consistent command and shell usage

Signed-off-by: Thomas Sjögren <[email protected]>

handlers/main.yml

@@ -11,7 +11,8 @@
 # https://github.com/ansible/ansible/issues/22171
 - name: Restart RedHat auditd # noqa command-instead-of-module
   become: true
-  ansible.builtin.command: service auditd restart
+  ansible.builtin.command:
+    cmd: service auditd restart
   register: service_auditd_restart
   changed_when: service_auditd_restart.rc == 0
   when: ansible_os_family == "RedHat"
@@ -20,7 +21,8 @@
 
 - name: Generate auditd rules
   become: true
-  ansible.builtin.command: augenrules
+  ansible.builtin.command:
+    cmd: augenrules
   register: augenrules_handler
   changed_when: augenrules_handler.rc == 0
 
@@ -37,7 +39,8 @@
 
 - name: Run rkhunter propupd
   become: true
-  ansible.builtin.command: rkhunter --propupd
+  ansible.builtin.command:
+    cmd: rkhunter --propupd
   register: rkhunter_propupd
   changed_when: rkhunter_propupd.rc == 0
 
@@ -137,19 +140,22 @@
   environment:
     PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
   become: true
-  ansible.builtin.command: create-cracklib-dict /usr/share/dict/*
+  ansible.builtin.command:
+    cmd: create-cracklib-dict /usr/share/dict/*
   register: update_redhat_cracklib
   changed_when: update_redhat_cracklib.rc == 0
   when: ansible_os_family == "RedHat"
 
 - name: Update GRUB
   become: true
-  ansible.builtin.command: update-grub
+  ansible.builtin.command:
+    cmd: update-grub
   register: update_grub
   changed_when: update_grub.rc == 0
 
 - name: Update GRUB2
   become: true
-  ansible.builtin.command: grub2-mkconfig
+  ansible.builtin.command:
+    cmd: grub2-mkconfig
   register: update_grub2
   changed_when: update_grub2.rc == 0

molecule/default/verify.yml

@@ -416,7 +416,8 @@
       become: true
       environment:
         PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
-      ansible.builtin.command: sshd -T
+      ansible.builtin.command:
+        cmd: sshd -T
       check_mode: false
       register: sshd_config
       changed_when: false
@@ -888,7 +889,8 @@
     - name: Verify wireless state
       environment:
         PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
-      ansible.builtin.command: nmcli -t radio
+      ansible.builtin.command:
+        cmd: nmcli -t radio
       register: wireless_state
       changed_when: not 'disabled' in wireless_state.stdout
       failed_when: not 'disabled' in wireless_state.stdout
@@ -924,7 +926,8 @@
       block:
         - name: Aide config check
           become: true
-          ansible.builtin.command: aide --config-check --config="{{ '/etc/aide/aide.conf' if ansible_os_family == 'Debian' else '/etc/aide.conf' }}"
+          ansible.builtin.command:
+            cmd: aide --config-check --config="{{ '/etc/aide/aide.conf' if ansible_os_family == 'Debian' else '/etc/aide.conf' }}"
           register: aide_config
           changed_when: false
           failed_when: aide_config.rc != 0

tasks/apparmor.yml

@@ -36,7 +36,8 @@
   become: true
   environment:
     PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
-  ansible.builtin.command: aa-status --complaining
+  ansible.builtin.command:
+    cmd: aa-status --complaining
   register: get_apparmor_complaining
   changed_when: get_apparmor_complaining.stdout != "0"
   when: ansible_os_family == "Debian"

tasks/compilers.yml

@@ -26,7 +26,8 @@
 
 - name: Ensure restrict compilers access via dpkg-statoverride
   become: true
-  ansible.builtin.command: dpkg-statoverride --update --force-all --add root root 0750 "{{ item.path }}"
+  ansible.builtin.command:
+    cmd: dpkg-statoverride --update --force-all --add root root 0750 "{{ item.path }}"
   register: dpkg_statoverride
   changed_when: dpkg_statoverride.rc != 0
   loop: "{{ compiler.files }}"

tasks/compilers_dnf_post_transaction_actions_plugin.yml

@@ -5,7 +5,8 @@
   block:
     - name: Get package name rpm of binary file {{ item }}
       become: true
-      ansible.builtin.command: rpm --query --queryformat='%{NAME}' --file {{ item }} # noqa command-instead-of-module
+      ansible.builtin.command:
+        cmd: rpm --query --queryformat='%{NAME}' --file {{ item }} # noqa command-instead-of-module
       register: compiler_package
       changed_when: compiler_package.rc != 0
       check_mode: false

tasks/disablemod.yml

@@ -24,9 +24,10 @@
 - name: Stat blacklisted kernel modules
   environment:
     PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
-  ansible.builtin.shell: |
-    set -o pipefail
-    modprobe -c | grep -o '^blacklist .*' | awk '{print $2}'
+  ansible.builtin.shell:
+    cmd: |
+      set -o pipefail
+      modprobe -c | grep -o '^blacklist .*' | awk '{print $2}'
   args:
     executable: /bin/bash
   changed_when: false

tasks/disablewireless.yml

@@ -12,14 +12,16 @@
       when: ansible_os_family == "Debian"
 
     - name: Get WiFi state
-      ansible.builtin.command: nmcli -t radio
+      ansible.builtin.command:
+        cmd: nmcli -t radio
       register: wifi_state_pre
       changed_when: wifi_state_pre.rc != 0
       failed_when: wifi_state_pre.rc != 0
 
     - name: Turn off wireless interfaces
       become: true
-      ansible.builtin.command: nmcli radio all off
+      ansible.builtin.command:
+        cmd: nmcli radio all off
       register: nmcli_radio
       changed_when: nmcli_radio.rc != 0
       failed_when: nmcli_radio.rc != 0

tasks/motdnews.yml

@@ -59,9 +59,10 @@
         - ubuntu-pro
 
     - name: Check apt_news status
-      ansible.builtin.shell: |
-        set -o pipefail
-        pro config show | grep '^apt_news.*False'
+      ansible.builtin.shell:
+        cmd: |
+          set -o pipefail
+          pro config show | grep '^apt_news.*False'
       args:
         executable: /bin/bash
       register: ubuntu_advantage_pro_state

tasks/post.yml

@@ -44,7 +44,8 @@
 
 - name: Stat Debian auditd GRUB settings
   become: true
-  ansible.builtin.shell: grep "linux.*{{ grub_audit_cmdline }} {{ grub_audit_backlog_cmdline }}" /boot/grub/grub.cfg
+  ansible.builtin.shell:
+    cmd: grep "linux.*{{ grub_audit_cmdline }} {{ grub_audit_backlog_cmdline }}" /boot/grub/grub.cfg
   changed_when: false
   failed_when: audit_grub_cfg.rc > 1
   register: audit_grub_cfg

tasks/pre.yml

@@ -1,7 +1,8 @@
 ---
 - name: Update subscription info on RHEL
   become: true
-  ansible.builtin.command: subscription-manager refresh --force
+  ansible.builtin.command:
+    cmd: subscription-manager refresh --force
   changed_when: false
   when: ansible_distribution == "RedHat"
   tags:

tasks/sshconfig.yml

@@ -40,7 +40,8 @@
 
 - name: Get sshd Include config
   become: true
-  ansible.builtin.command: grep -E "^Include " /etc/ssh/sshd_config
+  ansible.builtin.command:
+    cmd: grep -E "^Include " /etc/ssh/sshd_config
   register: grep_include
   changed_when: false
   failed_when: false

tasks/suid.yml

@@ -6,8 +6,8 @@
     - CIS-UBUNTU2004-6.1.14
   block:
     - name: Find possible suid binaries
-      ansible.builtin.shell: |
-        command -v "{{ item }}"
+      ansible.builtin.shell:
+        cmd: command -v "{{ item }}"
       args:
         executable: /bin/bash
       loop:

tasks/ufw.yml

@@ -91,9 +91,10 @@
 
 - name: Stat UFW rules
   become: true
-  ansible.builtin.shell: |
-    set -o pipefail
-    ufw show added | grep '^ufw' | grep -v "'ansible\smanaged'" | sed 's/ufw //g'
+  ansible.builtin.shell:
+    cmd: |
+      set -o pipefail
+      ufw show added | grep '^ufw' | grep -v "'ansible\smanaged'" | sed 's/ufw //g'
   args:
     executable: /bin/bash
   failed_when: ufw_not_managed.rc > 1