lint

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

tasks/section_3/cis_3.4.1.x.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: "3.4.1.1 | PATCH | Ensure nftables is installed"
-  package:
+  ansible.builtin.package:
       name:
           - nftables
       state: present
@@ -38,7 +38,7 @@
             - rhel9cis_firewall == 'firewalld'
 
       - name: "3.4.1.2 | PATCH | Ensure a single firewall configuration utility is in use | {{ rhel9cis_firewall }} started and enabled"
-        systemd:
+        ansible.builtin.systemd:
             name: "{{ rhel9cis_firewall }}"
             enabled: true
             state: started

tasks/section_4/cis_4.1.1.x.yml

@@ -3,13 +3,13 @@
 - name: "4.1.1.1 | PATCH | Ensure auditd is installed"
   block:
       - name: "4.1.1.1 | PATCH | Ensure auditd is installed | Install auditd packages"
-        package:
+        ansible.builtin.package:
             name: audit
             state: present
         when: '"auditd" not in ansible_facts.packages'
 
       - name: "4.1.1.1 | PATCH | Ensure auditd is installed | Install auditd-lib packages"
-        package:
+        ansible.builtin.package:
             name: audit-libs
             state: present
         when: '"auditd-lib" not in ansible_facts.packages'
@@ -25,14 +25,14 @@
 - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled"
   block:
       - name: "4.1.1.2 | AUDIT | Ensure auditing for processes that start prior to auditd is enabled | Get GRUB_CMDLINE_LINUX"
-        shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//'
+        ansible.builtin.shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//'
         changed_when: false
         failed_when: false
         check_mode: false
         register: rhel9cis_4_1_1_2_grub_cmdline_linux
 
       - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Replace existing setting"
-        replace:
+        ansible.builtin.replace:
             dest: /etc/default/grub
             regexp: 'audit=.'
             replace: 'audit=1'
@@ -40,7 +40,7 @@
         when: "'audit=' in rhel9cis_4_1_1_2_grub_cmdline_linux.stdout"
 
       - name: "4.1.1.2 | PATCH | Ensure auditing for processes that start prior to auditd is enabled | Add audit setting if missing"
-        lineinfile:
+        ansible.builtin.lineinfile:
             path: /etc/default/grub
             regexp: '^GRUB_CMDLINE_LINUX='
             line: '{{ rhel9cis_4_1_1_2_grub_cmdline_linux.stdout }} audit=1"'
@@ -59,14 +59,14 @@
 - name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient"
   block:
       - name: "4.1.1.3 | AUDIT | Ensure audit_backlog_limit is sufficient | Get GRUB_CMDLINE_LINUX"
-        shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//'
+        ansible.builtin.shell: grep 'GRUB_CMDLINE_LINUX=' /etc/default/grub | sed 's/.$//'
         changed_when: false
         failed_when: false
         check_mode: false
         register: rhel9cis_4_1_1_3_grub_cmdline_linux
 
       - name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient | Replace existing setting"
-        replace:
+        ansible.builtin.replace:
             dest: /etc/default/grub
             regexp: 'audit_backlog_limit=\d+'
             replace: 'audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}'
@@ -74,7 +74,7 @@
         when: "'audit_backlog_limit=' in rhel9cis_4_1_1_3_grub_cmdline_linux.stdout"
 
       - name: "4.1.1.3 | PATCH | Ensure audit_backlog_limit is sufficient | Add audit_backlog_limit setting if missing"
-        lineinfile:
+        ansible.builtin.lineinfile:
             path: /etc/default/grub
             regexp: '^GRUB_CMDLINE_LINUX='
             line: '{{ rhel9cis_4_1_1_3_grub_cmdline_linux.stdout }} audit_backlog_limit={{ rhel9cis_audit_back_log_limit }}"'
@@ -91,7 +91,7 @@
       - rule_4.1.1.3
 
 - name: "4.1.1.4 | PATCH | Ensure auditd service is enabled"
-  service:
+  ansible.builtin.systemd:
       name: auditd
       state: started
       enabled: true

tasks/section_4/cis_4.1.2.x.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: "4.1.2.1 | PATCH | Ensure audit log storage size is configured"
-  lineinfile:
+  ansible.builtin.lineinfile:
       path: /etc/audit/auditd.conf
       regexp: "^max_log_file( |=)"
       line: "max_log_file = {{ rhel9cis_max_log_file_size }}"
@@ -17,7 +17,7 @@
       - rule_4.1.2.1
 
 - name: "4.1.2.2 | PATCH | Ensure audit logs are not automatically deleted"
-  lineinfile:
+  ansible.builtin.lineinfile:
       path: /etc/audit/auditd.conf
       regexp: "^max_log_file_action"
       line: "max_log_file_action = {{ rhel9cis_auditd['max_log_file_action'] }}"
@@ -32,7 +32,7 @@
       - rule_4.1.2.2
 
 - name: "4.1.2.3 | PATCH | Ensure system is disabled when audit logs are full"
-  lineinfile:
+  ansible.builtin.lineinfile:
       path: /etc/audit/auditd.conf
       regexp: "{{ item.regexp }}"
       line: "{{ item.line }}"
@@ -51,14 +51,14 @@
       - rule_4.1.2.3
 
 - name: PATCH | Configure other keys for auditd.conf
-  lineinfile:
+  ansible.builtin.lineinfile:
       path: /etc/audit/auditd.conf
       regexp: "^{{ item }}( |=)"
       line: "{{ item }} = {{ rhel9cis_auditd_extra_conf[item] }}"
   loop: "{{ rhel9cis_auditd_extra_conf.keys() }}"
   notify: restart auditd
   when:
-    - rhel9cis_auditd_extra_conf.keys() | length > 0
+      - rhel9cis_auditd_extra_conf.keys() | length > 0
   tags:
       - level2-server
       - level2-workstation

tasks/section_4/cis_4.1.3.x.yml

@@ -70,7 +70,7 @@
 - name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected"
   block:
       - name: "4.1.3.6 | PATCH | Ensure use of privileged commands is collected"
-        shell: for i in  $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done
+        ansible.builtin.shell: for i in  $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null; done
         changed_when: false
         failed_when: false
         check_mode: false

tasks/section_4/cis_4.1.4.x.yml

@@ -16,11 +16,11 @@
             "4.1.4.2 | PATCH | Ensure only authorized users own audit log files"
             "4.1.4.3 | PATCH | Ensure only authorized groups are assigned ownership of audit log files"
         ansible.builtin.file:
-          path: "{{ audit_logfile.stdout }}"
+            path: "{{ audit_logfile.stdout }}"
-          state: file
+            state: file
-          mode: 0640
+            mode: 0640
-          owner: root
+            owner: root
-          group: root
+            group: root
   when:
       - rhel9cis_rule_4_1_4_1 or
         rhel9cis_rule_4_1_4_2 or
@@ -38,14 +38,14 @@
   block:
       - name: "4.1.4.4 | AUDIT | Ensure the audit log directory is 0750 or more restrictive | get current permissions"
         ansible.builtin.stat:
-          path: "{{ audit_logfile.stdout | dirname }}"
+            path: "{{ audit_logfile.stdout | dirname }}"
         register: auditlog_dir
 
       - name: "4.1.4.4 | PATCH | Ensure the audit log directory is 0750 or more restrictive | set"
         ansible.builtin.file:
-          path: "{{ audit_logfile.stdout | dirname }}"
+            path: "{{ audit_logfile.stdout | dirname }}"
-          state: directory
+            state: directory
-          mode: 0750
+            mode: 0750
         when: not auditlog_dir.stat.mode is match('07(0|5)0')
   when:
       - rhel9cis_rule_4_1_4_4
@@ -59,21 +59,21 @@
 - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive"
   block:
 
-    - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive | get permissions"
+      - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive | get permissions"
-      ansible.builtin.stat:
+        ansible.builtin.stat:
-        path: "{{ item.path }}"
+            path: "{{ item.path }}"
-      register: item_file
+        register: item_file
-      loop: "{{ audit_conf_files.results | map(attribute='files') | flatten }}"
+        loop: "{{ audit_conf_files.results | map(attribute='files') | flatten }}"
-      loop_control:
+        loop_control:
-        label: "{{ item.path }}"
+            label: "{{ item.path }}"
 
-    - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive | set permissions"
+      - name: "4.1.4.5 | PATCH | Ensure audit configuration files are 640 or more restrictive | set permissions"
-      ansible.builtin.file:
+        ansible.builtin.file:
-          path: "{{ audit_logfile.stdout | dirname }}"
+            path: "{{ audit_logfile.stdout | dirname }}"
-          state: file
+            state: file
-          mode: 0640
+            mode: 0640
-      loop: "{{ audit_config_files }}"
+        loop: "{{ audit_config_files }}"
-      when: not item_file.stat.mode is match('06(0|4)0')
+        when: not item_file.stat.mode is match('06(0|4)0')
   when:
       - rhel9cis_rule_4_1_4_5
   tags:

tasks/section_4/cis_4.2.2.x.yml

@@ -183,14 +183,14 @@
 
       - name: "4.2.2.7 | AUDIT | Ensure journald default file permissions configured | Set live file"
         ansible.builtin.set_fact:
-          systemd_conf_file: /etc/tmpfiles.d/systemd.conf
+            systemd_conf_file: /etc/tmpfiles.d/systemd.conf
         when: rhel9cis_4_2_2_7_override_stat.exists
 
       - name: "4.2.2.7 | PATCH | Ensure journald default file permissions configured | Set permission"
         ansible.builtin.lineinfile:
-          path: "{{ /etc/tmpfiles.d/systemd.conf | default('/usr/lib/tmpfiles.d/systemd.conf') }}"
+            path: "{{ systemd_conf_file | default('/usr/lib/tmpfiles.d/systemd.conf') }}"
-          regexp: "^z \/var\/log\/journal\/%m\/system.journal (!?06(0|4)0) root"
+            regexp: "^z \/var\/log\/journal\/%m\/system.journal (!?06(0|4)0) root"
-          line: 'z /var/log/journal/%m/system.journal 0640 root systemd-journal - -'
+            line: 'z /var/log/journal/%m/system.journal 0640 root systemd-journal - -'
 
   when:
       - rhel9cis_rule_4_2_2_7