consistent lineinfile usage

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

tasks/section_1/cis_1.1.1.x.yml

@@ -4,7 +4,7 @@
   block:
       - name: "1.1.1.1 | PATCH | Ensure mounting of cramfs filesystems is disabled | Edit modprobe config"
         lineinfile:
-            dest: /etc/modprobe.d/CIS.conf
+            path: /etc/modprobe.d/CIS.conf
             regexp: "^(#)?install cramfs(\\s|$)"
             line: "install cramfs /bin/true"
             create: yes
@@ -29,7 +29,7 @@
   block:
       - name: "1.1.1.2 | PATCH | Ensure mounting of squashfs filesystems is disabled | Edit modprobe config"
         lineinfile:
-            dest: /etc/modprobe.d/CIS.conf
+            path: /etc/modprobe.d/CIS.conf
             regexp: "^(#)?install squashfs(\\s|$)"
             line: "install squashfs /bin/true"
             create: yes
@@ -54,7 +54,7 @@
   block:
       - name: "1.1.1.3 | PATCH | Ensure mounting of udf filesystems is disable | Edit modprobe config"
         lineinfile:
-            dest: /etc/modprobe.d/CIS.conf
+            path: /etc/modprobe.d/CIS.conf
             regexp: "^(#)?install udf(\\s|$)"
             line: "install udf /bin/true"
             create: yes

tasks/section_1/cis_1.1.x.yml

@@ -21,7 +21,7 @@
   block:
       - name: "1.1.10 | PATCH | Disable USB Storage | Edit modprobe config"
         lineinfile:
-            dest: /etc/modprobe.d/CIS.conf
+            path: /etc/modprobe.d/CIS.conf
             regexp: "^(#)?install usb-storage(\\s|$)"
             line: "install usb-storage /bin/true"
             create: yes

tasks/section_1/cis_1.8.x.yml

@@ -17,7 +17,7 @@
 
 - name: "1.8.2 | PATCH | Ensure GDM login banner is configured"
   lineinfile:
-      dest: "{{ item.file }}"
+      path: "{{ item.file }}"
       regexp: "{{ item.regexp }}"
       line: "{{ item.line }}"
       state: present

tasks/section_2/cis_2.1.x.yml

@@ -26,10 +26,9 @@
 
       - name: "2.1.2 | PATCH | Ensure chrony is configured | modify /etc/sysconfig/chronyd | 1"
         lineinfile:
-            dest: /etc/sysconfig/chronyd
+            path: /etc/sysconfig/chronyd
             regexp: "^(#)?OPTIONS"
             line: "OPTIONS=\"-u chrony\""
-            state: present
             create: yes
             mode: 0644
   when:

tasks/section_2/cis_2.2.x.yml

@@ -285,7 +285,7 @@
 
 - name: "2.2.17 | PATCH | Ensure mail transfer agent is configured for local-only mode"
   lineinfile:
-      dest: /etc/postfix/main.cf
+      path: /etc/postfix/main.cf
       regexp: "^(#)?inet_interfaces"
       line: "inet_interfaces = loopback-only"
   notify: restart postfix

tasks/section_3/cis_3.4.2.x.yml

@@ -332,7 +332,6 @@
 - name: "3.4.2.11 | PATCH | Ensure nftables rules are permanent"
   lineinfile:
       path: /etc/sysconfig/nftables.conf
-      state: present
       insertafter: EOF
       line: include "/etc/nftables/inet-{{ rhel9cis_nft_tables_tablename }}"
   when:

tasks/section_4/cis_4.1.2.x.yml

@@ -2,10 +2,9 @@
 
 - name: "4.1.2.1 | PATCH | Ensure audit log storage size is configured"
   lineinfile:
-      dest: /etc/audit/auditd.conf
+      path: /etc/audit/auditd.conf
       regexp: "^max_log_file( |=)"
       line: "max_log_file = {{ rhel9cis_max_log_file_size }}"
-      state: present
   notify: restart auditd
   when:
       - rhel9cis_rule_4_1_2_1
@@ -19,10 +18,9 @@
 
 - name: "4.1.2.2 | PATCH | Ensure audit logs are not automatically deleted"
   lineinfile:
-      dest: /etc/audit/auditd.conf
+      path: /etc/audit/auditd.conf
       regexp: "^max_log_file_action"
       line: "max_log_file_action = {{ rhel9cis_auditd['max_log_file_action'] }}"
-      state: present
   notify: restart auditd
   when:
       - rhel9cis_rule_4_1_2_2
@@ -36,10 +34,9 @@
 
 - name: "4.1.2.3 | PATCH | Ensure system is disabled when audit logs are full"
   lineinfile:
-      dest: /etc/audit/auditd.conf
+      path: /etc/audit/auditd.conf
       regexp: "{{ item.regexp }}"
       line: "{{ item.line }}"
-      state: present
   notify: restart auditd
   with_items:
       - { regexp: '^admin_space_left_action', line: 'admin_space_left_action = {{ rhel9cis_auditd.admin_space_left_action }}' }

tasks/section_4/cis_4.2.1.x.yml

@@ -32,10 +32,9 @@
 # This is counter to control 4.2.2.5??
 - name: "4.2.1.3 | PATCH | Ensure journald is configured to send logs to rsyslog"
   lineinfile:
-      dest: /etc/systemd/journald.conf
+      path: /etc/systemd/journald.conf
       regexp: "^#ForwardToSyslog=|^ForwardToSyslog="
       line: ForwardToSyslog=yes
-      state: present
   when:
       - rhel9cis_rule_4_2_1_3
       - rhel9cis_preferred_log_capture == "rsyslog"
@@ -48,7 +47,7 @@
 
 - name: "4.2.1.4 | PATCH | Ensure rsyslog default file permissions configured"
   lineinfile:
-      dest: /etc/rsyslog.conf
+      path: /etc/rsyslog.conf
       regexp: '^\$FileCreateMode'
       line: '$FileCreateMode 0640'
   notify: restart rsyslog

tasks/section_4/cis_4.2.2.x.yml

@@ -97,10 +97,9 @@
 
 - name: "4.2.2.3 | PATCH | Ensure journald is configured to compress large log files"
   lineinfile:
-      dest: /etc/systemd/journald.conf
+      path: /etc/systemd/journald.conf
       regexp: "^#Compress=|^Compress="
       line: Compress=yes
-      state: present
   when:
       - rhel9cis_rule_4_2_2_3
   tags:
@@ -113,10 +112,9 @@
 
 - name: "4.2.2.4 | PATCH | Ensure journald is configured to write logfiles to persistent disk"
   lineinfile:
-      dest: /etc/systemd/journald.conf
+      path: /etc/systemd/journald.conf
       regexp: "^#Storage=|^Storage="
       line: Storage=persistent
-      state: present
   when:
       - rhel9cis_rule_4_2_2_4
   tags:
@@ -130,10 +128,9 @@
 # This is counter to control 4.2.1.3??
 - name: "4.2.2.5 | PATCH | Ensure journald is not configured to send logs to rsyslog"
   lineinfile:
-      dest: /etc/systemd/journald.conf
+      path: /etc/systemd/journald.conf
       regexp: "^ForwardToSyslog="
       line: "#ForwardToSyslog=yes"
-      state: present
   notify: restart systemd_journal_upload
   when:
       - rhel9cis_rule_4_2_2_5

tasks/section_5/cis_5.2.x.yml

@@ -83,8 +83,7 @@
   block:
       - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowusers"
         lineinfile:
-            state: present
+            path: /etc/ssh/sshd_config
-            dest: /etc/ssh/sshd_config
             regexp: "^AllowUsers"
             line: AllowUsers {{ rhel9cis_sshd['allowusers'] }}
             validate: sshd -t -f %s
@@ -93,8 +92,7 @@
 
       - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowgroups"
         lineinfile:
-            state: present
+            path: /etc/ssh/sshd_config
-            dest: /etc/ssh/sshd_config
             regexp: "^AllowGroups"
             line: AllowGroups {{ rhel9cis_sshd['allowgroups'] }}
             validate: sshd -t -f %s
@@ -103,8 +101,7 @@
 
       - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denyusers"
         lineinfile:
-            state: present
+            path: /etc/ssh/sshd_config
-            dest: /etc/ssh/sshd_config
             regexp: "^DenyUsers"
             line: DenyUsers {{ rhel9cis_sshd['denyusers'] }}
             validate: sshd -t -f %s
@@ -113,8 +110,7 @@
 
       - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denygroups"
         lineinfile:
-            state: present
+            path: /etc/ssh/sshd_config
-            dest: /etc/ssh/sshd_config
             regexp: "^DenyGroups"
             line: DenyGroups {{ rhel9cis_sshd['denygroups'] }}
             validate: sshd -t -f %s
@@ -132,8 +128,7 @@
 
 - name: "5.2.5 | PATCH | Ensure SSH LogLevel is appropriate"
   lineinfile:
-      state: present
+      path: /etc/ssh/sshd_config
-      dest: /etc/ssh/sshd_config
       regexp: "^#LogLevel|^LogLevel"
       line: 'LogLevel {{ rhel9cis_ssh_loglevel }}'
       validate: sshd -t -f %s
@@ -149,8 +144,7 @@
 
 - name: "5.2.6 | PATCH | Ensure SSH PAM is enabled"
   lineinfile:
-      state: present
+      path: /etc/ssh/sshd_config
-      dest: /etc/ssh/sshd_config
       regexp: "^#UsePAM|^UsePAM"
       line: 'UsePAM yes'
       validate: sshd -t -f %s
@@ -166,8 +160,7 @@
 
 - name: "5.2.7 | PATCH | Ensure SSH root login is disabled"
   lineinfile:
-      state: present
+      path: /etc/ssh/sshd_config
-      dest: /etc/ssh/sshd_config
       regexp: "^#PermitRootLogin|^PermitRootLogin"
       line: 'PermitRootLogin no'
       validate: sshd -t -f %s
@@ -183,8 +176,7 @@
 
 - name: "5.2.8 | PATCH | Ensure SSH HostbasedAuthentication is disabled"
   lineinfile:
-      state: present
+      path: /etc/ssh/sshd_config
-      dest: /etc/ssh/sshd_config
       regexp: "^#HostbasedAuthentication|^HostbasedAuthentication"
       line: 'HostbasedAuthentication no'
       validate: sshd -t -f %s
@@ -200,8 +192,7 @@
 
 - name: "5.2.9 | PATCH | Ensure SSH PermitEmptyPasswords is disabled"
   lineinfile:
-      state: present
+      path: /etc/ssh/sshd_config
-      dest: /etc/ssh/sshd_config
       regexp: "^#PermitEmptyPasswords|^PermitEmptyPasswords"
       line: 'PermitEmptyPasswords no'
       validate: sshd -t -f %s
@@ -217,8 +208,7 @@
 
 - name: "5.2.10 | PATCH | Ensure SSH PermitUserEnvironment is disabled"
   lineinfile:
-      state: present
+      path: /etc/ssh/sshd_config
-      dest: /etc/ssh/sshd_config
       regexp: "^#PermitUserEnvironment|^PermitUserEnvironment"
       line: 'PermitUserEnvironment no'
       validate: sshd -t -f %s
@@ -234,8 +224,7 @@
 
 - name: "5.2.11 | PATCH | Ensure SSH IgnoreRhosts is enabled"
   lineinfile:
-      state: present
+      path: /etc/ssh/sshd_config
-      dest: /etc/ssh/sshd_config
       regexp: "^#IgnoreRhosts|^IgnoreRhosts"
       line: 'IgnoreRhosts yes'
       validate: sshd -t -f %s
@@ -251,8 +240,7 @@
 
 - name: "5.2.12 | PATCH | Ensure SSH X11 forwarding is disabled"
   lineinfile:
-      state: present
+      path: /etc/ssh/sshd_config
-      dest: /etc/ssh/sshd_config
       regexp: "^#X11Forwarding|^X11Forwarding"
       line: 'X11Forwarding no'
       validate: sshd -t -f %s
@@ -268,8 +256,7 @@
 
 - name: "5.2.13 | PATCH | Ensure SSH AllowTcpForwarding is disabled"
   lineinfile:
-      state: present
+      path: /etc/ssh/sshd_config
-      dest: /etc/ssh/sshd_config
       regexp: "^#AllowTcpForwarding|^AllowTcpForwarding"
       line: 'AllowTcpForwarding no'
       validate: sshd -t -f %s
@@ -300,8 +287,7 @@
 
 - name: "5.2.15  | PATCH | Ensure SSH warning banner is configured"
   lineinfile:
-      state: present
+      path: /etc/ssh/sshd_config
-      dest: /etc/ssh/sshd_config
       regexp: '^Banner'
       line: 'Banner /etc/issue.net'
   when:
@@ -316,8 +302,7 @@
 
 - name: "5.2.16 | PATCH | Ensure SSH MaxAuthTries is set to 4 or less"
   lineinfile:
-      state: present
+      path: /etc/ssh/sshd_config
-      dest: /etc/ssh/sshd_config
       regexp: '^(#)?MaxAuthTries \d'
       line: 'MaxAuthTries 4'
       validate: sshd -t -f %s
@@ -333,8 +318,7 @@
 
 - name: "5.2.17 | PATCH | Ensure SSH MaxStartups is configured"
   lineinfile:
-      state: present
+      path: /etc/ssh/sshd_config
-      dest: /etc/ssh/sshd_config
       regexp: "^#MaxStartups|^MaxStartups"
       line: 'MaxStartups 10:30:60'
       validate: sshd -t -f %s
@@ -350,8 +334,7 @@
 
 - name: "5.2.18  | PATCH | Ensure SSH MaxSessions is set to 10 or less"
   lineinfile:
-      state: present
+      path: /etc/ssh/sshd_config
-      dest: /etc/ssh/sshd_config
       regexp: "^#MaxSessions|^MaxSessions"
       line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}'
       validate: sshd -t -f %s
@@ -367,8 +350,7 @@
 
 - name: "5.2.19 | PATCH | Ensure SSH LoginGraceTime is set to one minute or less"
   lineinfile:
-      state: present
+      path: /etc/ssh/sshd_config
-      dest: /etc/ssh/sshd_config
       regexp: "^#LoginGraceTime|^LoginGraceTime"
       line: "LoginGraceTime {{ rhel9cis_sshd['logingracetime'] }}"
       validate: sshd -t -f %s
@@ -386,16 +368,14 @@
   block:
       - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Add line in sshd_config for ClientAliveInterval"
         lineinfile:
-            state: present
+            path: /etc/ssh/sshd_config
-            dest: /etc/ssh/sshd_config
             regexp: '^ClientAliveInterval'
             line: "ClientAliveInterval {{ rhel9cis_sshd['clientaliveinterval'] }}"
             validate: sshd -t -f %s
 
       - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3"
         lineinfile:
-            state: present
+            path: /etc/ssh/sshd_config
-            dest: /etc/ssh/sshd_config
             regexp: '^ClientAliveCountMax'
             line: "ClientAliveCountMax {{ rhel9cis_sshd['clientalivecountmax'] }}"
             validate: sshd -t -f %s

tasks/section_5/cis_5.3.x.yml

@@ -16,9 +16,8 @@
 
 - name: "5.3.2 | PATCH | Ensure sudo commands use pty"
   lineinfile:
-      dest: /etc/sudoers
+      path: /etc/sudoers
       line: "Defaults    use_pty"
-      state: present
       validate: '/usr/sbin/visudo -cf %s'
   when:
       - rhel9cis_rule_5_3_2
@@ -32,10 +31,9 @@
 
 - name: "5.3.3 | PATCH | Ensure sudo log file exists"
   lineinfile:
-      dest: /etc/sudoers
+      path: /etc/sudoers
       regexp: '^Defaults    logfile='
       line: 'Defaults    logfile="{{ rhel9cis_sudolog_location }}"'
-      state: present
       validate: '/usr/sbin/visudo -cf %s'
   when:
       - rhel9cis_rule_5_3_3
@@ -122,8 +120,7 @@
   block:
       - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid"
         lineinfile:
-            state: present
+            path: /etc/pam.d/su
-            dest: /etc/pam.d/su
             regexp: '^(#)?auth\s+required\s+pam_wheel\.so'
             line: 'auth           required        pam_wheel.so use_uid {% if rhel9cis_sugroup is defined %}group={{ rhel9cis_sugroup }}{% endif %}'
 

tasks/section_5/cis_5.6.1.x.yml

@@ -2,8 +2,7 @@
 
 - name: "5.6.1.1 | PATCH | Ensure password expiration is 365 days or less"
   lineinfile:
-      state: present
+      path: /etc/login.defs
-      dest: /etc/login.defs
       regexp: '^PASS_MAX_DAYS'
       line: "PASS_MAX_DAYS {{ rhel9cis_pass['max_days'] }}"
   when:
@@ -18,8 +17,7 @@
 
 - name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more"
   lineinfile:
-      state: present
+      path: /etc/login.defs
-      dest: /etc/login.defs
       regexp: '^PASS_MIN_DAYS'
       line: "PASS_MIN_DAYS {{ rhel9cis_pass['min_days'] }}"
   when:
@@ -34,8 +32,7 @@
 
 - name: "5.6.1.3 | PATCH | Ensure password expiration warning days is 7 or more"
   lineinfile:
-      state: present
+      path: /etc/login.defs
-      dest: /etc/login.defs
       regexp: '^PASS_WARN_AGE'
       line: "PASS_WARN_AGE {{ rhel9cis_pass['warn_age'] }}"
   when: