Lint updates

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2024-12-11 11:49:02 +00:00 · 2024-12-11 11:49:02 +00:00 · 88ac5c3d65
commit 88ac5c3d65
parent fcf9eb674f
19 changed files with 127 additions and 84 deletions
--- a/tasks/section_6/cis_6.1.x.yml
+++ b/tasks/section_6/cis_6.1.x.yml
@ -45,7 +45,8 @@
          rhel9cis_aide_db_recreate
      block:
        - name: "6.1.1 | PATCH | Ensure AIDE is installed | Build AIDE DB"
-          ansible.builtin.shell: "{{ aide_initiate_command }}"
+          ansible.builtin.command: "{{ aide_initiate_command }}"
+          changed_when: true

        - name: "6.1.1 | PATCH | Ensure AIDE is installed | Build AIDE DB | Wait for file before continuing"
          ansible.builtin.wait_for:
@ -56,6 +57,7 @@
            src: /var/lib/aide/aide.db.new.gz
            dest: /var/lib/aide/aide.db.gz
            remote_src: true
+            mode: 'ug-wx,o-rwx'

 - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked"
  when:
@ -85,15 +87,15 @@

    - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | aide service"
      when: rhel9cis_aide_scan == "timer"
-      ansible.builtin.systemd:
+      ansible.builtin.systemd_service:
        name: aidecheck.service
        enabled: true

    - name: "6.1.2 | PATCH | Ensure filesystem integrity is regularly checked | aide service"
      when: rhel9cis_aide_scan == "timer"
-      ansible.builtin.systemd:
+      ansible.builtin.systemd_service:
        name: aidecheck.timer
-        state: running
+        state: started
        enabled: true

 - name: "6.1.3 | PATCH | Ensure cryptographic mechanisms are used to protect the integrity of audit tools"
--- a/tasks/section_6/cis_6.3.1.x.yml
+++ b/tasks/section_6/cis_6.3.1.x.yml
@ -1,8 +1,7 @@
 ---

 - name: "6.3.1.1 | PATCH | Ensure auditd is installed"
-  when:
-    - rhel9cis_rule_6_3_1_1
+  when: rhel9cis_rule_6_3_1_1
  tags:
    - level2-server
    - level2-workstation
@ -27,8 +26,7 @@
        state: present

 - name: "6.3.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled"
-  when:
-    - rhel9cis_rule_6_3_1_2
+  when: rhel9cis_rule_6_3_1_2
  tags:
    - level2-server
    - level2-workstation
@ -49,7 +47,8 @@
        - discovered_grubby_curr_value_audit_linux.stdout == '' or
          '0' in discovered_grubby_curr_value_audit_linux.stdout or
          'off' in discovered_grubby_curr_value_audit_linux.stdout|lower
-      ansible.builtin.shell: grubby --update-kernel=ALL --args="audit=1"
+      ansible.builtin.command: grubby --update-kernel=ALL --args="audit=1"
+      changed_when: true

 - name: "6.3.1.3 | PATCH | Ensure audit_backlog_limit is sufficient"
  when:
@ -81,17 +80,16 @@
        discovered_reset_backlog_limits: true

    - name: "6.3.1.3 | AUDIT | Check to see if any limits are too low"
-      when:
-        - (item | int < rhel9cis_audit_back_log_limit)
+      when: (item | int < rhel9cis_audit_back_log_limit)
      ansible.builtin.set_fact:
        discovered_reset_backlog_limits: true
      loop: "{{ discovered_grubby_curr_value_backlog_linux.stdout_lines }}"

    - name: "6.3.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Grubby update applied"
-      when:
-        - discovered_reset_backlog_limits is defined
-      ansible.builtin.shell:
+      when: discovered_reset_backlog_limits is defined
+      ansible.builtin.command:
        cmd: 'grubby --update-kernel=ALL --args="audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"'
+      changed_when: true

 - name: "6.3.1.4 | PATCH | Ensure auditd service is enabled and active"
  when: