lint updates

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

handlers/main.yml

@@ -1,14 +1,13 @@
 ---
 # handlers file for RHEL9-CIS
 
-- name: reload sysctl
+- name: Reload sysctl
-  shell: sysctl --system
+  ansible.builtin.shell: sysctl --system
   when:
       - sysctl_updated.changed
 
-- name: sysctl flush ipv4 route table
+- name: Sysctl flush ipv4 route table
-  become: true
+  ansible.posix.sysctl:
-  sysctl:
       name: net.ipv4.route.flush
       value: '1'
       sysctl_set: true
@@ -16,12 +15,9 @@
   when:
       - flush_ipv4_route
       - not system_is_container
-  tags:
-      - skip_ansible_lint
 
-- name: sysctl flush ipv6 route table
+- name: Sysctl flush ipv6 route table
-  become: true
+  ansible.posix.sysctl:
-  sysctl:
       name: net.ipv6.route.flush
       value: '1'
       sysctl_set: true
@@ -29,92 +25,81 @@
       - flush_ipv6_route
       - not system_is_container
 
-- name: systemd restart tmp.mount
+- name: Systemd restart tmp.mount
-  become: true
+  ansible.builtin.systemd:
-  systemd:
       name: tmp.mount
-      daemon_reload: true
+      daemon_Reload: true
       enabled: true
       masked: false
-      state: reloaded
+      state: Reloaded
 
-- name: systemd restart var-tmp.mount
+- name: Remount tmp
-  become: true
+  ansible.posix.mount:
-  systemd:
+      path: /tmp
-      name: var-tmp.mount
+      state: remounted
-      daemon_reload: true
-      enabled: true
-      masked: false
-      state: reloaded
 
-- name: remount tmp
+- name: Restart firewalld
-  ansible.posix.mount: 
+  ansible.builtin.systemd:
-    path: /tmp
-    state: remounted
-
-- name: restart firewalld
-  service:
       name: firewalld
       state: restarted
 
-- name: restart sshd
+- name: Restart sshd
-  service:
+  ansible.builtin.systemd:
       name: sshd
       state: restarted
 
-- name: restart postfix
+- name: Restart postfix
-  service:
+  ansible.builtin.systemd:
       name: postfix
       state: restarted
 
-- name: reload dconf
+- name: Reload dconf
-  shell: dconf update
+  ansible.builtin.shell: dconf update
 
 - name: grub2cfg
-  shell: "grub2-mkconfig -o /boot/grub2/grub.cfg"
+  ansible.builtin.shell: "grub2-mkconfig -o /boot/grub2/grub.cfg"
   ignore_errors: true  # noqa ignore-errors
   tags:
       - skip_ansible_lint
 
-- name: restart rsyslog
+- name: Restart rsyslog
-  become: true
+  ansible.builtin.systemd:
-  service:
       name: rsyslog
       state: restarted
 
-- name: restart journald
+- name: Restart journald
-  service:
+  ansible.builtin.systemd:
       name: systemd-journald
       state: restarted
 
-- name: restart systemd_journal_upload
+- name: Restart systemd_journal_upload
-  service:
+  ansible.builtin.systemd:
       name: systemd-journal-upload
       state: restarted
 
-- name: systemd_daemon_reload
+- name: Systemd_daemon_Reload
-  systemd:
+  ansible.builtin.systemd:
       daemon-reload: true
 
 ## Auditd tasks note order for handlers to run
 
-- name: auditd_immutable_check
+- name: Auditd_immutable_check
-  shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
+  ansible.builtin.shell: grep -c "^-e 2" /etc/audit/rules.d/99_auditd.rules
   changed_when: false
   register: auditd_immutable_check
 
-- name: audit_immutable_fact
+- name: Audit_immutable_fact
-  debug:
+  ansible.builtin.debug:
       msg: "Reboot required for auditd to apply new rules as immutable set"
   notify: change_requires_reboot
   when:
       - auditd_immutable_check.stdout == '1'
 
-- name: restart auditd
+- name: Restart auditd
-  shell: service auditd restart
+  ansible.builtin.shell: service auditd restart
   tags:
       - skip_ansible_lint
 
-- name: change_requires_reboot
+- name: Change_requires_reboot
-  set_fact:
+  ansible.builtin.set_fact:
       change_requires_reboot: true

site.yml

@@ -1,4 +1,5 @@
 ---
+
 - hosts: all
   become: true
   roles:

tasks/LE_audit_setup.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: Download audit binary
-  get_url:
+  ansible.builtin.get_url:
       url: "{{ goss_url }}"
       dest: "{{ audit_bin }}"
       owner: root
@@ -11,8 +11,8 @@
   when:
       - get_goss_file == 'download'
 
-- name: copy audit binary
+- name: Copy audit binary
-  copy:
+  ansible.builtin.copy:
       src:
       dest: "{{ audit_bin }}"
       mode: 0555
@@ -21,8 +21,8 @@
   when:
       - get_goss_file == 'copy'
 
-- name: install git if not present
+- name: Install git if not present
-  package:
+  ansible.builtin.package:
       name: git
       state: present
   register: git_installed

tasks/auditd.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: POST | AUDITD | Apply auditd template will for section 4.1.3 - only required rules will be added
-  template:
+  ansible.builtin.template:
       src: audit/99_auditd.rules.j2
       dest: /etc/audit/rules.d/99_auditd.rules
       owner: root
@@ -9,18 +9,18 @@
       mode: 0600
   register: audit_rules_updated
   notify:
-      - auditd_immutable_check
+      - Auditd_immutable_check
-      - audit_immutable_fact
+      - Audit_immutable_fact
-      - restart auditd
+      - Restart auditd
 
 - name: POST | Set up auditd user logging exceptions
-  template:
+  ansible.builtin.template:
       src: audit/98_auditd_exception.rules.j2
       dest: /etc/audit/rules.d/98_auditd_exceptions.rules
       owner: root
       group: root
       mode: 0600
-  notify: restart auditd
+  notify: Restart auditd
   when:
       - allow_auditd_uid_user_exclusions
       - rhel9cis_auditd_uid_exclude | length > 0

tasks/check_prereqs.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: "PREREQ | If required install libselinux package to manage file changes."
-  package:
+  ansible.builtin.package:
       name: libselinux-python3
       state: present
   when:

tasks/main.yml

@@ -2,7 +2,7 @@
 # tasks file for RHEL9-CIS
 
 - name: Check OS version and family
-  assert:
+  ansible.builtin.assert:
       that: (ansible_distribution != 'CentOS' and ansible_os_family == 'RedHat' or ansible_os_family == "Rocky") and ansible_distribution_major_version is version_compare('9', '==')
       fail_msg: "This role can only be run against Supported OSs. {{ ansible_distribution }} {{ ansible_distribution_major_version }} is not supported."
       success_msg: "This role is running against a supported OS {{ ansible_distribution }} {{ ansible_distribution_major_version }}"
@@ -13,7 +13,7 @@
       - always
 
 - name: Check ansible version
-  assert:
+  ansible.builtin.assert:
       that: ansible_version.full is version_compare(min_ansible_version, '>=')
       fail_msg: "You must use Ansible {{ min_ansible_version }} or greater"
       success_msg: "This role is running a supported version of ansible {{ ansible_version.full }} >= {{ min_ansible_version }}"
@@ -23,14 +23,14 @@
 - name: "Check password set for {{ ansible_user }}"
   block:
       - name: Capture current password state of "{{ ansible_user }}"
-        shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'"
+        ansible.builtin.shell: "grep {{ ansible_user }} /etc/shadow | awk -F: '{print $2}'"
         changed_when: false
         failed_when: false
         check_mode: false
         register: ansible_user_password_set
 
       - name: "Assert that password set for {{ ansible_user }} and account not locked"
-        assert:
+        ansible.builtin.assert:
             that: ansible_user_password_set.stdout | length != 0 and ansible_user_password_set.stdout != "!!"
             fail_msg: "You have {{ sudo_password_rule }} enabled but the user = {{ ansible_user }} has no password set - It can break access"
             success_msg: "You a password set for the {{ ansible_user }}"
@@ -45,15 +45,15 @@
 - name: Setup rules if container
   block:
       - name: Discover and set container variable if required
-        set_fact:
+        ansible.builtin.set_fact:
             system_is_container: true
 
       - name: Load variable for container
-        include_vars:
+        ansible.builtin.include_vars:
             file: "{{ container_vars_file }}"
 
-      - name: output if discovered is a container
+      - name: Output if discovered is a container
-        debug:
+        ansible.builtin.debug:
             msg: system has been discovered as a container
         when:
             - system_is_container
@@ -65,13 +65,13 @@
       - always
 
 - name: Check crypto-policy input
-  assert:
+  ansible.builtin.assert:
       that: rhel9cis_crypto_policy in rhel9cis_allowed_crypto_policies
       fail_msg: "Crypto policy is not a permitted version"
       success_msg: "Crypto policy is a permitted version"
 
 - name: Check rhel9cis_bootloader_password_hash variable has been changed
-  assert:
+  ansible.builtin.assert:
       that: rhel9cis_bootloader_password_hash.find('grub.pbkdf2.sha512') != -1 and rhel9cis_bootloader_password_hash != 'grub.pbkdf2.sha512.changethispassword'
       msg: "This role will not be able to run single user password commands as rhel9cis_bootloader_password_hash variable has not been set correctly"
   when:
@@ -80,10 +80,10 @@
   tags:
       - always
 
-- name: "check sugroup exists if used"
+- name: Check sugroup exists if used
   block:
       - name: "Check su group exists if defined"
-        shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group
+        ansible.builtin.shell: grep -w "{{ rhel9cis_sugroup }}" /etc/group
         register: sugroup_exists
         changed_when: false
         failed_when: sugroup_exists.rc >= 2
@@ -91,7 +91,7 @@
             - skip_ansible_lint
 
       - name: Check sugroup if defined exists before continuing
-        assert:
+        ansible.builtin.assert:
             that: sugroup_exists.rc == 0
             msg: "The variable rhel9cis_sugroup is defined but does not exist please rectify"
   when:
@@ -101,35 +101,35 @@
       - rule_5.7
 
 - name: Gather the package facts
-  package_facts:
+  ansible.builtin.package_facts:
       manager: auto
   tags:
       - always
 
 - name: Include OS specific variables
-  include_vars: "{{ ansible_distribution }}.yml"
+  ansible.builtin.include_vars: "{{ ansible_distribution }}.yml"
   tags:
       - always
 
 - name: Include preliminary steps
-  import_tasks: prelim.yml
+  ansible.builtin.import_tasks: prelim.yml
   tags:
       - prelim_tasks
       - always
 
 - name: run pre_remediation audit
-  include_tasks: pre_remediation_audit.yml
+  ansible.builtin.include_tasks: pre_remediation_audit.yml
   when:
       - run_audit
 
 - name: Gather the package facts after prelim
-  package_facts:
+  ansible.builtin.package_facts:
       manager: auto
   tags:
       - always
 
 - name: capture /etc/password variables
-  include_tasks: parse_etc_password.yml
+  ansible.builtin.include_tasks: parse_etc_password.yml
   when:
       - rhel9cis_section6
   tags:
@@ -142,67 +142,67 @@
       - rhel9cis_section6
 
 - name: run Section 1 tasks
-  import_tasks: section_1/main.yml
+  ansible.builtin.import_tasks: section_1/main.yml
   when: rhel9cis_section1
   tags:
       - rhel9cis_section1
 
 - name: run Section 2 tasks
-  import_tasks: section_2/main.yml
+  ansible.builtin.import_tasks: section_2/main.yml
   when: rhel9cis_section2
   tags:
       - rhel9cis_section2
 
 - name: run Section 3 tasks
-  import_tasks: section_3/main.yml
+  ansible.builtin.import_tasks: section_3/main.yml
   when: rhel9cis_section3
   tags:
       - rhel9cis_section3
 
 - name: run Section 4 tasks
-  import_tasks: section_4/main.yml
+  ansible.builtin.import_tasks: section_4/main.yml
   when: rhel9cis_section4
   tags:
       - rhel9cis_section4
 
 - name: run Section 5 tasks
-  import_tasks: section_5/main.yml
+  ansible.builtin.import_tasks: section_5/main.yml
   when: rhel9cis_section5
   tags:
       - rhel9cis_section5
 
 - name: run Section 6 tasks
-  import_tasks: section_6/main.yml
+  ansible.builtin.import_tasks: section_6/main.yml
   when: rhel9cis_section6
   tags:
       - rhel9cis_section6
 
 - name: run auditd logic
-  import_tasks: auditd.yml
+  ansible.builtin.import_tasks: auditd.yml
   when:
       - update_audit_template
   tags:
       - always
 
 - name: run post remediation tasks
-  import_tasks: post.yml
+  ansible.builtin.import_tasks: post.yml
   tags:
       - post_tasks
       - always
 
 - name: run post_remediation audit
-  import_tasks: post_remediation_audit.yml
+  ansible.builtin.import_tasks: post_remediation_audit.yml
   when:
       - run_audit
 
 - name: Show Audit Summary
-  debug:
+  ansible.builtin.debug:
       msg: "{{ audit_results.split('\n') }}"
   when:
       - run_audit
 
 - name: If Warnings found Output count and control IDs affected
-  debug:
+  ansible.builtin.debug:
       msg: "You have {{ warn_count }} Warning(s) that require investigating that are related to the following benchmark ID(s) {{ warn_control_list }}"
   when: warn_count != 0
   tags:

tasks/parse_etc_password.yml

@@ -3,13 +3,13 @@
 - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd"
   block:
       - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd"
-        shell: cat /etc/passwd
+        ansible.builtin.shell: cat /etc/passwd
         changed_when: false
         check_mode: false
         register: rhel9cis_passwd_file_audit
 
       - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Split passwd entries"
-        set_fact:
+        ansible.builtin.set_fact:
             rhel9cis_passwd: "{{ rhel9cis_passwd_file_audit.stdout_lines | map('regex_replace', ld_passwd_regex, ld_passwd_yaml) | map('from_yaml') | list }}"
         with_items: "{{ rhel9cis_passwd_file_audit.stdout_lines }}"
         vars:

tasks/post.yml

@@ -2,25 +2,25 @@
 # Post tasks
 
 - name: Perform DNF package cleanup
-  dnf:
+  ansible.builtin.package:
       autoremove: true
   changed_when: false
 
 - name: Gather the package facts after remediation
-  package_facts:
+  ansible.builtin.package_facts:
       manager: auto
   tags:
       - always
 
-- name: update sysctl
+- name: Update sysctl
-  template:
+  ansible.builtin.template:
       src: "etc/sysctl.d/{{ item }}.j2"
       dest: "/etc/sysctl.d/{{ item }}"
       owner: root
       group: root
       mode: 0600
   register: sysctl_updated
-  notify: reload sysctl
+  notify: Reload sysctl
   with_items:
       - 60-kernel_sysctl.conf
       - 60-disable_ipv6.conf
@@ -31,29 +31,29 @@
       - not system_is_container
       - "'procps-ng' in ansible_facts.packages"
 
-- name: flush handlers
+- name: Flush handlers
-  meta: flush_handlers
+  ansible.builtin.meta: flush_handlers
 
 - name: POST | reboot system if changes require it and not skipped
   block:
       - name: POST | Reboot system if changes require it and not skipped
-        reboot:
+        ansible.builtin.reboot:
         when:
-            - change_requires_reboot
+            - Change_requires_reboot
             - not skip_reboot
 
       - name: POST | Warning a reboot required but skip option set
-        debug:
+        ansible.builtin.debug:
             msg: "Warning!! changes have been made that require a reboot to be implemented but skip reboot was set - Can affect compliance check results"
         changed_when: true
         when:
-            - change_requires_reboot
+            - Change_requires_reboot
             - skip_reboot
 
       - name: "POST | Warning a reboot required but skip option set | warning count"
         ansible.builtin.import_tasks: warning_facts.yml
         when:
-            - change_requires_reboot
+            - Change_requires_reboot
             - skip_reboot
   vars:
       warn_control_id: Reboot_required

tasks/post_remediation_audit.yml

@@ -1,13 +1,13 @@
 ---
 
 - name: "Post Audit | Run post_remediation {{ benchmark }} audit"
-  shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}"
+  ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ post_audit_outfile }} -g {{ group_names }}"
   environment: "{{ audit_run_script_environment | default({}) }}"
   changed_when: audit_run_post_remediation.rc == 0
   register: audit_run_post_remediation
 
 - name: Post Audit | ensure audit files readable by users
-  file:
+  ansible.builtin.file:
       path: "{{ item }}"
       mode: 0644
       state: file
@@ -17,13 +17,13 @@
 
 - name: Post Audit | Capture audit data if json format
   block:
-      - name: "capture data {{ post_audit_outfile }}"
+      - name: "Capture data {{ post_audit_outfile }}"
-        shell: "cat {{ post_audit_outfile }}"
+        ansible.builtin.shell: "cat {{ post_audit_outfile }}"
         register: post_audit
         changed_when: false
 
       - name: Capture post-audit result
-        set_fact:
+        ansible.builtin.set_fact:
             post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}"
         vars:
             summary: 'summary."summary-line"'
@@ -33,12 +33,12 @@
 - name: Post Audit | Capture audit data if documentation format
   block:
       - name: "Post Audit | capture data {{ post_audit_outfile }}"
-        shell: "tail -2 {{ post_audit_outfile }}"
+        ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}"
         register: post_audit
         changed_when: false
 
       - name: Post Audit | Capture post-audit result
-        set_fact:
+        ansible.builtin.set_fact:
             post_audit_summary: "{{ post_audit.stdout_lines }}"
   when:
       - audit_format == "documentation"

tasks/pre_remediation_audit.yml

@@ -1,20 +1,20 @@
 ---
 
 - name: Pre Audit | Setup the audit
-  include_tasks: LE_audit_setup.yml
+  ansible.builtin.include_tasks: LE_audit_setup.yml
   when:
   - setup_audit
   tags:
   - setup_audit
 
 - name: "Pre Audit | Ensure {{ audit_conf_dir }} exists"
-  file:
+  ansible.builtin.file:
       path: "{{ audit_conf_dir }}"
       state: directory
       mode: '0755'
 
 - name: Pre Audit | retrieve audit content files from git
-  git:
+  ansible.builtin.git:
       repo: "{{ audit_file_git }}"
       dest: "{{ audit_conf_dir }}"
       version: "{{ audit_git_version }}"
@@ -22,7 +22,7 @@
   - audit_content == 'git'
 
 - name: Pre Audit | copy to audit content files to server
-  copy:
+  ansible.builtin.copy:
       src: "{{ audit_local_copy }}"
       dest: "{{ audit_conf_dir }}"
       mode: 0644
@@ -30,7 +30,7 @@
   - audit_content == 'copy'
 
 - name: Pre Audit | get audit content from url
-  get_url:
+  ansible.builtin.get_url:
       url: "{{ audit_files_url }}"
       dest: "{{ audit_conf_dir }}"
       owner: root
@@ -42,12 +42,12 @@
 - name: Pre Audit | Check Goss is available
   block:
   - name: Pre Audit | Check for goss file
-    stat:
+    ansible.builtin.stat:
         path: "{{ audit_bin }}"
     register: goss_available
 
   - name: Pre Audit | Alert if goss not available
-    assert:
+    ansible.builtin.assert:
         that: goss_available.stat.exists
         fail_msg: "Audit binary file {{ audit_bin }} does not exist"
         success_msg: "Audit binary file {{ audit_bin }} exists"
@@ -55,14 +55,14 @@
   - run_audit
 
 - name: "Pre Audit | Check whether machine is UEFI-based"
-  stat:
+  ansible.builtin.stat:
       path: /sys/firmware/efi
   register: rhel9_efi_boot
   tags:
   - goss_template
 
 - name: Pre Audit | Copy ansible default vars values to test audit
-  template:
+  ansible.builtin.template:
       src: ansible_vars_goss.yml.j2
       dest: "{{ audit_vars_path }}"
       mode: 0600
@@ -72,7 +72,7 @@
   - goss_template
 
 - name: "Pre Audit | Run pre_remediation {{ benchmark }} audit"
-  shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}"
+  ansible.builtin.shell: "{{ audit_conf_dir }}/run_audit.sh -v {{ audit_vars_path }} -o {{ pre_audit_outfile }} -g {{ group_names }}"
   environment: "{{ audit_run_script_environment | default({}) }}"
   changed_when: audit_run_pre_remediation.rc == 0
   register: audit_run_pre_remediation
@@ -80,12 +80,12 @@
 - name: Pre Audit | Capture audit data if json format
   block:
   - name: "Pre Audit | capture data {{ pre_audit_outfile }}"
-    shell: "cat {{ pre_audit_outfile }}"
+    ansible.builtin.shell: "cat {{ pre_audit_outfile }}"
     register: pre_audit
     changed_when: false
 
   - name: Pre Audit | Capture pre-audit result
-    set_fact:
+    ansible.builtin.set_fact:
         pre_audit_summary: "{{ pre_audit.stdout | from_json | json_query(summary) }}"
     vars:
         summary: 'summary."summary-line"'
@@ -95,12 +95,12 @@
 - name: Pre Audit | Capture audit data if documentation format
   block:
   - name: "Pre Audit | capture data {{ pre_audit_outfile }}"
-    shell: "tail -2 {{ pre_audit_outfile }}"
+    ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}"
     register: pre_audit
     changed_when: false
 
   - name: Pre Audit | Capture pre-audit result
-    set_fact:
+    ansible.builtin.set_fact:
         pre_audit_summary: "{{ pre_audit.stdout_lines }}"
   when:
   - audit_format == "documentation"

tasks/prelim.yml

@@ -3,7 +3,7 @@
 # Preliminary tasks that should always be run
 # List users in order to look files inside each home directory
 - name: "PRELIM | List users accounts"
-  shell: "awk -F: '{print $1}' /etc/passwd"
+  ansible.builtin.shell: "awk -F: '{print $1}' /etc/passwd"
   changed_when: false
   check_mode: false
   register: users
@@ -13,7 +13,7 @@
       - users
 
 - name: "PRELIM | Gather accounts with empty password fields"
-  shell: "cat /etc/shadow | awk -F: '($2 == \"\" ) {j++;print $1; } END {exit j}'"
+  ansible.builtin.shell: "cat /etc/shadow | awk -F: '($2 == \"\" ) {j++;print $1; } END {exit j}'"
   changed_when: false
   check_mode: false
   register: empty_password_accounts
@@ -23,7 +23,7 @@
       - passwords
 
 - name: "PRELIM | Gather UID 0 accounts other than root"
-  shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'"
+  ansible.builtin.shell: "cat /etc/passwd | awk -F: '($3 == 0 && $1 != \"root\") {i++;print $1 } END {exit i}'"
   changed_when: false
   check_mode: false
   register: rhel9cis_uid_zero_accounts_except_root
@@ -36,14 +36,14 @@
 - name: "PRELIM | Setup crypto-policy"
   block:
       - name: "PRELIM | Install crypto-policies"
-        dnf:
+        ansible.builtin.package:
             name:
                 - crypto-policies
                 - crypto-policies-scripts
             state: present
 
       - name: "PRELIM | Gather system-wide crypto-policy"
-        shell: update-crypto-policies --show
+        ansible.builtin.shell: update-crypto-policies --show
         changed_when: false
         check_mode: false
         register: system_wide_crypto_policy
@@ -56,7 +56,7 @@
       - crypto
 
 - name: "PRELIM | if systemd coredump"
-  stat:
+  ansible.builtin.stat:
       path: /etc/systemd/coredump.conf
   register: systemd_coredump
   when:
@@ -68,14 +68,14 @@
       - systemd
 
 - name: "PRELIM | Section 1.1 | Create list of mount points"
-  set_fact:
+  ansible.builtin.set_fact:
       mount_names: "{{ ansible_mounts | map(attribute='mount') | list }}"
   tags:
       - level1-server
       - level1-workstation
 
 - name: "PRELIM | Ensure python3-libselinux is installed"
-  package:
+  ansible.builtin.package:
       name: python3-libselinux
       state: present
   when:
@@ -84,23 +84,23 @@
 - name: "PRELIM | Set facts based on boot type"
   block:
       - name: "PRELIM | Check whether machine is UEFI-based"
-        stat:
+        ansible.builtin.stat:
             path: /sys/firmware/efi
         register: rhel_09_efi_boot
 
       - name: "PRELIM | AUDIT | set legacy boot and grub path | Bios"
-        set_fact:
+        ansible.builtin.set_fact:
             rhel9cis_legacy_boot: true
             grub2_path: /etc/grub2.cfg
         when: not rhel_09_efi_boot.stat.exists
 
       - name: "PRELIM | set grub fact | UEFI"
-        set_fact:
+        ansible.builtin.set_fact:
             grub2_path: /etc/grub2-efi.cfg
         when: rhel_09_efi_boot.stat.exists
 
 - name: "PRELIM | Section 4.1 | Configure System Accounting (auditd)"
-  package:
+  ansible.builtin.package:
       name: audit
       state: present
   become: true
@@ -135,7 +135,7 @@
       - rule_4.1.4.7
 
 - name: "PRELIM | Section 5.1 | Configure cron"
-  package:
+  ansible.builtin.package:
       name: cronie
       state: present
   become: true
@@ -149,7 +149,7 @@
       - cron
 
 - name: "PRELIM | Install authconfig"
-  package:
+  ansible.builtin.package:
       name: authconfig
       state: present
   become: true
@@ -170,7 +170,7 @@
       - auditd
 
 - name: "PRELIM | 5.3.4 | Find all sudoers files."
-  command: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'"
+  ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'"
   changed_when: false
   failed_when: false
   check_mode: false
@@ -183,7 +183,7 @@
       - rule_5.3.5
 
 - name: "PRELIM | Check for rhnsd service"
-  shell: "systemctl show rhnsd | grep LoadState | cut -d = -f 2"
+  ansible.builtin.shell: "systemctl show rhnsd | grep LoadState | cut -d = -f 2"
   changed_when: false
   check_mode: false
   become: true
@@ -198,28 +198,28 @@
 - name: "PRELIM | AUDIT | Discover Interactive UID MIN and MIN from logins.def"
   block:
       - name: "PRELIM | AUDIT | Capture UID_MIN information from logins.def"
-        shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}'
+        ansible.builtin.shell: grep -w "^UID_MIN" /etc/login.defs | awk '{print $NF}'
         changed_when: false
         register: uid_min_id
 
       - name: "PRELIM | AUDIT | Capture UID_MAX information from logins.def"
-        shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}'
+        ansible.builtin.shell: grep -w "^UID_MAX" /etc/login.defs | awk '{print $NF}'
         changed_when: false
         register: uid_max_id
 
       - name: "PRELIM | AUDIT | Capture GID_MIN information from logins.def"
-        shell: grep -w "^GID_MIN" /etc/login.defs | awk '{print $NF}'
+        ansible.builtin.shell: grep -w "^GID_MIN" /etc/login.defs | awk '{print $NF}'
         changed_when: false
         register: gid_min_id
 
       - name: "PRELIM | AUDIT | set_facts for interactive uid/gid"
-        set_fact:
+        ansible.builtin.set_fact:
             min_int_uid: "{{ uid_min_id.stdout }}"
             max_int_uid: "{{ uid_max_id.stdout }}"
             min_int_gid: "{{ gid_min_id.stdout }}"
 
 - name: Output of uid findings
-  debug:
+  ansible.builtin.debug:
       msg: "{{ min_int_uid }} {{ max_int_uid }}"
 
   when:

tasks/section_1/cis_1.1.2.x.yml

@@ -32,7 +32,7 @@
       fstype: "{{ item.fstype }}"
       state: present
       opts: defaults,{% if rhel9cis_rule_1_1_2_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_2_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_2_4 %}nosuid{% endif %}
-  notify: remount tmp
+  notify: Remount tmp
   with_items:
       - "{{ ansible_mounts }}"
   loop_control:
@@ -64,7 +64,7 @@
       owner: root
       group: root
       mode: 0644
-  notify: systemd restart tmp.mount
+  notify: Systemd restart tmp.mount
   when:
       - rhel9cis_tmp_svc
       - rhel9cis_rule_1_1_2_1 or

tasks/section_1/cis_1.1.3.x.yml

@@ -35,7 +35,7 @@
       - "{{ ansible_mounts }}"
   loop_control:
       label: "{{ item.device }}"
-  notify: change_requires_reboot
+  notify: Change_requires_reboot
   when:
       - var_mount_present is defined
       - item.mount == "/var"

tasks/section_1/cis_1.1.4.x.yml

@@ -37,7 +37,7 @@
       - "{{ ansible_mounts }}"
   loop_control:
       label: "{{ item.device }}"
-  notify: change_requires_reboot
+  notify: Change_requires_reboot
   when:
       - var_tmp_mount_present is defined
       - item.mount == "/var/tmp"

tasks/section_1/cis_1.1.5.x.yml

@@ -37,7 +37,7 @@
       - "{{ ansible_mounts }}"
   loop_control:
       label: "{{ item.device }}"
-  notify: change_requires_reboot
+  notify: Change_requires_reboot
   when:
       - var_log_mount_present is defined
       - item.mount == "/var/log"

tasks/section_1/cis_1.1.6.x.yml

@@ -10,8 +10,8 @@
         ansible.builtin.import_tasks: warning_facts.yml
 
   vars:
-       warn_control_id: '1.1.6.1'
+      warn_control_id: '1.1.6.1'
-       required_mount: '/var/log/audit'
+      required_mount: '/var/log/audit'
   when:
       - required_mount not in mount_names
       - rhel9cis_rule_1_1_6_1
@@ -36,7 +36,7 @@
       - "{{ ansible_mounts }}"
   loop_control:
       label: "{{ item.device }}"
-  notify: change_requires_reboot
+  notify: Change_requires_reboot
   when:
       - var_log_audit_mount_present is defined
       - item.mount == "/var/log/audit"

tasks/section_1/cis_1.1.7.x.yml

@@ -36,7 +36,7 @@
       - "{{ ansible_mounts }}"
   loop_control:
       label: "{{ item.device }}"
-  notify: change_requires_reboot
+  notify: Change_requires_reboot
   when:
       - home_mount_present is defined
       - item.mount == "/home"

tasks/section_1/cis_1.1.8.x.yml

@@ -34,7 +34,7 @@
       fstype: tmpfs
       state: mounted
       opts: defaults,{% if rhel9cis_rule_1_1_8_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_8_3 %}noexec,{% endif %}{% if rhel9cis_rule_1_1_8_4 %}nosuid{% endif %}
-  notify: change_requires_reboot
+  notify: Change_requires_reboot
   when:
       - rhel9cis_rule_1_1_8_2 or
         rhel9cis_rule_1_1_8_3 or

tasks/section_1/cis_1.10.yml

@@ -4,7 +4,7 @@
   ansible.builtin.shell: |
       update-crypto-policies --set "{{ rhel9cis_crypto_policy }}"
       update-crypto-policies
-  notify: change_requires_reboot
+  notify: Change_requires_reboot
   when:
       - rhel9cis_rule_1_10
       - system_wide_crypto_policy['stdout'] == 'LEGACY'

tasks/section_1/cis_1.2.x.yml

@@ -68,7 +68,7 @@
 - name: "1.2.3 | AUDIT | Ensure package manager repositories are configured"
   block:
       - name: "1.2.3 | AUDIT | Ensure package manager repositories are configured | Get repo list"
-        ansible.builtin.command: dnf repolist
+        ansible.builtin.shell: dnf repolist
         changed_when: false
         failed_when: false
         register: dnf_configured

tasks/section_1/cis_1.3.x.yml

@@ -8,7 +8,7 @@
             state: present
 
       - name: "1.3.1 | PATCH | Ensure AIDE is installed | Configure AIDE"
-        ansible.builtin.command: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz'
+        ansible.builtin.shell: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz'
         changed_when: false
         failed_when: false
         async: 45

tasks/section_1/cis_1.8.x.yml

@@ -25,7 +25,7 @@
       owner: root
       group: root
       mode: 0644
-  notify: reload dconf
+  notify: Reload dconf
   with_items:
       - { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' }
       - { file: '/etc/dconf/profile/gdm', regexp: 'system-db', line: 'system-db:gdm' }
@@ -54,7 +54,7 @@
       owner: root
       group: root
       mode: 0644
-  notify: reload dconf
+  notify: Reload dconf
   with_items:
       - { file: '/etc/dconf/profile/gdm', regexp: 'user-db', line: 'user-db:user' }
       - { file: '/etc/dconf/profile/gdm', regexp: 'system-db', line: 'system-db:gdm' }
@@ -81,7 +81,7 @@
       owner: root
       group: root
       mode: 0644
-  notify: reload dconf
+  notify: Reload dconf
   with_items:
       - { regex: '\[org\/gnome\/desktop\/media-handling\]', line: '[org/gnome/desktop/media-handling]' }
       - { regex: 'automount=', line: 'automount=false' }

tasks/section_1/cis_1.9.yml

@@ -4,7 +4,7 @@
   ansible.builtin.package:
       name: "*"
       state: latest
-  notify: change_requires_reboot
+  notify: Change_requires_reboot
   when:
       - rhel9cis_rule_1_9
       - not system_is_ec2

tasks/section_2/cis_2.2.x.yml

@@ -228,7 +228,7 @@
   ansible.builtin.package:
       name: dnsmasq
       state: absent
-  notify: restart postfix
+  notify: Restart postfix
   when:
       - not rhel9cis_is_mail_server
       - "'dnsmasq' in ansible_facts.packages"
@@ -245,7 +245,7 @@
       path: /etc/postfix/main.cf
       regexp: "^(#)?inet_interfaces"
       line: "inet_interfaces = loopback-only"
-  notify: restart postfix
+  notify: Restart postfix
   when:
       - not rhel9cis_is_mail_server
       - "'postfix' in ansible_facts.packages"

tasks/section_3/cis_3.1.x.yml

@@ -27,21 +27,21 @@
 - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled"
   block:
       - name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available"
-        ansible.builtin.command: rpm -q NetworkManager
+        ansible.builtin.shell: rpm -q NetworkManager
         changed_when: false
         failed_when: false
         check_mode: false
         register: rhel_08_nmcli_available
 
       - name: "3.1.2 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled"
-        ansible.builtin.command: nmcli radio wifi
+        ansible.builtin.shell: nmcli radio wifi
         register: rhel_08_wifi_enabled
         changed_when: rhel_08_wifi_enabled.stdout != "disabled"
         failed_when: false
         when: rhel_08_nmcli_available.rc == 0
 
       - name: "3.1.2 | PATCH | Ensure wireless interfaces are disabled | Disable wifi if enabled"
-        ansible.builtin.command: nmcli radio all off
+        ansible.builtin.shell: nmcli radio all off
         changed_when: false
         failed_when: false
         when: rhel_08_wifi_enabled is changed

tasks/section_4/cis_4.1.2.x.yml

@@ -5,7 +5,7 @@
       path: /etc/audit/auditd.conf
       regexp: "^max_log_file( |=)"
       line: "max_log_file = {{ rhel9cis_max_log_file_size }}"
-  notify: restart auditd
+  notify: Restart auditd
   when:
       - rhel9cis_rule_4_1_2_1
   tags:
@@ -21,7 +21,7 @@
       path: /etc/audit/auditd.conf
       regexp: "^max_log_file_action"
       line: "max_log_file_action = {{ rhel9cis_auditd['max_log_file_action'] }}"
-  notify: restart auditd
+  notify: Restart auditd
   when:
       - rhel9cis_rule_4_1_2_2
   tags:
@@ -36,7 +36,7 @@
       path: /etc/audit/auditd.conf
       regexp: "{{ item.regexp }}"
       line: "{{ item.line }}"
-  notify: restart auditd
+  notify: Restart auditd
   with_items:
       - { regexp: '^admin_space_left_action', line: 'admin_space_left_action = {{ rhel9cis_auditd.admin_space_left_action }}' }
       - { regexp: '^action_mail_acct', line: 'action_mail_acct = {{ rhel9cis_auditd.action_mail_acct }}' }
@@ -56,7 +56,7 @@
       regexp: "^{{ item }}( |=)"
       line: "{{ item }} = {{ rhel9cis_auditd_extra_conf[item] }}"
   loop: "{{ rhel9cis_auditd_extra_conf.keys() }}"
-  notify: restart auditd
+  notify: Restart auditd
   when:
       - rhel9cis_auditd_extra_conf.keys() | length > 0
   tags:

tasks/section_4/cis_4.1.4.x.yml

@@ -64,9 +64,9 @@
   loop: "{{ auditd_conf_files.files }}"
   loop_control:
       label: "{{ item.path }}"
-  when: 
+  when:
-       - item.mode != '06(0|4)0'
+      - item.mode != '06(0|4)0'
-       - rhel9cis_rule_4_1_4_5
+      - rhel9cis_rule_4_1_4_5
   tags:
       - level2-server
       - level2-workstation

tasks/section_4/cis_4.2.1.x.yml

@@ -32,10 +32,10 @@
       path: /etc/systemd/journald.conf
       regexp: "^#ForwardToSyslog=|^ForwardToSyslog="
       line: ForwardToSyslog=yes
-  notify: restart rsyslog
+  notify: Restart rsyslog
   when:
       - rhel9cis_rule_4_2_1_3
-      - rhel9cis_preferred_log_capture == "rsyslog"
+      - rhel9cis_syslog == "rsyslog"
   tags:
       - level1-server
       - level1-workstation
@@ -47,7 +47,7 @@
       path: /etc/rsyslog.conf
       regexp: '^\$FileCreateMode'
       line: '$FileCreateMode 0640'
-  notify: restart rsyslog
+  notify: Restart rsyslog
   when:
       - rhel9cis_rule_4_2_1_4
   tags:
@@ -60,7 +60,7 @@
 - name: "4.2.1.5 | PATCH | Ensure logging is configured"
   block:
       - name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out"
-        ansible.builtin.command: cat /etc/rsyslog.conf
+        ansible.builtin.shell: cat /etc/rsyslog.conf
         changed_when: false
         failed_when: false
         check_mode: false
@@ -84,7 +84,7 @@
               mail.warning                                            -/var/log/mail.warning
               mail.err                                                /var/log/mail.err
             insertafter: '# Log all the mail messages in one place.'
-        notify: restart rsyslog
+        notify: Restart rsyslog
         when: rhel9cis_rsyslog_ansiblemanaged
 
       - name: "4.2.1.5 | PATCH | Ensure logging is configured | news.crit log setting"
@@ -97,7 +97,7 @@
               news.crit                                               -/var/log/news/news.crit
               news.notice                                             -/var/log/news/news.crit
             insertafter: '# Save news errors of level crit and higher in a special file.'
-        notify: restart rsyslog
+        notify: Restart rsyslog
         when: rhel9cis_rsyslog_ansiblemanaged
 
       - name: "4.2.1.5 | PATCH | Ensure logging is configured | Misc. log setting"
@@ -111,7 +111,7 @@
               *.crit                                                   /var/log/warn
               *.*;mail.none;news.none                                  /var/log/messages
             insertafter: '#### RULES ####'
-        notify: restart rsyslog
+        notify: Restart rsyslog
         when: rhel9cis_rsyslog_ansiblemanaged
 
       - name: "4.2.1.5 | PATCH | Ensure logging is configured | Local log settings"
@@ -127,7 +127,7 @@
               local6,local7.*                                          -/var/log/localmessages
               *.emrg                                                    :omusrmsg:*
             insertafter: '#### RULES ####'
-        notify: restart rsyslog
+        notify: Restart rsyslog
 
       - name: "4.2.1.5 | PATCH | Ensure logging is configured | Auth Settings"
         ansible.builtin.blockinfile:
@@ -138,7 +138,7 @@
               # Private settings to meet CIS standards
               auth,authpriv.*                                           /var/log/secure
             insertafter: '#### RULES ####'
-        notify: restart rsyslog
+        notify: Restart rsyslog
 
       - name: "4.2.1.5 | PATCH | Ensure logging is configured | Cron Settings"
         ansible.builtin.blockinfile:
@@ -149,7 +149,7 @@
               # Cron settings to meet CIS standards
               cron.*                                                   /var/log/cron
             insertafter: '#### RULES ####'
-        notify: restart rsyslog
+        notify: Restart rsyslog
   when:
       - rhel9cis_rule_4_2_1_5
   tags:
@@ -171,7 +171,7 @@
   failed_when:
       - result is failed
       - result.rc != 257
-  notify: restart rsyslog
+  notify: Restart rsyslog
   when:
       - rhel9cis_rule_4_2_1_6
       - rhel9cis_remote_log_server
@@ -189,7 +189,7 @@
             path: /etc/rsyslog.conf
             regexp: '{{ item }}'
             replace: '#\1'
-        notify: restart rsyslog
+        notify: Restart rsyslog
         loop:
             - '^(\$ModLoad imtcp)'
             - '^(\$InputTCPServerRun)'
@@ -202,7 +202,7 @@
             path: /etc/rsyslog.conf
             regexp: '^#(.*{{ item }}.*)'
             replace: '\1'
-        notify: restart rsyslog
+        notify: Restart rsyslog
         loop:
             - 'ModLoad imtcp'
             - 'InputTCPServerRun'

tasks/section_4/cis_4.2.2.x.yml

@@ -19,7 +19,7 @@
       path: /etc/systemd/journal-upload.conf
       regexp: "{{ item.regexp }}"
       line: "{{ item.line }}"
-  notify: restart systemd_journal_upload
+  notify: Restart systemd_journal_upload
   with_items:
       - { regexp: 'URL=', line: 'URL={{ rhel9cis_journal_upload_url }}'}
       - { regexp: 'ServerKeyFile=', line: 'ServerKeyFile={{ rhel9cis_journal_upload_serverkeyfile }}'}
@@ -92,7 +92,7 @@
         ansible.builtin.import_tasks: warning_facts.yml
         when: "'static' not in rhel9cis_4_2_2_2_status.stdout"
   vars:
-     warn_control_id: '4.2.2.2'
+      warn_control_id: '4.2.2.2'
   when:
       - rhel9cis_rule_4_2_2_2
   tags:
@@ -108,7 +108,7 @@
       path: /etc/systemd/journald.conf
       regexp: "^#Compress=|^Compress="
       line: Compress=yes
-  notify: restart systemd_journal_upload
+  notify: Restart systemd_journal_upload
   when:
       - rhel9cis_rule_4_2_2_3
   tags:
@@ -124,7 +124,7 @@
       path: /etc/systemd/journald.conf
       regexp: "^#Storage=|^Storage="
       line: Storage=persistent
-  notify: restart systemd_journal_upload
+  notify: Restart systemd_journal_upload
   when:
       - rhel9cis_rule_4_2_2_4
   tags:
@@ -141,7 +141,7 @@
       path: /etc/systemd/journald.conf
       regexp: "^ForwardToSyslog="
       line: "#ForwardToSyslog=yes"
-  notify: restart systemd_journal_upload
+  notify: Restart systemd_journal_upload
   when:
       - rhel9cis_rule_4_2_2_5
   tags:
@@ -157,7 +157,7 @@
       path: /etc/systemd/journald.conf
       regexp: "{{ item.regexp }}"
       line: "{{ item.line }}"
-  notify: restart journald
+  notify: Restart systemd_journal_upload
   with_items:
       - { regexp: '^#SystemMaxUse=|^SystemMaxUse=', line: 'SystemMaxUse={{ rhel9cis_journald_systemmaxuse }}'}
       - { regexp: '^#SystemKeepFree=|^SystemKeepFree=', line: 'SystemKeepFree={{ rhel9cis_journald_systemkeepfree }}' }

tasks/section_5/cis_5.2.x.yml

@@ -84,7 +84,7 @@
             regexp: "^AllowUsers"
             line: "AllowUsers {{ rhel9cis_sshd['allowusers'] }}"
             validate: sshd -t -f %s
-        notify: restart sshd
+        notify: Restart sshd
         when: "rhel9cis_sshd['allowusers']|default('') | length > 0"
 
       - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for allowgroups"
@@ -93,7 +93,7 @@
             regexp: "^AllowGroups"
             line: "AllowGroups {{ rhel9cis_sshd['allowgroups'] }}"
             validate: sshd -t -f %s
-        notify: restart sshd
+        notify: Restart sshd
         when: "rhel9cis_sshd['allowgroups']|default('') | length > 0"
 
       - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denyusers"
@@ -102,7 +102,7 @@
             regexp: "^DenyUsers"
             line: "DenyUsers {{ rhel9cis_sshd['denyusers'] }}"
             validate: sshd -t -f %s
-        notify: restart sshd
+        notify: Restart sshd
         when: "rhel9cis_sshd['denyusers']|default('') | length > 0"
 
       - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add line to sshd_config for denygroups"
@@ -111,7 +111,7 @@
             regexp: "^DenyGroups"
             line: "DenyGroups {{ rhel9cis_sshd['denygroups'] }}"
             validate: sshd -t -f %s
-        notify: restart sshd
+        notify: Restart sshd
         when: "rhel9cis_sshd['denygroups']|default('') | length > 0"
   when:
       - rhel9cis_rule_5_2_4
@@ -267,7 +267,7 @@
 
       - name: "5.2.14 | PATCH | Ensure system-wide crypto policy is not over-ridden"
         ansible.builtin.shell: sed -ri "s/^\s*(CRYPTO_POLICY\s*=.*)$/# \1/" /etc/sysconfig/sshd
-        notify: restart sshd
+        notify: Restart sshd
         when: ssh_crypto_discovery.stdout | length > 0
   when:
       - rhel9cis_rule_5_2_14

tasks/section_5/cis_5.6.1.x.yml

@@ -52,19 +52,19 @@
         register: rhel9cis_5_6_1_4_inactive_settings
 
       - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting"
-        ansible.builtin.command: useradd -D -f {{ rhel9cis_inactivelock.lock_days }}
+        ansible.builtin.shell: useradd -D -f {{ rhel9cis_inactivelock.lock_days }}
         when: rhel9cis_5_6_1_4_inactive_settings.stdout | length == 0
 
       - name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list"
         ansible.builtin.shell: "awk -F: '/^[^#:]+:[^\\!\\*:]*:[^:]*:[^:]*:[^:]*:[^:]*:(\\s*|-1|3[1-9]|[4-9][0-9]|[1-9][0-9][0-9]+):[^:]*:[^:]*\\s*$/ {print $1}' /etc/shadow"
         changed_when: false
         check_mode: false
-        register: rhel_8_5_6_1_4_user_list
+        register: rhel9cis_5_6_1_4_user_list
 
       - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
-        ansible.builtin.command: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
+        ansible.builtin.shell: chage --inactive {{ rhel9cis_inactivelock.lock_days }} "{{ item }}"
         with_items:
-            - "{{ rhel_8_5_6_1_4_user_list.stdout_lines }}"
+            - "{{ rhel9cis_5_6_1_4_user_list.stdout_lines }}"
   when:
       - rhel9cis_rule_5_6_1_4
   tags:
@@ -104,7 +104,7 @@
             - not rhel9cis_futurepwchgdate_autofix
 
       - name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future"
-        ansible.builtin.command: passwd --expire {{ item }}
+        ansible.builtin.shell: passwd --expire {{ item }}
         when:
             - rhel9cis_5_6_1_5_user_list.stdout | length > 0
             - rhel9cis_futurepwchgdate_autofix

tasks/section_6/cis_6.1.x.yml

@@ -207,7 +207,7 @@
         when:
             - item.stdout_lines is defined
             - item.stdout_lines | length > 0
-       
+
       - name: "6.1.11 | AUDIT | Ensure no ungrouped files or directories exist | warning"
         ansible.builtin.import_tasks: warning_facts.yml
         vars:

templates/ansible_vars_goss.yml.j2

@@ -450,7 +450,7 @@ rhel9cis_nft_tables_autochaincreate: {{ rhel9cis_nft_tables_autochaincreate }}
 # Section 4
 
 ## syslog
-rhel9cis_syslog: {{ rhel9cis_preferred_log_capture }}
+rhel9cis_syslog: {{ rhel9cis_syslog }}
 
 # Section 5
 ## 5.2.4 Note the following to understand precedence and layout

vars/main.yml

@@ -8,5 +8,5 @@ rhel9cis_allowed_crypto_policies:
     - 'FIPS'
 
 # Used to control warning summary
-control_number: ""
+warn_control_list: ""
 warn_count: 0