Merge pull request #321 from anzoman/steampunk-spotter-fixes

Task validation fixes (by Steampunk Spotter)
ansible-lockdown · Sep 15, 2023 · 21614a6 · 21614a6
2 parents 9e820c6 + aa610ce
commit 21614a6
Show file tree

Hide file tree

Showing 6 changed files with 8 additions and 9 deletions.
diff --git a/tasks/check_prereqs.yml b/tasks/check_prereqs.yml
@@ -2,7 +2,7 @@
 
 - name: "PREREQ | Check required packages installed | Python2"
   ansible.builtin.package:
-      list: "{{ item }}"
+      name: "{{ item }}"
       state: present
   loop:
       - rpm-python

diff --git a/tasks/pre_remediation_audit.yml b/tasks/pre_remediation_audit.yml
@@ -66,9 +66,8 @@
 
       - name: Pre Audit Setup | If audit ensure goss is available
         ansible.builtin.assert:
+            that: goss_available.stat.exists
             msg: "Audit has been selected: unable to find goss binary at {{ audit_bin }}"
-        when:
-            - not goss_available.stat.exists
   when:
       - run_audit
 

diff --git a/tasks/section_1/cis_1.2.x.yml b/tasks/section_1/cis_1.2.x.yml
@@ -74,7 +74,7 @@
       - rule_1.2.4
 
 - name: "1.2.5 | PATCH | Disable the rhnsd Daemon"
-  ansible.builtin.service:
+  ansible.builtin.systemd:
       name: rhnsd
       state: stopped
       enabled: false

diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml
@@ -3,7 +3,7 @@
 - name: "5.5.2 | PATCH | Ensure system accounts are secured"
   block:
       - name: "5.5.2 | PATCH | Ensure system accounts are secured | Set nologin"
-        user:
+        ansible.builtin.user:
             name: "{{ item.id }}"
             shell: /usr/sbin/nologin
         loop: "{{ rhel7cis_passwd }}"
@@ -19,7 +19,7 @@
             - item.shell != "      /usr/sbin/nologin"
 
       - name: "5.5.2 | PATCH | Ensure system accounts are secured | Lock accounts"
-        user:
+        ansible.builtin.user:
             name: "{{ item.id }}"
             password_lock: true
         loop: "{{ rhel7cis_passwd }}"
@@ -42,7 +42,7 @@
       - rule_5.5.2
 
 - name: "5.5.3 | PATCH | Ensure default group for the root account is GID 0"
-  shell: usermod -g 0 root
+  ansible.builtin.shell: usermod -g 0 root
   changed_when: false
   failed_when: false
   when:

diff --git a/tasks/section_5/cis_5.7.yml b/tasks/section_5/cis_5.7.yml
@@ -10,7 +10,7 @@
             line: 'auth            required        pam_wheel.so use_uid {% if rhel7cis_sugroup is defined %}group={{ rhel7cis_sugroup }}{% endif %}'
 
       - name: "5.7 | PATCH | Ensure access to the su command is restricted | wheel group contains root"
-        ansible.builtin.group:
+        ansible.builtin.user:
             name: root
             groups: "{{ rhel7cis_sugroup }}"
         when:

diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml
@@ -10,7 +10,7 @@
             - rhel7cis_passwd | selectattr('password', '!=', 'x')
 
       - name: "6.2.1 | PATCH | Ensure accounts in /etc/passwd use shadow passwords | Good News"
-        debug:
+        ansible.builtin.debug:
             msg: "Good News!!  No Unshadowed passwords have been found"
         when: rhel7_6_2_1_shadow is not changed
   when: