Merge pull request #276 from ansible-lockdown/mrsteve_module_fix_april

Module Change From Command To Shell, Update Names Of Tasks

handlers/main.yml

@@ -38,7 +38,7 @@
       state: reloaded
 
 - name: remount tmp
-  ansible.builtin.command: mount -o remount /tmp
+  ansible.builtin.shell: mount -o remount /tmp
 
 - name: restart firewalld
   ansible.builtin.service:
@@ -61,7 +61,7 @@
       state: restarted
 
 - name: reload dconf
-  ansible.builtin.command: dconf update
+  ansible.builtin.shell: dconf update
 
 - name: update auditd
   ansible.builtin.template:
@@ -73,7 +73,7 @@
   notify: restart auditd
 
 - name: restart auditd
-  ansible.builtin.command: /sbin/service auditd restart
+  ansible.builtin.shell: /sbin/service auditd restart
   changed_when: false
   check_mode: false
   failed_when: false
@@ -89,7 +89,7 @@
       state: restarted
 
 - name: rhel8cis_grub2cfg
-  ansible.builtin.command: "grub2-mkconfig -o {{ grub_cfg.stat.lnk_source }}"
+  ansible.builtin.shell: "grub2-mkconfig -o {{ grub_cfg.stat.lnk_source }}"
   ignore_errors: true  # noqa ignore-errors
   notify: change_requires_reboot
   tags:

tasks/parse_etc_password.yml

@@ -3,7 +3,7 @@
 - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd"
   block:
       - name: "PRELIM | 5.5.2 | 6.2.7 | 6.2.8 | 6.2.20 | Parse /etc/passwd"
-        ansible.builtin.command: cat /etc/passwd
+        ansible.builtin.shell: cat /etc/passwd
         changed_when: false
         check_mode: false
         register: rhel8cis_passwd_file_audit

tasks/post_remediation_audit.yml

@@ -17,12 +17,12 @@
 
 - name: Post Audit | Capture audit data if json format
   block:
-      - name: "capture data {{ post_audit_outfile }}"
-        ansible.builtin.command: "cat {{ post_audit_outfile }}"
+      - name: Post Audit |  "capture data {{ post_audit_outfile }}"
+        ansible.builtin.shell: "cat {{ post_audit_outfile }}"
         register: post_audit
         changed_when: false
 
-      - name: Capture post-audit result
+      - name: Post Audit | Capture post-audit result
         ansible.builtin.set_fact:
             post_audit_summary: "{{ post_audit.stdout | from_json | json_query(summary) }}"
         vars:
@@ -33,7 +33,7 @@
 - name: Post Audit | Capture audit data if documentation format
   block:
       - name: "Post Audit | capture data {{ post_audit_outfile }}"
-        ansible.builtin.command: "tail -2 {{ post_audit_outfile }}"
+        ansible.builtin.shell: "tail -2 {{ post_audit_outfile }}"
         register: post_audit
         changed_when: false
 

tasks/pre_remediation_audit.yml

@@ -94,7 +94,7 @@
 - name: Pre Audit | Capture audit data if json format
   block:
       - name: "Pre Audit | capture data {{ pre_audit_outfile }}"
-        ansible.builtin.command: "cat {{ pre_audit_outfile }}"
+        ansible.builtin.shell: "cat {{ pre_audit_outfile }}"
         changed_when: false
         register: pre_audit
 
@@ -109,7 +109,7 @@
 - name: Pre Audit | Capture audit data if documentation format
   block:
       - name: "Pre Audit | capture data {{ pre_audit_outfile }}"
-        ansible.builtin.command: "tail -2 {{ pre_audit_outfile }}"
+        ansible.builtin.shell: "tail -2 {{ pre_audit_outfile }}"
         register: pre_audit
         changed_when: false
 

tasks/prelim.yml

@@ -16,7 +16,7 @@
 
 # List users in order to look files inside each home directory
 - name: "PRELIM | List users accounts"
-  ansible.builtin.command: "awk -F: '{print $1}' /etc/passwd"
+  ansible.builtin.shell: "awk -F: '{print $1}' /etc/passwd"
   changed_when: false
   check_mode: false
   register: users
@@ -99,7 +99,7 @@
       state: present
 
 - name: "PRELIM | Find all sudoers files."
-  ansible.builtin.command: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'"
+  ansible.builtin.shell: "find /etc/sudoers /etc/sudoers.d/ -type f ! -name '*~' ! -name '*.*'"
   changed_when: false
   failed_when: false
   check_mode: false

tasks/section_1/cis_1.2.x.yml

@@ -65,7 +65,7 @@
 - name: "1.2.4 | AUDIT | Ensure package manager repositories are configured"
   block:
       - name: "1.2.4 | AUDIT | Ensure package manager repositories are configured | Get repo list"
-        ansible.builtin.command: dnf repolist
+        ansible.builtin.shell: dnf repolist
         changed_when: false
         failed_when: false
         register: dnf_configured

tasks/section_1/cis_1.3.x.yml

@@ -8,7 +8,7 @@
             state: present
 
       - name: "1.3.1 | PATCH | Ensure AIDE is installed | Configure AIDE"
-        ansible.builtin.command: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz'
+        ansible.builtin.shell: /usr/sbin/aide --init -B 'database_out=file:/var/lib/aide/aide.db.gz'
         changed_when: false
         failed_when: false
         async: 45

tasks/section_3/cis_3.1.x.yml

@@ -81,21 +81,21 @@
 - name: "3.1.4 | PATCH | Ensure wireless interfaces are disabled"
   block:
       - name: "3.1.4 | AUDIT | Ensure wireless interfaces are disabled | Check if nmcli command is available"
-        ansible.builtin.command: rpm -q NetworkManager
+        ansible.builtin.shell: rpm -q NetworkManager
         changed_when: false
         failed_when: false
         check_mode: false
         register: rhel_08_nmcli_available
 
       - name: "3.1.4 | AUDIT | Ensure wireless interfaces are disabled | Check if wifi is enabled"
-        ansible.builtin.command: nmcli radio wifi
+        ansible.builtin.shell: nmcli radio wifi
         register: rhel_08_wifi_enabled
         changed_when: rhel_08_wifi_enabled.stdout != "disabled"
         failed_when: false
         when: rhel_08_nmcli_available.rc == 0
 
       - name: "3.1.4 | PATCH | Ensure wireless interfaces are disabled | Disable wifi if enabled"
-        ansible.builtin.command: nmcli radio all off
+        ansible.builtin.shell: nmcli radio all off
         changed_when: false
         failed_when: false
         when: rhel_08_wifi_enabled is changed

tasks/section_3/cis_3.4.1.x.yml

@@ -84,7 +84,7 @@
         register: firewalld_zone_set
 
       - name: "3.4.1.5 | AUDIT | Ensure firewalld default zone is set"
-        ansible.builtin.command: firewall-cmd --set-default-zone="{{ rhel8cis_default_zone }}"
+        ansible.builtin.shell: firewall-cmd --set-default-zone="{{ rhel8cis_default_zone }}"
         when:
             - firewalld_zone_set.rc != 0
   when:

tasks/section_3/cis_3.4.2.x.yml

@@ -62,10 +62,10 @@
 - name: "3.4.2.4 | PATCH | Ensure iptables are flushed with nftables"
   block:
       - name: "3.4.2.4 | PATCH | Ensure iptables are flushed with nftables | IPv4"
-        ansible.builtin.command: iptables -F
+        ansible.builtin.shell: iptables -F
 
       - name: "3.4.2.4 | PATCH | Ensure iptables are flushed with nftables | IPv6"
-        ansible.builtin.command: ip6tables -F
+        ansible.builtin.shell: ip6tables -F
         when: rhel8cis_ipv6_required
   when:
       - rhel8cis_rule_3_4_2_4
@@ -81,7 +81,7 @@
 - name: "3.4.2.5 | AUDIT | Ensure an nftables table exists"
   block:
       - name: "3.4.2.5 | AUDIT | Ensure a table exists | Check for tables"
-        ansible.builtin.command: nft list tables
+        ansible.builtin.shell: nft list tables
         changed_when: false
         failed_when: false
         register: rhel8cis_3_4_2_5_nft_tables
@@ -111,7 +111,7 @@
             - not rhel8cis_nft_tables_autonewtable
 
       - name: "3.4.2.5 | PATCH | Ensure a table exists | Create table if needed"
-        ansible.builtin.command: nft create table inet "{{ rhel8cis_nft_tables_tablename }}"
+        ansible.builtin.shell: nft create table inet "{{ rhel8cis_nft_tables_tablename }}"
         failed_when: false
         when: rhel8cis_nft_tables_autonewtable
   when:
@@ -196,15 +196,15 @@
         register: rhel8cis_3_4_2_7_ip6saddr
 
       - name: "3.4.2.7 | PATCH | Ensure nftables loopback traffic is configured | Set iif lo accept rule"
-        ansible.builtin.command: nft add rule inet "{{ rhel8cis_nft_tables_tablename }}" input iif lo accept
+        ansible.builtin.shell: nft add rule inet "{{ rhel8cis_nft_tables_tablename }}" input iif lo accept
         when: '"iif \"lo\" accept" not in rhel8cis_3_4_2_7_iiflo.stdout'
 
       - name: "3.4.2.7 | PATCH | Ensure nftables loopback traffic is configured | Set ip sddr rule"
-        ansible.builtin.command: nft add rule inet "{{ rhel8cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop
+        ansible.builtin.shell: nft add rule inet "{{ rhel8cis_nft_tables_tablename }}" input ip saddr 127.0.0.0/8 counter drop
         when: '"ip saddr 127.0.0.0/8 counter packets 0 bytes 0 drop" not in rhel8cis_3_4_2_7_ipsaddr.stdout'
 
       - name: "3.4.2.7 | PATCH | Ensure nftables loopback traffic is configured | Set ip6 saddr rule"
-        ansible.builtin.command: nft add rule inet "{{ rhel8cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop
+        ansible.builtin.shell: nft add rule inet "{{ rhel8cis_nft_tables_tablename }}" input ip6 saddr ::1 counter drop
         when: '"ip6 saddr ::1 counter packets 0 bytes 0 drop" not in rhel8cis_3_4_2_7_ip6saddr.stdout'
   when:
       - rhel8cis_firewall == "nftables"
@@ -232,27 +232,27 @@
         register: rhel8cis_3_4_2_8_outconnectionrule
 
       - name: "3.4.2.8| PATCH | Ensure nftables outbound and established connections are configured | Add input tcp established accept policy"
-        ansible.builtin.command: nft add rule inet "{{ rhel8cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept
+        ansible.builtin.shell: nft add rule inet "{{ rhel8cis_nft_tables_tablename }}" input ip protocol tcp ct state established accept
         when: '"ip protocol tcp ct state established accept" not in rhel8cis_3_4_2_8_inconnectionrule.stdout'
 
       - name: "3.4.2.8 | PATCH | Ensure nftables outbound and established connections are configured | Add input udp established accept policy"
-        ansible.builtin.command: nft add rule inet "{{ rhel8cis_nft_tables_tablename }}" input ip protocol udp ct state established accept
+        ansible.builtin.shell: nft add rule inet "{{ rhel8cis_nft_tables_tablename }}" input ip protocol udp ct state established accept
         when: '"ip protocol udp ct state established accept" not in rhel8cis_3_4_2_8_inconnectionrule.stdout'
 
       - name: "3.4.2.8 | PATCH | Ensure nftables outbound and established connections are configured | Add input icmp established accept policy"
-        ansible.builtin.command: nft add rule inet "{{ rhel8cis_nft_tables_tablename }}" input ip protocol icmp ct state established accept
+        ansible.builtin.shell: nft add rule inet "{{ rhel8cis_nft_tables_tablename }}" input ip protocol icmp ct state established accept
         when: '"ip protocol icmp ct state established accept" not in rhel8cis_3_4_2_8_inconnectionrule.stdout'
 
       - name: "3.4.2.8 | PATCH | Ensure nftables outbound and established connections are configured | Add output tcp new, related, established accept policy"
-        ansible.builtin.command: nft add rule inet "{{ rhel8cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept
+        ansible.builtin.shell: nft add rule inet "{{ rhel8cis_nft_tables_tablename }}" output ip protocol tcp ct state new,related,established accept
         when: '"ip protocol tcp ct state established,related,new accept" not in rhel8cis_3_4_2_8_outconnectionrule.stdout'
 
       - name: "3.4.2.8 | PATCH | Ensure nftables outbound and established connections are configured | Add output udp new, related, established accept policy"
-        ansible.builtin.command: nft add rule inet "{{ rhel8cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept
+        ansible.builtin.shell: nft add rule inet "{{ rhel8cis_nft_tables_tablename }}" output ip protocol udp ct state new,related,established accept
         when: '"ip protocol udp ct state established,related,new accept" not in rhel8cis_3_4_2_8_outconnectionrule.stdout'
 
       - name: "3.4.2.8 | PATCH | Ensure nftables outbound and established connections are configured | Add output icmp new, related, established accept policy"
-        ansible.builtin.command: nft add rule inet "{{ rhel8cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept
+        ansible.builtin.shell: nft add rule inet "{{ rhel8cis_nft_tables_tablename }}" output ip protocol icmp ct state new,related,established accept
         when: '"ip protocol icmp ct state established,related,new accept" not in rhel8cis_3_4_2_8_outconnectionrule.stdout'
   when:
       - rhel8cis_firewall == "nftables"
@@ -292,19 +292,19 @@
         register: rhel8cis_3_4_2_9_sshallowcheck
 
       - name: "3.4.2.9 | PATCH | Ensure nftables default deny firewall policy | Enable SSH traffic"
-        ansible.builtin.command: nft add rule inet "{{ rhel8cis_nft_tables_tablename }}" input tcp dport ssh accept
+        ansible.builtin.shell: nft add rule inet "{{ rhel8cis_nft_tables_tablename }}" input tcp dport ssh accept
         when: '"tcp dport ssh accept" not in rhel8cis_3_4_2_9_sshallowcheck.stdout'
 
       - name: "3.4.2.9 | PATCH | Ensure nftables default deny firewall policy | Set hook input deny policy"
-        ansible.builtin.command: nft chain inet "{{ rhel8cis_nft_tables_tablename }}" input { policy drop \; }
+        ansible.builtin.shell: nft chain inet "{{ rhel8cis_nft_tables_tablename }}" input { policy drop \; }
         when: '"type filter hook input priority 0; policy drop;" not in rhel8cis_3_4_2_9_inputpolicy.stdout'
 
       - name: "3.4.2.9 | PATCH | Ensure nftables default deny firewall policy | Create hook forward deny policy"
-        ansible.builtin.command: nft chain inet "{{ rhel8cis_nft_tables_tablename }}" forward { policy drop \; }
+        ansible.builtin.shell: nft chain inet "{{ rhel8cis_nft_tables_tablename }}" forward { policy drop \; }
         when: '"type filter hook forward priority 0; policy drop;" not in rhel8cis_3_4_2_9_forwardpolicy.stdout'
 
       - name: "3.4.2.9 | PATCH | Ensure nftables default deny firewall policy | Create hook output deny policy"
-        ansible.builtin.command: nft chain inet "{{ rhel8cis_nft_tables_tablename }}" output { policy drop \; }
+        ansible.builtin.shell: nft chain inet "{{ rhel8cis_nft_tables_tablename }}" output { policy drop \; }
         when: '"type filter hook output priority 0; policy drop;" not in rhel8cis_3_4_2_9_outputpolicy.stdout'
   when:
       - rhel8cis_firewall == "nftables"

tasks/section_4/cis_4.2.1.x.yml

@@ -63,7 +63,7 @@
 - name: "4.2.1.5 | PATCH | Ensure logging is configured"
   block:
       - name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out"
-        ansible.builtin.command: cat /etc/rsyslog.conf
+        ansible.builtin.shell: cat /etc/rsyslog.conf
         become: true
         changed_when: false
         failed_when: false

tasks/section_5/cis_5.6.1.x.yml

@@ -55,7 +55,7 @@
         register: rhel8cis_5_6_1_4_inactive_settings
 
       - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Set default inactive setting"
-        ansible.builtin.command: useradd -D -f {{ rhel8cis_inactivelock.lock_days }}
+        ansible.builtin.shell: useradd -D -f {{ rhel8cis_inactivelock.lock_days }}
         when: rhel8cis_5_6_1_4_inactive_settings.stdout | length == 0
 
       - name: "5.6.1.4 | AUDIT | Ensure inactive password lock is 30 days or less | Getting user list"
@@ -65,7 +65,7 @@
         register: rhel_8_5_6_1_4_user_list
 
       - name: "5.6.1.4 | PATCH | Ensure inactive password lock is 30 days or less | Apply Inactive setting to existing accounts"
-        ansible.builtin.command: "chage --inactive {{ rhel8cis_inactivelock.lock_days }} {{ item }}"
+        ansible.builtin.shell: "chage --inactive {{ rhel8cis_inactivelock.lock_days }} {{ item }}"
         with_items:
             - "{{ rhel_8_5_6_1_4_user_list.stdout_lines }}"
   when:
@@ -115,7 +115,7 @@
             - not rhel8cis_futurepwchgdate_autofix
 
       - name: "5.6.1.5 | PATCH | Ensure all users last password change date is in the past | Fix accounts with pw change in the future"
-        ansible.builtin.command: passwd --expire {{ item }}
+        ansible.builtin.shell: passwd --expire {{ item }}
         when:
             - rhel8cis_5_6_1_5_user_list | length > 0
             - rhel8cis_futurepwchgdate_autofix

tasks/section_5/cis_5.6.x.yml

@@ -72,7 +72,7 @@
       - rule_5.6.3
 
 - name: "5.6.4 | PATCH | Ensure default group for the root account is GID 0"
-  ansible.builtin.command: usermod -g 0 root
+  ansible.builtin.shell: usermod -g 0 root
   changed_when: false
   failed_when: false
   when:

tasks/section_6/cis_6.1.x.yml

@@ -230,7 +230,7 @@
 - name: "6.1.12 | AUDIT | Ensure no unowned files or directories exist"
   block:
       - name: "6.1.12 | AUDIT | Ensure no unowned files or directories exist | Finding all unowned files or directories"
-        ansible.builtin.command: find "{{ item.mount }}" -xdev -nouser
+        ansible.builtin.shell: find "{{ item.mount }}" -xdev -nouser
         changed_when: false
         failed_when: false
         check_mode: false
@@ -269,7 +269,7 @@
 - name: "6.1.13 | AUDIT | Ensure no ungrouped files or directories exist"
   block:
       - name: "6.1.13 | AUDIT | Ensure no ungrouped files or directories exist | Finding all ungrouped files or directories"
-        ansible.builtin.command: find "{{ item.mount }}" -xdev -nogroup
+        ansible.builtin.shell: find "{{ item.mount }}" -xdev -nogroup
         check_mode: false
         failed_when: false
         changed_when: false

tasks/section_6/cis_6.2.x.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: "6.2.1 | PATCH | Ensure password fields are not empty"
-  ansible.builtin.command: passwd -l {{ item }}
+  ansible.builtin.shell: passwd -l {{ item }}
   changed_when: false
   failed_when: false
   with_items: "{{ empty_password_accounts.stdout_lines }}"
@@ -213,7 +213,7 @@
       - rule_6.2.7
 
 - name: "6.2.8 | PATCH | Ensure root is the only UID 0 account"
-  ansible.builtin.command: passwd -l {{ item }}
+  ansible.builtin.shell: passwd -l {{ item }}
   changed_when: false
   failed_when: false
   with_items: "{{ rhel8cis_uid_zero_accounts_except_root.stdout_lines }}"
@@ -238,7 +238,7 @@
         with_items: "{{ rhel8cis_passwd | selectattr('uid', '>=', rhel8uid_interactive_uid_start | int ) | selectattr('uid', '<=', rhel8uid_interactive_uid_stop | int ) | map(attribute='dir') | list }}"
 
       - name: "6.2.9 | AUDIT | Ensure all users' home directories exist"
-        ansible.builtin.command: find -H {{ item.0 | quote }} -not -type l -perm /027
+        ansible.builtin.shell: find -H {{ item.0 | quote }} -not -type l -perm /027
         check_mode: false
         changed_when: rhel_08_6_2_9_patch_audit.stdout | length > 0
         register: rhel_08_6_2_9_patch_audit
@@ -327,7 +327,7 @@
         register: rhel_08_6_2_11_audit
 
       - name: "6.2.11 | AUDIT | Ensure users' home directories permissions are 750 or more restrictive"
-        ansible.builtin.command: find -H {{ item.0 | quote }} -not -type l -perm /027
+        ansible.builtin.shell: find -H {{ item.0 | quote }} -not -type l -perm /027
         check_mode: false
         changed_when: rhel_08_6_2_11_patch_audit.stdout | length > 0
         register: rhel_08_6_2_11_patch_audit
@@ -413,7 +413,7 @@
       - rule_6.2.12
 
 - name: "6.2.13 | PATCH | Ensure users' .netrc Files are not group or world accessible"
-  ansible.builtin.command: /bin/true
+  ansible.builtin.shell: /bin/true
   changed_when: false
   failed_when: false
   when:

tasks/verify.yml

@@ -8,7 +8,7 @@
           - scap-security-guide
 
 - name: Run CIS oscap scan and create /tmp/report.html
-  ansible.builtin.command:
+  ansible.builtin.shell:
       oscap xccdf eval \
           --report /tmp/report.html
           --profile cis