Merge branch 'lint_dec24' into alignment

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2024-12-11 13:36:08 +00:00 · 2024-12-11 13:36:08 +00:00 · 82f7b53a67
commit 82f7b53a67
parent ae228e3f96 6cc43202c8
49 changed files with 375 additions and 606 deletions
--- a/tasks/section_5/cis_5.4.1.x.yml
+++ b/tasks/section_5/cis_5.4.1.x.yml
@ -1,8 +1,7 @@
 ---

 - name: "5.4.1.1 | PATCH | Ensure password expiration is 365 days or less"
-  when:
-    - rhel9cis_rule_5_4_1_1
+  when: rhel9cis_rule_5_4_1_1
  tags:
    - level1-server
    - level1-workstation
@ -38,8 +37,7 @@
      loop: "{{ discovered_max_days.stdout_lines }}"

 - name: "5.4.1.2 | PATCH | Ensure minimum password days is configured"
-  when:
-    - rhel9cis_rule_5_4_1_2
+  when: rhel9cis_rule_5_4_1_2
  tags:
    - level1-server
    - level1-workstation
@ -70,8 +68,7 @@
      loop: "{{ discovered_min_days.stdout_lines }}"

 - name: "5.4.1.3 | PATCH | Ensure password expiration warning days is configured"
-  when:
-    - rhel9cis_rule_5_4_1_3
+  when: rhel9cis_rule_5_4_1_3
  tags:
    - level1-server
    - level1-workstation
@ -101,8 +98,7 @@
      loop: "{{ discovered_warn_days.stdout_lines }}"

 - name: "5.4.1.4 | PATCH | Ensure strong password hashing algorithm is configured"
-  when:
-    - rhel9cis_rule_5_4_1_4
+  when: rhel9cis_rule_5_4_1_4
  tags:
    - level1-server
    - level1-workstation
@ -116,8 +112,7 @@
    line: 'ENCRYPT_METHOD {{ rhel9cis_passwd_hash_algo | upper }}'

 - name: "5.4.1.5 | PATCH | Ensure inactive password lock is configured"
-  when:
-    - rhel9cis_rule_5_4_1_5
+  when: rhel9cis_rule_5_4_1_5
  tags:
    - level1-server
    - level1-workstation
@ -139,7 +134,7 @@
      changed_when: true

    - name: "5.4.1.5 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list"
-      ansible.builtin.shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow"
+      ansible.builtin.command: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow"
      changed_when: false
      check_mode: false
      register: discovered_passwdlck_user_list
@ -151,8 +146,7 @@
      loop: "{{ discovered_passwdlck_user_list.stdout_lines }}"

 - name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past"
-  when:
-    - rhel9cis_rule_5_4_1_6
+  when: rhel9cis_rule_5_4_1_6
  tags:
    - level1-server
    - level1-workstation
@ -190,9 +184,9 @@
        file: warning_facts.yml

    - name: "5.4.1.6 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future"
-      changed_when: true
      when:
        - discovered_passwdlck_user_future.stdout | length > 0
        - rhel9cis_futurepwchgdate_autofix
-      loop: "{{ discovered_passwdlck_user_future.stdout_lines }}"
      ansible.builtin.command: passwd --expire {{ item }}
+      changed_when: true
+      loop: "{{ discovered_passwdlck_user_future.stdout_lines }}"