added args warn for shell

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

tasks/section_5/cis_5.2.x.yml

@@ -334,7 +334,7 @@
 - name: "5.2.20 | L1 | PATCH | Ensure system-wide crypto policy is not over-ridden"
   shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd
   args:
-      warn: no
+      warn: false
   notify: restart sshd
   when:
       - rhel9cis_rule_5_2_20

tasks/section_5/cis_5.3.x.yml

@@ -4,6 +4,8 @@
   block:
       - name: "5.3.1 | L1 | PATCH | Create custom authselect profile | Gather profiles"
         shell: 'authselect current | grep "Profile ID: custom/"'
+        args:
+            warn: false
         failed_when: false
         changed_when: false
         check_mode: no
@@ -18,7 +20,7 @@
       - name: "5.3.1 | L1 | PATCH | Create custom authselect profile | Create custom profiles"
         shell: authselect create-profile {{ rhel9cis_authselect['custom_profile_name'] }} -b {{ rhel9cis_authselect['default_file_to_copy'] }}
         args:
-            warn: no
+            warn: false
         when: rhel9cis_authselect_custom_profile_create
   when:
       - rhel9cis_rule_5_3_1
@@ -34,7 +36,7 @@
       - name: "5.3.2 | L1 | AUDIT | Select authselect profile | Gather profiles and enabled features"
         shell: "authselect current"
         args:
-            warn: no
+            warn: false
         failed_when: false
         changed_when: false
         check_mode: no
@@ -49,7 +51,7 @@
       - name: "5.3.2 | L1 | PATCH | Select authselect profile | Create custom profiles"
         shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} {{ rhel9cis_authselect['options'] }}"
         args:
-            warn: no
+            warn: false
         when: rhel9cis_authselect_custom_profile_select
   when:
       - rhel9cis_rule_5_3_2
@@ -64,6 +66,8 @@
   block:
       - name: "5.3.3 | L1 | AUDIT | Ensure authselect includes with-faillock | Gather profiles and enabled features"
         shell: "authselect current | grep with-faillock"
+        args:
+            warn: false
         failed_when: false
         changed_when: false
         check_mode: no
@@ -78,7 +82,7 @@
       - name: "5.3.3 | L1 | PATCH | Ensure authselect includes with-faillock | Create custom profiles"
         shell: "authselect select custom/{{ rhel9cis_authselect['custom_profile_name'] }} with-faillock"
         args:
-            warn: no
+            warn: false
         when: rhel9cis_authselect_custom_profile_select
   when:
       - rhel9cis_rule_5_3_3

tasks/section_5/cis_5.5.1.x.yml

@@ -46,6 +46,8 @@
   block:
       - name: "5.5.1.4 | L1 | AUDIT | Ensure inactive password lock is 30 days or less | Check current settings"
         shell: useradd -D | grep INACTIVE={{ rhel9cis_inactivelock.lock_days }} | cut -f2 -d=
+        args:
+            warn: false
         changed_when: false
         failed_when: false
         check_mode: no
@@ -53,16 +55,22 @@
 
       - name: "5.5.1.4 | L1 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting"
         shell: useradd -D -f {{ rhel9cis_inactivelock.lock_days }}
+        args:
+            warn: false
         when: rhel9cis_5_5_1_4_inactive_settings.stdout | length == 0
 
       - name: "5.5.1.4 | L1 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list"
         shell: 'egrep ^[^:]+:[^\!*] /etc/shadow | cut -d: -f1'
+        args:
+            warn: false
         check_mode: no
         register: rhel_09_5_5_1_4_audit
         changed_when: false
 
       - name: "5.5.1.4 | L1 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
         shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
+        args:
+            warn: false
         with_items:
             - "{{ rhel_09_5_5_1_4_audit.stdout_lines }}"
   when:
@@ -77,6 +85,8 @@
   block:
       - name: "5.5.1.5 | L1 | AUDIT | Ensure all users last password change date is in the past | Get current date in Unix Time"
         shell: echo $(($(date --utc --date "$1" +%s)/86400))
+        args:
+            warn: false
         failed_when: false
         changed_when: false
         check_mode: no
@@ -84,6 +94,8 @@
 
       - name: "5.5.1.5 | L1 | AUDIT | Ensure all users last password change date is in the past | Get list of users with last changed pw date in the future"
         shell: "cat /etc/shadow | awk -F: '{if($3>{{ rhel9cis_5_5_1_5_currentut.stdout }})print$1}'"
+        args:
+            warn: false
         changed_when: false
         failed_when: false
         check_mode: no
@@ -103,6 +115,8 @@
 
       - name: "5.5.1.5 | L1 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future"
         shell: passwd --expire {{ item }}
+        args:
+            warn: false
         when:
             - rhel9cis_5_5_1_5_user_list | length > 0
             - rhel9cis_futurepwchgdate_autofix

tasks/section_5/cis_5.5.x.yml

@@ -64,6 +64,8 @@
 
 - name: "5.5.4 | L1 | PATCH | Ensure default group for the root account is GID 0"
   shell: usermod -g 0 root
+  args:
+      warn: false
   changed_when: false
   failed_when: false
   when:

tasks/section_5/cis_5.6.yml

@@ -10,6 +10,8 @@
 
       - name: "5.6 | L1 | AUDIT | Ensure root login is restricted to system console | Capture consoles"
         shell: cat /etc/securetty
+        args:
+            warn: false
         changed_when: false
         register: rhel_09_5_6_audit
         when: rhel9cis_securetty_check.stat.exists