82690dc16eb4f231c587a57687",
-  "Entropy": 3.8439426,
-  "Author": "Mark Bolwell",
-  "Email": "mark.bollyuk@gmail.com",
-  "Date": "2023-07-26T15:51:17Z",
-  "Message": "added pre-commit files\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e",
-  "Tags": [],
-  "RuleID": "generic-api-key",
-  "Fingerprint": "495f942b7d26ee82690dc16eb4f231c587a57687:.secrets.baseline:generic-api-key:163"
- },
- {
-  "Description": "Generic API Key",
-  "StartLine": 119,
-  "EndLine": 119,
-  "StartColumn": 18,
-  "EndColumn": 68,
-  "Match": "secret\": \"5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8\"",
-  "Secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
-  "File": ".secrets.baseline",
-  "SymlinkFile": "",
-  "Commit": "7452e78f487c0b2cacfb81ccf582936a6ab09389",
-  "Entropy": 3.853056,
-  "Author": "Mark Bolwell",
-  "Email": "mark.bollyuk@gmail.com",
-  "Date": "2023-07-04T16:08:02Z",
-  "Message": "signature new precommits\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e",
-  "Tags": [],
-  "RuleID": "generic-api-key",
-  "Fingerprint": "7452e78f487c0b2cacfb81ccf582936a6ab09389:.secrets.baseline:generic-api-key:119"
- },
- {
-  "Description": "Generic API Key",
-  "StartLine": 127,
-  "EndLine": 127,
-  "StartColumn": 18,
-  "EndColumn": 68,
-  "Match": "secret\": \"fe96f7cfa2ab2224e7d015067a6f6cc713f7012e\"",
-  "Secret": "fe96f7cfa2ab2224e7d015067a6f6cc713f7012e",
-  "File": ".secrets.baseline",
-  "SymlinkFile": "",
-  "Commit": "7452e78f487c0b2cacfb81ccf582936a6ab09389",
-  "Entropy": 3.6568441,
-  "Author": "Mark Bolwell",
-  "Email": "mark.bollyuk@gmail.com",
-  "Date": "2023-07-04T16:08:02Z",
-  "Message": "signature new precommits\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e",
-  "Tags": [],
-  "RuleID": "generic-api-key",
-  "Fingerprint": "7452e78f487c0b2cacfb81ccf582936a6ab09389:.secrets.baseline:generic-api-key:127"
- },
- {
-  "Description": "Generic API Key",
-  "StartLine": 135,
-  "EndLine": 135,
-  "StartColumn": 18,
-  "EndColumn": 68,
-  "Match": "secret\": \"a415ab5cc17c8c093c015ccdb7e552aee7911aa4\"",
-  "Secret": "a415ab5cc17c8c093c015ccdb7e552aee7911aa4",
-  "File": ".secrets.baseline",
-  "SymlinkFile": "",
-  "Commit": "7452e78f487c0b2cacfb81ccf582936a6ab09389",
-  "Entropy": 3.5221736,
-  "Author": "Mark Bolwell",
-  "Email": "mark.bollyuk@gmail.com",
-  "Date": "2023-07-04T16:08:02Z",
-  "Message": "signature new precommits\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e",
-  "Tags": [],
-  "RuleID": "generic-api-key",
-  "Fingerprint": "7452e78f487c0b2cacfb81ccf582936a6ab09389:.secrets.baseline:generic-api-key:135"
- },
- {
-  "Description": "Generic API Key",
-  "StartLine": 145,
-  "EndLine": 145,
-  "StartColumn": 18,
-  "EndColumn": 68,
-  "Match": "secret\": \"2478fefdceefe2847c3aa36dc731aaad5b3cc2fb\"",
-  "Secret": "2478fefdceefe2847c3aa36dc731aaad5b3cc2fb",
-  "File": ".secrets.baseline",
-  "SymlinkFile": "",
-  "Commit": "7452e78f487c0b2cacfb81ccf582936a6ab09389",
-  "Entropy": 3.6348295,
-  "Author": "Mark Bolwell",
-  "Email": "mark.bollyuk@gmail.com",
-  "Date": "2023-07-04T16:08:02Z",
-  "Message": "signature new precommits\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e",
-  "Tags": [],
-  "RuleID": "generic-api-key",
-  "Fingerprint": "7452e78f487c0b2cacfb81ccf582936a6ab09389:.secrets.baseline:generic-api-key:145"
- },
- {
-  "Description": "Generic API Key",
-  "StartLine": 153,
-  "EndLine": 153,
-  "StartColumn": 18,
-  "EndColumn": 68,
-  "Match": "secret\": \"64411efd0f0561fe4852c6e414071345c9c6432a\"",
-  "Secret": "64411efd0f0561fe4852c6e414071345c9c6432a",
-  "File": ".secrets.baseline",
-  "SymlinkFile": "",
-  "Commit": "7452e78f487c0b2cacfb81ccf582936a6ab09389",
-  "Entropy": 3.646039,
-  "Author": "Mark Bolwell",
-  "Email": "mark.bollyuk@gmail.com",
-  "Date": "2023-07-04T16:08:02Z",
-  "Message": "signature new precommits\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e",
-  "Tags": [],
-  "RuleID": "generic-api-key",
-  "Fingerprint": "7452e78f487c0b2cacfb81ccf582936a6ab09389:.secrets.baseline:generic-api-key:153"
- },
- {
-  "Description": "Generic API Key",
-  "StartLine": 163,
-  "EndLine": 163,
-  "StartColumn": 18,
-  "EndColumn": 68,
-  "Match": "secret\": \"2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360\"",
-  "Secret": "2aaf9f2a51d8fe89e48cb9cc7d04a991ceb7f360",
-  "File": ".secrets.baseline",
-  "SymlinkFile": "",
-  "Commit": "7452e78f487c0b2cacfb81ccf582936a6ab09389",
-  "Entropy": 3.8439426,
-  "Author": "Mark Bolwell",
-  "Email": "mark.bollyuk@gmail.com",
-  "Date": "2023-07-04T16:08:02Z",
-  "Message": "signature new precommits\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e",
-  "Tags": [],
-  "RuleID": "generic-api-key",
-  "Fingerprint": "7452e78f487c0b2cacfb81ccf582936a6ab09389:.secrets.baseline:generic-api-key:163"
- },
- {
-  "Description": "Generic API Key",
-  "StartLine": 3,
-  "EndLine": 4,
-  "StartColumn": 9,
-  "EndColumn": 1,
-  "Match": "key_pubkey_name: gpg-pubkey-8d8b756f-629e59ec",
-  "Secret": "gpg-pubkey-8d8b756f-629e59ec",
-  "File": "vars/OracleLinux.yml",
-  "SymlinkFile": "",
-  "Commit": "e04da88df42da0108d489f359513c574fbe5c87a",
-  "Entropy": 3.96772,
-  "Author": "Mark Bolwell",
-  "Email": "mark.bollyuk@gmail.com",
-  "Date": "2023-03-06T11:22:08Z",
-  "Message": "Added OracleLinux support\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e",
-  "Tags": [],
-  "RuleID": "generic-api-key",
-  "Fingerprint": "e04da88df42da0108d489f359513c574fbe5c87a:vars/OracleLinux.yml:generic-api-key:3"
- },
- {
-  "Description": "Generic API Key",
-  "StartLine": 4,
-  "EndLine": 5,
-  "StartColumn": 8,
-  "EndColumn": 1,
-  "Match": "key_pubkey_name: gpg-pubkey-fd431d51-4ae0493b",
-  "Secret": "gpg-pubkey-fd431d51-4ae0493b",
-  "File": "vars/RedHat.yml",
-  "SymlinkFile": "",
-  "Commit": "28bbc2ff5f832d150452e9dc4cb6667b876ed09a",
-  "Entropy": 3.96772,
-  "Author": "Mark Bolwell",
-  "Email": "mark.bollyuk@gmail.com",
-  "Date": "2022-07-25T10:26:27Z",
-  "Message": "1.2.2 rpm gpg key check\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e",
-  "Tags": [],
-  "RuleID": "generic-api-key",
-  "Fingerprint": "28bbc2ff5f832d150452e9dc4cb6667b876ed09a:vars/RedHat.yml:generic-api-key:4"
- },
- {
-  "Description": "Generic API Key",
-  "StartLine": 4,
-  "EndLine": 5,
-  "StartColumn": 8,
-  "EndColumn": 1,
-  "Match": "key_pubkey_name: gpg-pubkey-b86b3716-61e69f29",
-  "Secret": "gpg-pubkey-b86b3716-61e69f29",
-  "File": "vars/AlmaLinux.yml",
-  "SymlinkFile": "",
-  "Commit": "28bbc2ff5f832d150452e9dc4cb6667b876ed09a",
-  "Entropy": 3.824863,
-  "Author": "Mark Bolwell",
-  "Email": "mark.bollyuk@gmail.com",
-  "Date": "2022-07-25T10:26:27Z",
-  "Message": "1.2.2 rpm gpg key check\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e",
-  "Tags": [],
-  "RuleID": "generic-api-key",
-  "Fingerprint": "28bbc2ff5f832d150452e9dc4cb6667b876ed09a:vars/AlmaLinux.yml:generic-api-key:4"
- },
- {
-  "Description": "Generic API Key",
-  "StartLine": 4,
-  "EndLine": 5,
-  "StartColumn": 8,
-  "EndColumn": 1,
-  "Match": "key_pubkey_name: gpg-pubkey-350d275d-6279464b",
-  "Secret": "gpg-pubkey-350d275d-6279464b",
-  "File": "vars/Rocky.yml",
-  "SymlinkFile": "",
-  "Commit": "28bbc2ff5f832d150452e9dc4cb6667b876ed09a",
-  "Entropy": 3.9946804,
-  "Author": "Mark Bolwell",
-  "Email": "mark.bollyuk@gmail.com",
-  "Date": "2022-07-25T10:26:27Z",
-  "Message": "1.2.2 rpm gpg key check\n\nSigned-off-by: Mark Bolwell \u003cmark.bollyuk@gmail.com\u003e",
-  "Tags": [],
-  "RuleID": "generic-api-key",
-  "Fingerprint": "28bbc2ff5f832d150452e9dc4cb6667b876ed09a:vars/Rocky.yml:generic-api-key:4"
- }
-]

.config/.secrets.baseline

@@ -1,119 +0,0 @@
-{
-  "version": "1.4.0",
-  "plugins_used": [
-    {
-      "name": "ArtifactoryDetector"
-    },
-    {
-      "name": "AWSKeyDetector"
-    },
-    {
-      "name": "AzureStorageKeyDetector"
-    },
-    {
-      "name": "Base64HighEntropyString",
-      "limit": 4.5
-    },
-    {
-      "name": "BasicAuthDetector"
-    },
-    {
-      "name": "CloudantDetector"
-    },
-    {
-      "name": "DiscordBotTokenDetector"
-    },
-    {
-      "name": "GitHubTokenDetector"
-    },
-    {
-      "name": "HexHighEntropyString",
-      "limit": 3.0
-    },
-    {
-      "name": "IbmCloudIamDetector"
-    },
-    {
-      "name": "IbmCosHmacDetector"
-    },
-    {
-      "name": "JwtTokenDetector"
-    },
-    {
-      "name": "KeywordDetector",
-      "keyword_exclude": ""
-    },
-    {
-      "name": "MailchimpDetector"
-    },
-    {
-      "name": "NpmDetector"
-    },
-    {
-      "name": "PrivateKeyDetector"
-    },
-    {
-      "name": "SendGridDetector"
-    },
-    {
-      "name": "SlackDetector"
-    },
-    {
-      "name": "SoftlayerDetector"
-    },
-    {
-      "name": "SquareOAuthDetector"
-    },
-    {
-      "name": "StripeDetector"
-    },
-    {
-      "name": "TwilioKeyDetector"
-    }
-  ],
-  "filters_used": [
-    {
-      "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
-    },
-    {
-      "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
-      "min_level": 2
-    },
-    {
-      "path": "detect_secrets.filters.heuristic.is_indirect_reference"
-    },
-    {
-      "path": "detect_secrets.filters.heuristic.is_likely_id_string"
-    },
-    {
-      "path": "detect_secrets.filters.heuristic.is_lock_file"
-    },
-    {
-      "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
-    },
-    {
-      "path": "detect_secrets.filters.heuristic.is_potential_uuid"
-    },
-    {
-      "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign"
-    },
-    {
-      "path": "detect_secrets.filters.heuristic.is_sequential_string"
-    },
-    {
-      "path": "detect_secrets.filters.heuristic.is_swagger_file"
-    },
-    {
-      "path": "detect_secrets.filters.heuristic.is_templated_secret"
-    },
-    {
-      "path": "detect_secrets.filters.regex.should_exclude_file",
-      "pattern": [
-        ".config/.gitleaks-report.json",
-        "tasks/parse_etc_password.yml"
-      ]
-    }
-  ],
-  "results": {},
-  "generated_at": "2023-09-21T14:11:05Z"
-}

.config/requirements.txt

@@ -1,5 +0,0 @@
-passlib
-lxml
-xmltodict
-jmespath
-yamllint

.yamllint

@@ -9,25 +9,25 @@ ignore: |
     *molecule.yml
 
 rules:
-    indentation:
+  indentation:
-        # Requiring 4 space indentation
+    # Requiring 4 space indentation
-        spaces: 2
+    spaces: 2
-        # Requiring consistent indentation within a file, either indented or not
+    # Requiring consistent indentation within a file, either indented or not
-        indent-sequences: consistent
+    indent-sequences: consistent
-    braces:
+  braces:
-        max-spaces-inside: 1
+    max-spaces-inside: 1
-        level: error
+    level: error
-    brackets:
+  brackets:
-        max-spaces-inside: 1
+    max-spaces-inside: 1
-        level: error
+    level: error
-    empty-lines:
+  empty-lines:
-        max: 1
+    max: 1
-    line-length: disable
+  line-length: disable
-    key-duplicates: enable
+  key-duplicates: enable
-    new-line-at-end-of-file: enable
+  new-line-at-end-of-file: enable
-    new-lines:
+  new-lines:
-        type: unix
+    type: unix
-    trailing-spaces: enable
+  trailing-spaces: enable
-    truthy:
+  truthy:
-        allowed-values: ['true', 'false']
+    allowed-values: ['true', 'false']
-        check-keys: true
+    check-keys: true

collections/requirements.yml

@@ -1,14 +1,14 @@
 ---
 
 collections:
-    - name: community.general
+  - name: community.general
-      source: https://github.com/ansible-collections/community.general
+    source: https://github.com/ansible-collections/community.general
-      type: git
+    type: git
 
-    - name: community.crypto
+  - name: community.crypto
-      source: https://github.com/ansible-collections/community.crypto
+    source: https://github.com/ansible-collections/community.crypto
-      type: git
+    type: git
 
-    - name: ansible.posix
+  - name: ansible.posix
-      source: https://github.com/ansible-collections/ansible.posix
+    source: https://github.com/ansible-collections/ansible.posix
-      type: git
+    type: git

defaults/main.yml

@@ -858,10 +858,9 @@ rhel9cis_allow_authselect_updates: true
 ##
 rhel9cis_authselect_pkg_update: false  # NOTE the risks if system is using SSSD or using ipa-client-install
 
-
 ## PAM AND Authselect
 
-# To create a new profile (best for greenfield fresh sites not configured)
+# To create a new profile (best for greenfield fresh sites not configured)
 # This allows creation of a custom profile using an existing one to build from
 # will only create if profiel does not already exist
 ## options true or false
@@ -914,9 +913,9 @@ rhel9cis_passwd_complex_file: etc/security/pwquality.conf.d/50-pwcomplexity.conf
 # Choose if using minclass or credits options
 # Options are: minclass or credits
 # ensure only one is selected
-rhel9cis_passwd_complex_option: minclass
+rhel9cis_passwd_complex_option: minclass  # pragma: allowlist secret
 rhel9cis_passwd_minclass: 3
-#rhel9cis_passwd_complex: credits
+# rhel9cis_passwd_complex: credits
 rhel9cis_passwd_dcredit: -1
 rhel9cis_passwd_ucredit: -2
 rhel9cis_passwd_ocredit: 0
@@ -950,18 +949,17 @@ rhel9cis_pamd_pwhistory_remember: 24
 # 5.3.3.4.x
 rhel9cis_passwd_hash_algo: sha512  # pragma: allowlist secret
 
-## Section 5.4.1.x: Shadow Password Suite Parameters
+## Control 5.6.1.1 - Ensure password expiration is 365 days or less
-  ## Control 5.6.1.1 - Ensure password expiration is 365 days or less
+# This variable governs after how many days a password expires.
-  # This variable governs after how many days a password expires.
+# CIS requires a value of 365 or less.
-  # CIS requires a value of 365 or less.
 rhel9cis_pass_max_days: 365
-  ## Control 5.6.1.2 - Ensure minimum days between password changes is 7 or more
+## Control 5.6.1.2 - Ensure minimum days between password changes is 7 or more
-  # This variable specifies the minimum number of days allowed between changing
+# This variable specifies the minimum number of days allowed between changing
-  # passwords. CIS requires a value of at least 1.
+# passwords. CIS requires a value of at least 1.
 rhel9cis_pass_min_days: 7
-  ## Control 5.6.1.3 - Ensure password expiration warning days is 7 or more
+## Control 5.6.1.3 - Ensure password expiration warning days is 7 or more
-  # This variable governs, how many days before a password expires, the user will be warned.
+# This variable governs, how many days before a password expires, the user will be warned.
-  # CIS requires a value of at least 7.
+# CIS requires a value of at least 7.
 rhel9cis_pass_warn_age: 7
 
 ## Control 5.4.1.x - Ensure inactive password lock is 30 days or less

tasks/main.yml

@@ -114,26 +114,26 @@
 
 - name: "PRELIM | AUDIT | Check authselect profile is selected"
   when:
-      - rhel9cis_allow_authselect_updates
+    - rhel9cis_allow_authselect_updates
   tags:
-      - always
+    - always
   block:
-      - name: "PRELIM | AUDIT | Check authselect profile name has been updated"
+    - name: "PRELIM | AUDIT | Check authselect profile name has been updated"
-        ansible.builtin.assert:
+      ansible.builtin.assert:
-          that: rhel9cis_authselect_custom_profile_name != 'cis_example_profile'
+        that: rhel9cis_authselect_custom_profile_name != 'cis_example_profile'
-          fail_msg: "You still have the default name for your authselect profile"
+        fail_msg: "You still have the default name for your authselect profile"
 
-      - name: "PRELIM | AUDIT | Check authselect profile is selected"
+    - name: "PRELIM | AUDIT | Check authselect profile is selected"
-        ansible.builtin.shell: authselect current | head -1 | awk '{print $NF}'
+      ansible.builtin.shell: authselect current | head -1 | awk '{print $NF}'
-        changed_when: false
+      changed_when: false
-        failed_when: prelim_authselect_current_profile.rc not in [ 0, 1 ]
+      failed_when: prelim_authselect_current_profile.rc not in [ 0, 1 ]
-        register: prelim_authselect_current_profile
+      register: prelim_authselect_current_profile
 
-      - name: "PRELIM | AUDIT | Check authselect profile is selected"
+    - name: "PRELIM | AUDIT | Check authselect profile is selected"
-        ansible.builtin.assert:
+      ansible.builtin.assert:
-          that: prelim_authselect_current_profile is defined
+        that: prelim_authselect_current_profile is defined
-          success_msg: "Authselect is running and profile is selected"
+        success_msg: "Authselect is running and profile is selected"
-          fail_msg: Authselect updates have been selected there are issues with profile selection"
+        fail_msg: Authselect updates have been selected there are issues with profile selection"
 
 - name: "Ensure root password is set"
   when:

tasks/parse_etc_password.yml

@@ -17,7 +17,7 @@
       vars:
         ld_passwd_regex: >-
           ^(?P<id>[^:]*):(?P<password>[^:]*):(?P<uid>[^:]*):(?P<gid>[^:]*):(?P<gecos>[^:]*):(?P<dir>[^:]*):(?P<shell>[^:]*)
-        ld_passwd_yaml: |
+        ld_passwd_yaml: |  # pragma: allowlist secret
           id: >-4
               \g<id>
           password: >-4

tasks/section_1/cis_1.6.x.yml

@@ -55,12 +55,12 @@
         owner: root
         group: root
         mode: '0640'
-      register: NO_SHA1_TEMPLATE
+      register: no_sha1_template
 
     - name: "1.6.3 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support | submodule to crypto policy modules"
       ansible.builtin.set_fact:
         rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SHA1' }}"
-      changed_when: NO_SHA1_TEMPLATE is defined
+      changed_when: no_sha1_template is defined
       notify:
         - Update Crypto Policy
         - Set Crypto Policy
@@ -79,8 +79,6 @@
     - NIST800-53R5_SC-6
   block:
 
-    - ansible.builtin.debug:
-        msg: "{{ rhel9cis_crypto_policy_module }}"
     - name: "1.6.4 | PATCH | Ensure system wide crypto policy disables macs less than 128 bits | Add submodule exclusion"
       ansible.builtin.template:
         src: etc/crypto-policies/policies/modules/NO-WEAKMAC.pmod.j2
@@ -88,12 +86,12 @@
         owner: root
         group: root
         mode: '0640'
-      register: NO_WEAKMAC_TEMPLATE
+      register: no_weakmac_template
 
     - name: "1.6.4 | PATCH | Ensure system wide crypto policy disables macs less than 128 bits | submodule to crypto policy modules"
       ansible.builtin.set_fact:
         rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-WEAKMAC' }}"
-      changed_when: NO_WEAKMAC_TEMPLATE is defined
+      changed_when: no_weakmac_template is defined
       notify:
         - Update Crypto Policy
         - Set Crypto Policy
@@ -111,8 +109,6 @@
     - rule_1.6.5
     - NIST800-53R5_SC-6
   block:
-    - ansible.builtin.debug:
-        msg: "{{ rhel9cis_crypto_policy_module }}"
     - name: "1.6.5 | PATCH | Ensure system wide crypto policy disables cbc for ssh | Add submodule exclusion"
       ansible.builtin.template:
         src: etc/crypto-policies/policies/modules/NO-SSHCBC.pmod.j2
@@ -120,12 +116,12 @@
         owner: root
         group: root
         mode: '0640'
-      register: NO_SSHCBC_TEMPLATE
+      register: no_sshcbc_template
 
     - name: "1.6.5 | PATCH | Ensure system wide crypto policy disables cbc for ssh | submodule to crypto policy modules"
       ansible.builtin.set_fact:
         rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHCBC' }}"
-      changed_when: NO_SSHCBC_TEMPLATE is defined
+      changed_when: no_sshcbc_template is defined
       notify:
         - Update Crypto Policy
         - Set Crypto Policy
@@ -143,8 +139,6 @@
     - rule_1.6.6
     - NIST800-53R5_SC-6
   block:
-    - ansible.builtin.debug:
-        msg: "{{ rhel9cis_crypto_policy_module }}"
     - name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | Add submodule exclusion"
       ansible.builtin.template:
         src: etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod.j2
@@ -152,12 +146,12 @@
         owner: root
         group: root
         mode: '0640'
-      register: NO_SSHWEAKCIPHERS_TEMPLATE
+      register: no_sshweakciphers_template
 
     - name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | submodule to crypto policy modules"
       ansible.builtin.set_fact:
         rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHWEAKCIPHERS' }}"
-      changed_when: NO_SSHWEAKCIPHERS_TEMPLATE is defined
+      changed_when: no_sshweakciphers_template is defined
       notify:
         - Update Crypto Policy
         - Set Crypto Policy
@@ -175,8 +169,6 @@
     - rule_1.6.7
     - NIST800-53R5_SC-6
   block:
-    - ansible.builtin.debug:
-        msg: "{{ rhel9cis_crypto_policy_module }}"
     - name: "1.6.7 | PATCH | Ensure system wide crypto policy disables EtM for ssh | Add submodule exclusion"
       ansible.builtin.template:
         src: etc/crypto-policies/policies/modules/NO-SSHETM.pmod.j2
@@ -184,12 +176,12 @@
         owner: root
         group: root
         mode: '0640'
-      register: NO_SSHETM_TEMPLATE
+      register: no_sshetm_template
 
     - name: "1.6.7 | PATCH | Ensure system wide crypto policy disables EtM for ssh | submodule to crypto policy modules"
       ansible.builtin.set_fact:
         rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHETM' }}"
-      changed_when: NO_SSHETM_TEMPLATE is defined
+      changed_when: no_sshetm_template is defined
       notify:
         - Update Crypto Policy
         - Set Crypto Policy

tasks/section_5/cis_5.3.2.x.yml

@@ -139,9 +139,6 @@
       failed_when: rhel9cis_authselect_pam_unix.rc not in [ 0, 1 ]
       register: rhel9cis_authselect_pam_unix
 
-    - debug:
-        msg: "{{ rhel9cis_authselect_pam_unix }}"
-
     - name: "5.3.2.5 | PATCH | Ensure pam_unix module is enabled | system-auth"
       when: "'system-auth:password' not in rhel9cis_authselect_pam_unix.stdout"
       ansible.builtin.lineinfile:

tasks/section_6/cis_6.2.3.x.yml

@@ -263,7 +263,7 @@
     - name: "6.2.3.8 | PATCH | Ensure logrotate is configured | set rsyslog conf"
       ansible.builtin.template:
         src: etc/logrotate.d/rsyslog.conf.j2
-        dest:  /etc/logrotate.d/rsyslog.conf
+        dest: /etc/logrotate.d/rsyslog.conf
         owner: root
         group: root
         mode: '0640'

vars/main.yml

@@ -29,7 +29,6 @@ gpg_key_package: "{{ ansible_facts.distribution | lower }}-gpg-keys"
 # NOTE: The current default value is likely to be overriden(via 'set_fact') by other further tasks(in sub-section 'Auditd rules').
 update_audit_template: false
 
-
 # Defaults
 ## Usage on containerized images
 # The role discovers dynamically (in tasks/main.yml) whether it