lint and var renaming

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2024-11-04 18:39:01 +00:00 · 2024-11-04 18:39:01 +00:00 · 879d9c9a1b
commit 879d9c9a1b
parent fa13b06b1f
18 changed files with 84 additions and 86 deletions
--- a/tasks/section_1/cis_1.2.1.x.yml
+++ b/tasks/section_1/cis_1.2.1.x.yml
@ -18,19 +18,19 @@
      ansible.builtin.shell: "rpm -qa | grep {{ os_gpg_key_pubkey_name }}"
      changed_when: false
      failed_when: false
-      register: os_installed_pub_keys
+      register: discovered_os_installed_pub_keys

    - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | Query found keys"
      ansible.builtin.shell: 'rpm -q --queryformat "%{PACKAGER} %{VERSION}\\n" {{ os_gpg_key_pubkey_name }} | grep "{{ os_gpg_key_pubkey_content }}"'
      changed_when: false
      failed_when: false
-      register: os_gpg_key_check
-      when: os_installed_pub_keys.rc == 0
+      register: discovered_os_gpg_key_check
+      when: discovered_os_installed_pub_keys.rc == 0

    - name: "1.2.1.1 | AUDIT | Ensure GPG keys are configured | expected keys fail"
      when:
-        - os_installed_pub_keys.rc == 1 or
-          os_gpg_key_check.rc == 1
+        - discovered_os_installed_pub_keys.rc == 1 or
+          discovered_os_gpg_key_check.rc == 1
      ansible.builtin.fail:
        msg: Installed GPG Keys do not meet expected values or expected keys are not installed

@ -48,14 +48,14 @@
      ansible.builtin.find:
        paths: /etc/yum.repos.d
        patterns: "*.repo"
-      register: yum_repos
+      register: discovered_yum_repos

    - name: "1.2.1.2 | PATCH | Ensure gpgcheck is globally activated | Update yum.repos"
      ansible.builtin.replace:
        name: "{{ item.path }}"
        regexp: "^gpgcheck=0"
        replace: "gpgcheck=1"
-      loop: "{{ yum_repos.files }}"
+      loop: "{{ discovered_yum_repos.files }}"
      loop_control:
        label: "{{ item.path }}"

@ -82,14 +82,14 @@
      ansible.builtin.find:
        paths: /etc/yum.repos.d
        patterns: "*.repo"
-      register: repo_files
+      register: discovered_repo_files

    - name: "1.2.1.3 | PATCH | Ensure repo_gpgcheck is globally activated | amend repo files"
      ansible.builtin.replace:
        path: "{{ item.path }}"
        regexp: '^repo_gpgcheck( |)=( |)0'
        replace: repo_gpgcheck=1
-      loop: "{{ repo_files.files }}"
+      loop: "{{ discovered_repo_files.files }}"
      loop_control:
        label: "{{ item.path }}"

@ -110,14 +110,14 @@
      ansible.builtin.shell: dnf repolist
      changed_when: false
      failed_when: false
-      register: dnf_configured
+      register: discovered_dnf_configured
      check_mode: false

    - name: "1.2.1.4 | AUDIT | Ensure package manager repositories are configured | Display repo list"
      ansible.builtin.debug:
        msg:
          - "Warning!! Below are the configured repos. Please review and make sure all align with site policy"
-          - "{{ dnf_configured.stdout_lines }}"
+          - "{{ discovered_dnf_configured.stdout_lines }}"

    - name: "1.2.1.4 | AUDIT | Ensure package manager repositories are configured | Warn Count"
      ansible.builtin.import_tasks:
--- a/tasks/section_1/cis_1.3.1.x.yml
+++ b/tasks/section_1/cis_1.3.1.x.yml
@ -34,7 +34,6 @@
  loop:
    - selinux=0
    - enforcing=0
-  register: selinux_grub_patch
  ignore_errors: true  # noqa ignore-errors
  notify: Grub2cfg

@ -108,17 +107,17 @@
  block:
    - name: "1.3.1.6 | AUDIT | Ensure no unconfined services exist | Find the unconfined services"
      ansible.builtin.shell: ps -eZ | grep unconfined_service_t | egrep -vw "tr|ps|egrep|bash|awk" | tr ':' ' ' | awk '{ print $NF }'
-      register: rhelcis_1_3_1_6_unconf_services
+      register: discovered_unconf_services
      failed_when: false
      changed_when: false

    - name: "1.3.1.6 | AUDIT | Ensure no unconfined services exist | Message on unconfined services"
-      when: rhelcis_1_3_1_6_unconf_services.stdout | length > 0
+      when: discovered_unconf_services.stdout | length > 0
      ansible.builtin.debug:
-        msg: "Warning!! You have unconfined services: {{ rhelcis_1_3_1_6_unconf_services.stdout_lines }}"
+        msg: "Warning!! You have unconfined services: {{ discovered_unconf_services.stdout_lines }}"

    - name: "1.3.1.6 | AUDIT | Ensure no unconfined services exist | warning count"
-      when: rhelcis_1_3_1_6_unconf_services.stdout | length > 0
+      when: discovered_unconf_services.stdout | length > 0
      ansible.builtin.import_tasks:
        file: warning_facts.yml

--- a/tasks/section_1/cis_1.6.x.yml
+++ b/tasks/section_1/cis_1.6.x.yml
@ -55,12 +55,12 @@
        owner: root
        group: root
        mode: '0640'
-      register: no_sha1_template
+      register: discovered_no_sha1_template

    - name: "1.6.3 | PATCH | Ensure system wide crypto policy disables sha1 hash and signature support | submodule to crypto policy modules"
      ansible.builtin.set_fact:
        rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SHA1' }}"
-      changed_when: no_sha1_template is defined
+      changed_when: discovered_no_sha1_template is changed  # noqa: no-handler
      notify:
        - Update Crypto Policy
        - Set Crypto Policy
@ -86,12 +86,12 @@
        owner: root
        group: root
        mode: '0640'
-      register: no_weakmac_template
+      register: discovered_no_weakmac_template

    - name: "1.6.4 | PATCH | Ensure system wide crypto policy disables macs less than 128 bits | submodule to crypto policy modules"
      ansible.builtin.set_fact:
        rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-WEAKMAC' }}"
-      changed_when: no_weakmac_template is defined
+      changed_when: discovered_no_weakmac_template is changed  # noqa: no-handler
      notify:
        - Update Crypto Policy
        - Set Crypto Policy
@ -116,12 +116,12 @@
        owner: root
        group: root
        mode: '0640'
-      register: no_sshcbc_template
+      register: discovered_no_sshcbc_template

    - name: "1.6.5 | PATCH | Ensure system wide crypto policy disables cbc for ssh | submodule to crypto policy modules"
      ansible.builtin.set_fact:
        rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHCBC' }}"
-      changed_when: no_sshcbc_template is defined
+      changed_when: discovered_no_sshcbc_template is changed  # noqa: no-handler
      notify:
        - Update Crypto Policy
        - Set Crypto Policy
@ -146,12 +146,12 @@
        owner: root
        group: root
        mode: '0640'
-      register: no_sshweakciphers_template
+      register: discovered_no_sshweakciphers_template

    - name: "1.6.6 | PATCH | Ensure system wide crypto policy disables chacha20-poly1305 for ssh | submodule to crypto policy modules"
      ansible.builtin.set_fact:
        rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHWEAKCIPHERS' }}"
-      changed_when: no_sshweakciphers_template is defined
+      changed_when: discovered_no_sshweakciphers_template is changed  # noqa: no-handler
      notify:
        - Update Crypto Policy
        - Set Crypto Policy
@ -176,12 +176,12 @@
        owner: root
        group: root
        mode: '0640'
-      register: no_sshetm_template
+      register: discovered_no_sshetm_template

    - name: "1.6.7 | PATCH | Ensure system wide crypto policy disables EtM for ssh | submodule to crypto policy modules"
      ansible.builtin.set_fact:
        rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHETM' }}"
-      changed_when: no_sshetm_template is defined
+      changed_when: discovered_no_sshetm_template is changed  # noqa: no-handler
      notify:
        - Update Crypto Policy
        - Set Crypto Policy