linting fqcn

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2023-01-12 15:01:17 +00:00 · 2023-01-12 15:01:17 +00:00 · c18151e158
commit c18151e158
parent 60d01a6582
7 changed files with 88 additions and 89 deletions
--- a/tasks/section_5/cis_5.3.x.yml
+++ b/tasks/section_5/cis_5.3.x.yml
@ -1,7 +1,7 @@
 ---

 - name: "5.3.1 | PATCH | Ensure sudo is installed"
-  package:
+  ansible.builtin.package:
      name: sudo
      state: present
  when:
@ -15,7 +15,7 @@
      - rule_5.3.1

 - name: "5.3.2 | PATCH | Ensure sudo commands use pty"
-  lineinfile:
+  ansible.builtin.lineinfile:
      path: /etc/sudoers
      line: "Defaults    use_pty"
      validate: '/usr/sbin/visudo -cf %s'
@ -30,7 +30,7 @@
      - rule_5.3.2

 - name: "5.3.3 | PATCH | Ensure sudo log file exists"
-  lineinfile:
+  ansible.builtin.lineinfile:
      path: /etc/sudoers
      regexp: '^Defaults    logfile='
      line: 'Defaults    logfile="{{ rhel9cis_sudolog_location }}"'
@ -46,7 +46,7 @@
      - rule_5.3.3

 - name: "5.3.4 | PATCH | Ensure users must provide password for escalation"
-  replace:
+  ansible.builtin.replace:
      path: "{{ item }}"
      regexp: '^([^#|{% if system_is_ec2 %}ec2-user{% endif %}].*)NOPASSWD(.*)'
      replace: '\1PASSWD\2'
@ -64,7 +64,7 @@
      - rule_5.3.4

 - name: "5.3.5 | PATCH | Ensure re-authentication for privilege escalation is not disabled globally"
-  replace:
+  ansible.builtin.replace:
      path: "{{ item }}"
      regexp: '^([^#].*)!authenticate(.*)'
      replace: '\1authenticate\2'
@ -84,13 +84,13 @@
 - name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly"
  block:
      - name: "5.3.6 | AUDIT | Ensure sudo authentication timeout is configured correctly | Get files with timeout set"
-        shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort
+        ansible.builtin.shell: grep -is 'timestamp_timeout' /etc/sudoers /etc/sudoers.d/* | cut -d":" -f1 | uniq | sort
        changed_when: false
        failed_when: false
        register: rhel9cis_5_3_6_timeout_files

      - name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if no results"
-        lineinfile:
+        ansible.builtin.lineinfile:
            path: /etc/sudoers
            regexp: 'Defaults timestamp_timeout='
            line: "Defaults timestamp_timeout={{ rhel9cis_sudo_timestamp_timeout }}"
@ -98,7 +98,7 @@
        when: rhel9cis_5_3_6_timeout_files.stdout | length == 0

      - name: "5.3.6 | PATCH | Ensure sudo authentication timeout is configured correctly | Set value if has results"
-        replace:
+        ansible.builtin.replace:
            path: "{{ item }}"
            regexp: 'timestamp_timeout=(\d+)'
            replace: "timestamp_timeout={{ rhel9cis_sudo_timestamp_timeout }}"
@ -119,13 +119,13 @@
 - name: "5.3.7 | PATCH | Ensure access to the su command is restricted"
  block:
      - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | Setting pam_wheel to use_uid"
-        lineinfile:
+        ansible.builtin.lineinfile:
            path: /etc/pam.d/su
            regexp: '^(#)?auth\s+required\s+pam_wheel\.so'
            line: 'auth           required        pam_wheel.so use_uid {% if rhel9cis_sugroup is defined %}group={{ rhel9cis_sugroup }}{% endif %}'

      - name: "5.3.7 | PATCH | Ensure access to the su command is restricted | wheel group contains root"
-        user:
+        ansible.builtin.user:
            name: "{{ rhel9cis_sugroup_users }}"
            groups: "{{ rhel9cis_sugroup | default('wheel') }}"
  when: