Tidy up and linting

.ansible-lint

@@ -11,6 +11,7 @@ skip_list:
     - 'name[casing]'
     - 'name[template]'
     - 'fqcn[action]'
+    - 'key-order[task]'
     - '204'
     - '305'
     - '303'

defaults/main.yml

@@ -632,8 +632,10 @@ rhel8cis_authselect:
     default_file_to_copy: "sssd --symlink-meta"
     options: with-sudo with-faillock without-nullok
 
-# This needs to be set to ACCEPT manual changes to the pamd files
-rhel8cis_5_4_2_risks: NEVER
+# Its not provider recommended to run changes to pam files manually that affects authentication
+# This control needs to be set to ACCEPT this so that the changes do take place
+# Any other value does nothing
+rhel8cis_pamd_manual_risks: NEVER
 
 # 5.6.1.1
 # 5.6.1.2

tasks/section_1/cis_1.5.x.yml

@@ -35,8 +35,6 @@
   ansible.posix.sysctl:
       name: kernel.randomize_va_space
       value: '2'
-      state: present
-      reload: true
       sysctl_set: true
       ignoreerrors: true
   when:

tasks/section_3/cis_3.1.x.yml

@@ -2,15 +2,14 @@
 
 # The CIS Control wants IPv6 disabled if not in use.
 # We are using the rhel8cis_ipv6_required to specify if you have IPv6 in use
+
 - name: "3.1.1 | PATCH | Verify if IPv6 is enabled on the system"
   block:
-      - name: "3.1.1 | PATCH | Verify if IPv6 is enabled on the system |disable all except localhost"
+      - name: "3.1.1 | PATCH | Verify if IPv6 is enabled on the system | disable all except localhost"
         ansible.posix.sysctl:
             name: "{{ item }}"
             value: '1'
             sysctl_set: true
-            state: present
-            reload: true
             sysctl_file: "{{ rhel8cis_sysctl_file }}"
         with_items:
             - net.ipv6.conf.all.disable_ipv6
@@ -22,8 +21,6 @@
             name: net.ipv6.conf.lo.disable_ipv6
             value: '1'
             sysctl_set: true
-            state: present
-            reload: true
             sysctl_file: "{{ rhel8cis_sysctl_file }}"
         notify: change_requires_reboot
         when:
@@ -125,7 +122,7 @@
         ansible.builtin.shell: nmcli radio all off
         changed_when: false
         failed_when: false
-        when: rhel_08_wifi_enabled is changed
+        when: rhel_08_wifi_enabled is changed  # noqa: no-handler
   when:
       - rhel8cis_rule_3_1_4
   tags:

tasks/section_3/cis_3.2.x.yml

@@ -6,8 +6,6 @@
         ansible.posix.sysctl:
             name: net.ipv4.ip_forward
             value: '0'
-            state: present
-            reload: true
             ignoreerrors: true
             sysctl_file: "{{ rhel8cis_sysctl_file }}"
         notify: sysctl flush ipv4 route table
@@ -16,12 +14,12 @@
         ansible.posix.sysctl:
             name: net.ipv6.conf.all.forwarding
             value: '0'
-            state: present
-            reload: true
             ignoreerrors: true
             sysctl_file: "{{ rhel8cis_sysctl_file }}"
         notify: sysctl flush ipv6 route table
-        when: rhel8cis_ipv6_required or rhel8cis_ipv6_sysctl_force
+        when:
+            - rhel8cis_ipv6_required or
+              rhel8cis_ipv6_sysctl_force
   when:
       - not rhel8cis_is_router
       - rhel8cis_rule_3_2_1
@@ -38,8 +36,6 @@
       name: '{{ item.name }}'
       value: '{{ item.value }}'
       sysctl_set: true
-      state: present
-      reload: true
       ignoreerrors: true
       sysctl_file: "{{ rhel8cis_sysctl_file }}"
   notify: sysctl flush ipv4 route table

tasks/section_3/cis_3.3.x.yml

@@ -7,8 +7,6 @@
             name: '{{ item.name }}'
             value: '{{ item.value }}'
             sysctl_set: true
-            state: present
-            reload: true
             ignoreerrors: true
             sysctl_file: "{{ rhel8cis_sysctl_file }}"
         notify: sysctl flush ipv4 route table
@@ -21,7 +19,6 @@
             name: '{{ item.name }}'
             value: '{{ item.value }}'
             sysctl_set: true
-            reload: true
             ignoreerrors: true
             sysctl_file: "{{ rhel8cis_sysctl_file }}"
         notify: sysctl flush ipv6 route table
@@ -46,8 +43,6 @@
             name: '{{ item.name }}'
             value: '{{ item.value }}'
             sysctl_set: true
-            state: present
-            reload: true
             ignoreerrors: true
             sysctl_file: "{{ rhel8cis_sysctl_file }}"
         notify: sysctl flush ipv4 route table
@@ -60,8 +55,6 @@
             name: '{{ item.name }}'
             value: '{{ item.value }}'
             sysctl_set: true
-            state: present
-            reload: true
             ignoreerrors: true
             sysctl_file: "{{ rhel8cis_sysctl_file }}"
         notify: sysctl flush ipv6 route table
@@ -84,8 +77,6 @@
       name: '{{ item.name }}'
       value: '{{ item.value }}'
       sysctl_set: true
-      state: present
-      reload: true
       ignoreerrors: true
       sysctl_file: "{{ rhel8cis_sysctl_file }}"
   notify: sysctl flush ipv4 route table
@@ -107,8 +98,6 @@
       name: '{{ item.name }}'
       value: '{{ item.value }}'
       sysctl_set: true
-      state: present
-      reload: true
       ignoreerrors: true
       sysctl_file: "{{ rhel8cis_sysctl_file }}"
   notify: sysctl flush ipv4 route table
@@ -129,8 +118,6 @@
   ansible.posix.sysctl:
       name: net.ipv4.icmp_echo_ignore_broadcasts
       value: '1'
-      state: present
-      reload: true
       ignoreerrors: true
       sysctl_file: "{{ rhel8cis_sysctl_file }}"
   notify: sysctl flush ipv4 route table
@@ -149,8 +136,6 @@
       name: net.ipv4.icmp_ignore_bogus_error_responses
       value: '1'
       state: present
-      sysctl_set: true
-      reload: true
       ignoreerrors: true
       sysctl_file: "{{ rhel8cis_sysctl_file }}"
   notify: sysctl flush ipv4 route table
@@ -169,8 +154,6 @@
       name: "{{ item }}"
       value: '1'
       sysctl_set: true
-      state: present
-      reload: true
       ignoreerrors: true
       sysctl_file: "{{ rhel8cis_sysctl_file }}"
   loop:
@@ -191,9 +174,7 @@
   ansible.posix.sysctl:
       name: net.ipv4.tcp_syncookies
       value: '1'
-      state: present
       sysctl_set: true
-      reload: true
       ignoreerrors: true
       sysctl_file: "{{ rhel8cis_sysctl_file }}"
   notify: sysctl flush ipv4 route table
@@ -212,8 +193,6 @@
       name: '{{ item.name }}'
       value: '{{ item.value }}'
       sysctl_set: true
-      state: present
-      reload: true
       ignoreerrors: true
       sysctl_file: "{{ rhel8cis_sysctl_file }}"
   notify: sysctl flush ipv6 route table

tasks/section_4/cis_4.2.1.x.yml

@@ -64,7 +64,6 @@
   block:
       - name: "4.2.1.5 | AUDIT | Ensure logging is configured | rsyslog current config message out"
         ansible.builtin.shell: cat /etc/rsyslog.conf
-        become: true
         changed_when: false
         failed_when: false
         check_mode: false
@@ -79,7 +78,6 @@
       - name: "4.2.1.5 | PATCH | Ensure logging is configured | mail.* log setting"
         ansible.builtin.blockinfile:
             path: /etc/rsyslog.conf
-            state: present
             marker: "# {mark} MAIL LOG SETTINGS (ANSIBLE MANAGED)"
             block: |
               # mail logging additions to meet CIS standards

tasks/section_4/cis_4.2.2.x.yml

@@ -108,7 +108,6 @@
       path: /etc/systemd/journald.conf
       regexp: 'Compress='
       line: Compress=yes
-      state: present
       insertafter: ^#Compress
       validate: /usr/bin/bash -n %s
   when:

tasks/section_4/cis_4.2.3.yml

@@ -1,14 +1,35 @@
 ---
 
 - name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured"
-  ansible.builtin.shell: find /var/log -type f -exec chmod g-wx,o-rwx "{}" +
-  failed_when: false
+  block:
+      - name: "4.2.3 | AUDIT | Ensure permissions on all logfiles are configured | find files"
+        ansible.builtin.shell: find /var/log/ -type f -perm /g+wx,o+rwx -exec ls {} \;
+        changed_when: false
+        failed_when: false
+        register: rhel8cis_4_2_3_logfiles
+
+      - name: "4.2.3 | AUDIT | Ensure permissions on all logfiles are configured | set_fact"
+        ansible.builtin.set_fact:
+            rhel8cis_4_2_3_logfiles_flattened: "{{ rhel8cis_4_2_3_logfiles | json_query('stdout_lines[*]') | flatten }}"
+        when:
+            - rhel8cis_4_2_3_logfiles.stdout_lines | length > 0
+            - rhel8cis_4_2_3_logfiles is defined
+
+      - name: "4.2.3 | PATCH | Ensure permissions on all logfiles are configured | change permissions"
+        ansible.builtin.file:
+            path: "{{ item }}"
+            mode: 0640
+        loop: "{{ rhel8cis_4_2_3_logfiles_flattened }}"
+        when:
+            - rhel8cis_4_2_3_logfiles_flattened is defined
+            - item != "/var/log/btmp"
+            - item != "/var/log/utmp"
+            - item != "/var/log/wtmp"
   when:
       - rhel8cis_rule_4_2_3
   tags:
       - level1-server
       - level1-workstation
-      - automated
       - patch
       - logfiles
       - rule_4.2.3

tasks/section_5/cis_5.4.x.yml

@@ -59,7 +59,7 @@
             - { 'regexp': '^account\s+required\s+pam_faillock.so', 'line': 'account     required      pam_faillock.so', 'before':'^account     required      pam_unix.so'}
         when:
             - not rhel8cis_authselect_custom_profile_select
-            - rhel8cis_5_4_2_risks == 'ACCEPT'
+            - rhel8cis_pamd_manual_risks == 'ACCEPT'
             - ansible_distribution_version >= "8.2"
 
       - name: 5.4.2 | PATCH | Ensure authselect includes with-faillock | not auth select profile"
@@ -74,7 +74,7 @@
             - { 'regexp': '^account\s+required\s+pam_faillock.so', 'line': 'account     required      pam_faillock.so', 'before':'^account     required      pam_unix.so'}
         when:
             - not rhel8cis_authselect_custom_profile_select
-            - rhel8cis_5_4_2_risks == 'ACCEPT'
+            - rhel8cis_pamd_manual_risks == 'ACCEPT'
             - ansible_distribution_version >= "8.2"
   when:
       - rhel8cis_rule_5_4_2

tasks/section_5/cis_5.5.x.yml

@@ -14,7 +14,6 @@
       - name: "5.5.1 | PATCH | Ensure password creation requirements are configured | Set system-auth and password-auth retry settings"
         ansible.builtin.lineinfile:
             path: "{{ item }}"
-            state: present
             regexp: '^password\s*requisite\s*pam_pwquality.so'
             line: "password    requisite                                    pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3"
             insertbefore: '^#?password ?'

tasks/section_6/cis_6.2.x.yml

@@ -195,12 +195,12 @@
                 - "The following paths have a dot in the path: {{ rhel8cis_6_2_7_dot_in_path.stdout_lines }}"
 
       - name: "6.2.7 | PATCH | Ensure root PATH Integrity | Determine rights and owner"
-        ansible.builtin.file: >
-          path='{{ item }}'
-          follow=yes
-          state=directory
-          owner=root
-          mode='o-w,g-w'
+        ansible.builtin.file:
+            path: '{{ item }}'
+            follow: true
+            state: directory
+            owner: root
+            mode: 'o-w,g-w'
         with_items: "{{ rhel8cis_6_2_7_dot_in_path.stdout_lines }}"
   when:
       - rhel8cis_rule_6_2_7

tasks/verify.yml

@@ -16,4 +16,4 @@
           /usr/share/xml/scap/ssg/content/ssg-almalinux8-ds.xml
   changed_when: true
   no_log: false
-  ignore_errors: true
+  ignore_errors: true  # noqa: ignore-errors