Lint updates

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

tasks/section_5/cis_5.3.2.x.yml

@@ -17,12 +17,13 @@
       when:
         - rhel9cis_authselect_custom_profile_name not in prelim_authselect_current_profile.stdout or
           prelim_authselect_current_profile.stdout is not defined
-      ansible.builtin.shell: "/usr/bin/authselect create-profile {{ rhel9cis_authselect_custom_profile_name }} -b {{ rhel9cis_authselect_default_profile_to_copy }}"
+      ansible.builtin.command: "/usr/bin/authselect create-profile {{ rhel9cis_authselect_custom_profile_name }} -b {{ rhel9cis_authselect_default_profile_to_copy }}"
+      changed_when: false
       args:
         creates: "/etc/authselect/custom/{{ rhel9cis_authselect_custom_profile_name }}"
 
     - name: "5.3.2.1 | AUDIT | Ensure active authselect profile includes pam modules | get profile features"
-      ansible.builtin.shell: "/usr/bin/authselect list-features custom/{{ rhel9cis_authselect_custom_profile_name }}"
+      ansible.builtin.command: "/usr/bin/authselect list-features custom/{{ rhel9cis_authselect_custom_profile_name }}"
       changed_when: false
       register: discovered_authselect_profile_features
 
@@ -37,7 +38,8 @@
         - password
 
     - name: "5.3.2.1 | PATCH | Ensure active authselect profile includes pam modules | Backup and Add pam modules"
-      ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %} --force --backup=rhel9cis-preremediate-{{ lookup('pipe', 'date +%Y-%m-%d-%H%M') }}"
+      ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %} --force --backup=rhel9cis-preremediate-{{ lookup('pipe', 'date +%Y-%m-%d-%H%M') }}"
+      changed_when: true
 
 - name: "5.3.2.2 | PATCH | Ensure pam_faillock module is enabled"
   when:
@@ -59,14 +61,16 @@
   notify: Authselect update
   block:
     - name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Get current config"
-      ansible.builtin.shell: authselect current | grep faillock
+      ansible.builtin.shell: |
+        authselect current | grep faillock
       changed_when: false
       failed_when: discovered_authselect_current_faillock.rc not in [ 0, 1 ]
       register: discovered_authselect_current_faillock
 
     - name: "5.3.2.2 | AUDIT | Ensure pam_faillock module is enabled | Add feature if missing"
       when: discovered_authselect_current_faillock.rc != 0
-      ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
+      ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
+      changed_when: true
 
 - name: "5.3.2.3 | PATCH | Ensure pam_pwquality module is enabled"
   when:
@@ -83,14 +87,16 @@
     - rule_5.3.2.3
   block:
     - name: "5.3.2.3 | AUDIT | Ensure pam_pwquality module is enabled | Get current config"
-      ansible.builtin.shell: authselect current | grep quality
+      ansible.builtin.shell: |
+        authselect current | grep quality
       changed_when: false
       failed_when: discovered_authselect_current_quality.rc not in [ 0, 1 ]
       register: discovered_authselect_current_quality
 
-    - name: "5.3.2.3 | AUDIT | Ensure pam_pwquality module is enabled | Add feature if missing"
+    - name: "5.3.2.3 | PATCH | Ensure pam_pwquality module is enabled | Add feature if missing"
       when: discovered_authselect_current_quality.rc != 0
-      ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
+      ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
+      changed_when: true
       notify: Authselect update
 
 - name: "5.3.2.4 | PATCH | Ensure pam_pwhistory module is enabled"
@@ -108,14 +114,16 @@
     - rule_5.3.2.4
   block:
     - name: "5.3.2.4 | AUDIT | Ensure pam_pwhistory module is enabled | Get current config"
-      ansible.builtin.shell: authselect current | grep pwhistory
+      ansible.builtin.shell: |
+        authselect current | grep pwhistory
       changed_when: false
       failed_when: discovered_authselect_current_history.rc not in [ 0, 1 ]
       register: discovered_authselect_current_history
 
     - name: "5.3.2.4 | PATCH | Ensure pam_pwhistory module is enabled | enable feature"
       when: discovered_authselect_current_history.rc != 0
-      ansible.builtin.shell: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
+      ansible.builtin.command: "/usr/bin/authselect select custom/{{ rhel9cis_authselect_custom_profile_name }}{% if rhel9cis_rule_5_3_2_2 %} with-faillock{% endif %}{% if rhel9cis_rule_5_3_2_3 %} with-pwquality{% endif %}{% if rhel9cis_rule_5_3_2_4 %} with-pwhistory{% endif %}{% if rhel9cis_rule_5_3_3_4_1 %} without-nullok{% endif %}"
+      changed_when: true
       notify: Authselect update
 
 - name: "5.3.2.5 | PATCH | Ensure pam_unix module is enabled"
@@ -146,8 +154,8 @@
         regexp: "{{ item.regexp }}"
         line: "{{ item.line }}"
         backrefs: true
-        insertafter: "{{ item.after | default (omit) }}"
-        insertbefore: "{{ item.before | default (omit) }}"
+        insertafter: "{{ item.after | default(omit) }}"
+        insertbefore: "{{ item.before | default(omit) }}"
         loop:
           - { regexp: '^(auth\s+)sufficient(\s+pam_unix.so.*)(.*)', line: '\1sufficient\2\3', after: '^auth.*pam_faillock.*preauth' }
           - { regexp: '^(password\s+)sufficient(\s+pam_unix.so.*)(.*)', line: '\1sufficient\2\3', before: '^password.*pam_deny.so' }
@@ -160,8 +168,8 @@
         line: "{{ item.line }}"
         regexp: "{{ item.regexp }}"
         backrefs: true
-        insertafter: "{{ item.after | default (omit) }}"
-        insertbefore: "{{ item.before | default (omit) }}"
+        insertafter: "{{ item.after | default(omit) }}"
+        insertbefore: "{{ item.before | default(omit) }}"
         loop:
           - { regexp: '^(auth\s+)sufficient(\s+pam_unix.so.*)(.*)', line: '\1sufficient\2\2', after: '^auth.*pam_faillock.*preauth' }
           - { regexp: '^(password\s+)sufficient(\s+pam_unix.so.*)(.*)', line: '\1sufficient\2\3', before: '^password.*pam_deny.so' }