From 003b1a7d081f17517a9bc4ef36026f0602c91eb9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Thomas=20Sj=C3=B6gren?=
Date: Wed, 3 Jan 2024 23:28:45 +0000
Subject: [PATCH] consistent command and shell usage
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Thomas Sjögren
---
 handlers/main.yml | 18 ++++++++++++------
 molecule/default/verify.yml | 9 ++++++---
 tasks/apparmor.yml | 3 ++-
 tasks/compilers.yml | 3 ++-
 ...ers_dnf_post_transaction_actions_plugin.yml | 3 ++-
 tasks/disablemod.yml | 7 ++++---
 tasks/disablewireless.yml | 6 ++++--
 tasks/motdnews.yml | 7 ++++---
 tasks/post.yml | 3 ++-
 tasks/pre.yml | 3 ++-
 tasks/sshconfig.yml | 3 ++-
 tasks/suid.yml | 4 ++--
 tasks/ufw.yml | 7 ++++---
 13 files changed, 48 insertions(+), 28 deletions(-)
diff --git a/handlers/main.yml b/handlers/main.yml
index e126b67f..c5bab046 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -11,7 +11,8 @@
 # https://github.com/ansible/ansible/issues/22171
 - name: Restart RedHat auditd # noqa command-instead-of-module
 become: true
- ansible.builtin.command: service auditd restart
+ ansible.builtin.command:
+ cmd: service auditd restart
 register: service_auditd_restart
 changed_when: service_auditd_restart.rc == 0
 when: ansible_os_family == "RedHat"
@@ -20,7 +21,8 @@
 - name: Generate auditd rules
 become: true
- ansible.builtin.command: augenrules
+ ansible.builtin.command:
+ cmd: augenrules
 register: augenrules_handler
 changed_when: augenrules_handler.rc == 0
@@ -37,7 +39,8 @@
 - name: Run rkhunter propupd
 become: true
- ansible.builtin.command: rkhunter --propupd
+ ansible.builtin.command:
+ cmd: rkhunter --propupd
 register: rkhunter_propupd
 changed_when: rkhunter_propupd.rc == 0
@@ -137,19 +140,22 @@
 environment:
 PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 become: true
- ansible.builtin.command: create-cracklib-dict /usr/share/dict/*
+ ansible.builtin.command:
+ cmd: create-cracklib-dict /usr/share/dict/*
 register: update_redhat_cracklib
 changed_when: update_redhat_cracklib.rc == 0
 when: ansible_os_family == "RedHat"
 - name: Update GRUB
 become: true
- ansible.builtin.command: update-grub
+ ansible.builtin.command:
+ cmd: update-grub
 register: update_grub
 changed_when: update_grub.rc == 0
 - name: Update GRUB2
 become: true
- ansible.builtin.command: grub2-mkconfig
+ ansible.builtin.command:
+ cmd: grub2-mkconfig
 register: update_grub2
 changed_when: update_grub2.rc == 0
diff --git a/molecule/default/verify.yml b/molecule/default/verify.yml
index ce4af4cb..88702455 100644
--- a/molecule/default/verify.yml
+++ b/molecule/default/verify.yml
@@ -416,7 +416,8 @@
 become: true
 environment:
 PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- ansible.builtin.command: sshd -T
+ ansible.builtin.command:
+ cmd: sshd -T
 check_mode: false
 register: sshd_config
 changed_when: false
@@ -888,7 +889,8 @@
 - name: Verify wireless state
 environment:
 PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- ansible.builtin.command: nmcli -t radio
+ ansible.builtin.command:
+ cmd: nmcli -t radio
 register: wireless_state
 changed_when: not 'disabled' in wireless_state.stdout
 failed_when: not 'disabled' in wireless_state.stdout
@@ -924,7 +926,8 @@
 block:
 - name: Aide config check
 become: true
- ansible.builtin.command: aide --config-check --config="{{ '/etc/aide/aide.conf' if ansible_os_family == 'Debian' else '/etc/aide.conf' }}"
+ ansible.builtin.command:
+ cmd: aide --config-check --config="{{ '/etc/aide/aide.conf' if ansible_os_family == 'Debian' else '/etc/aide.conf' }}"
 register: aide_config
 changed_when: false
 failed_when: aide_config.rc != 0
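Review bot: `cmd: create-cracklib-dict /usr/share/dict/*` keeps a shell glob inside an `ansible.builtin.command` call, and the command module does not run the line through a shell, so `/usr/share/dict/*` reaches create-cracklib-dict as a literal argument unless that script expands it on its own. If the wildcard is intended, this handler should use `ansible.builtin.shell` with the same `cmd:`, or the dictionary files should be listed with `ansible.builtin.find` and passed explicitly; as written the handler likely fails or builds an empty dictionary. The handler opens outside the hunk (only its `environment:` and `become:` keys are visible), so its name and any `failed_when` cannot be checked here. The two GRUB handlers in the same hunk carry no shell syntax and are fine as command calls.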
diff --git a/tasks/apparmor.yml b/tasks/apparmor.yml
index 4a056b13..cbefc12d 100644
--- a/tasks/apparmor.yml
+++ b/tasks/apparmor.yml
@@ -36,7 +36,8 @@
 become: true
 environment:
 PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- ansible.builtin.command: aa-status --complaining
+ ansible.builtin.command:
+ cmd: aa-status --complaining
 register: get_apparmor_complaining
 changed_when: get_apparmor_complaining.stdout != "0"
 when: ansible_os_family == "Debian"
diff --git a/tasks/compilers.yml b/tasks/compilers.yml
index d363ae6c..fd50511f 100644
--- a/tasks/compilers.yml
+++ b/tasks/compilers.yml
@@ -26,7 +26,8 @@
 - name: Ensure restrict compilers access via dpkg-statoverride
 become: true
- ansible.builtin.command: dpkg-statoverride --update --force-all --add root root 0750 "{{ item.path }}"
+ ansible.builtin.command:
+ cmd: dpkg-statoverride --update --force-all --add root root 0750 "{{ item.path }}"
 register: dpkg_statoverride
 changed_when: dpkg_statoverride.rc != 0
 loop: "{{ compiler.files }}"
diff --git a/tasks/compilers_dnf_post_transaction_actions_plugin.yml b/tasks/compilers_dnf_post_transaction_actions_plugin.yml
index ca1c393d..a9a5dcea 100644
--- a/tasks/compilers_dnf_post_transaction_actions_plugin.yml
+++ b/tasks/compilers_dnf_post_transaction_actions_plugin.yml
@@ -5,7 +5,8 @@
 block:
 - name: Get package name rpm of binary file {{ item }}
 become: true
- ansible.builtin.command: rpm --query --queryformat='%{NAME}' --file {{ item }} # noqa command-instead-of-module
+ ansible.builtin.command:
+ cmd: rpm --query --queryformat='%{NAME}' --file {{ item }} # noqa command-instead-of-module
 register: compiler_package
 changed_when: compiler_package.rc != 0
 check_mode: false
diff --git a/tasks/disablemod.yml b/tasks/disablemod.yml
index b747b3f6..c5316513 100644
--- a/tasks/disablemod.yml
+++ b/tasks/disablemod.yml
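Review bot: In the compilers_dnf_post_transaction_actions_plugin.yml hunk, the new `cmd: rpm --query --queryformat='%{NAME}' --file {{ item }} # noqa command-instead-of-module` leaves the templated path unquoted, while the compilers.yml hunk in this same commit writes `"{{ item.path }}"`; the command module splits its `cmd` string with shell-style tokenizing, so a path containing whitespace would become several arguments. For consistency with compilers.yml, write `cmd: rpm --query --queryformat='%{NAME}' --file "{{ item }}" # noqa command-instead-of-module`. The loop that supplies `item` lies outside the hunk, so whether such paths can occur cannot be confirmed here.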
@@ -24,9 +24,10 @@
 - name: Stat blacklisted kernel modules
 environment:
 PATH: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
- ansible.builtin.shell: |
- set -o pipefail
- modprobe -c | grep -o '^blacklist .*' | awk '{print $2}'
+ ansible.builtin.shell:
+ cmd: |
+ set -o pipefail
+ modprobe -c | grep -o '^blacklist .*' | awk '{print $2}'
 args:
 executable: /bin/bash
 changed_when: false
diff --git a/tasks/disablewireless.yml b/tasks/disablewireless.yml
index 44bd1662..3ece5f21 100644
--- a/tasks/disablewireless.yml
+++ b/tasks/disablewireless.yml
@@ -12,14 +12,16 @@
 when: ansible_os_family == "Debian"
 - name: Get WiFi state
- ansible.builtin.command: nmcli -t radio
+ ansible.builtin.command:
+ cmd: nmcli -t radio
 register: wifi_state_pre
 changed_when: wifi_state_pre.rc != 0
 failed_when: wifi_state_pre.rc != 0
 - name: Turn off wireless interfaces
 become: true
- ansible.builtin.command: nmcli radio all off
+ ansible.builtin.command:
+ cmd: nmcli radio all off
 register: nmcli_radio
 changed_when: nmcli_radio.rc != 0
 failed_when: nmcli_radio.rc != 0
diff --git a/tasks/motdnews.yml b/tasks/motdnews.yml
index f66cebd2..de318845 100644
--- a/tasks/motdnews.yml
+++ b/tasks/motdnews.yml
@@ -59,9 +59,10 @@
 - ubuntu-pro
 - name: Check apt_news status
- ansible.builtin.shell: |
- set -o pipefail
- pro config show | grep '^apt_news.*False'
+ ansible.builtin.shell:
+ cmd: |
+ set -o pipefail
+ pro config show | grep '^apt_news.*False'
 args:
 executable: /bin/bash
 register: ubuntu_advantage_pro_state
diff --git a/tasks/post.yml b/tasks/post.yml
index 83289fe7..7bd60421 100644
--- a/tasks/post.yml
+++ b/tasks/post.yml
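Review bot: The rewritten `ansible.builtin.shell:` mapping in disablemod.yml still keeps `executable: /bin/bash` in a separate `args:` block; now that `cmd:` is a key of the module mapping, `executable` belongs beside it, which is the consistency this commit is after and removes the split between module arguments and `args:`. Concretely, move `executable: /bin/bash` up under `ansible.builtin.shell:` next to `cmd:` and drop the `args:` line; the `set -o pipefail` in the script still depends on that bash executable, so it must not be lost. The same pattern remains in the motdnews.yml hunk below and in the suid.yml and ufw.yml hunks. The disablemod task appears to continue past the hunk (no `register:` is visible), so its remaining keys were not reviewed.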
@@ -44,7 +44,8 @@
 - name: Stat Debian auditd GRUB settings
 become: true
- ansible.builtin.shell: grep "linux.*{{ grub_audit_cmdline }} {{ grub_audit_backlog_cmdline }}" /boot/grub/grub.cfg
+ ansible.builtin.shell:
+ cmd: grep "linux.*{{ grub_audit_cmdline }} {{ grub_audit_backlog_cmdline }}" /boot/grub/grub.cfg
 changed_when: false
 failed_when: audit_grub_cfg.rc > 1
 register: audit_grub_cfg
diff --git a/tasks/pre.yml b/tasks/pre.yml
index d70f53c2..1aa6cd1b 100644
--- a/tasks/pre.yml
+++ b/tasks/pre.yml
@@ -1,7 +1,8 @@
 ---
 - name: Update subscription info on RHEL
 become: true
- ansible.builtin.command: subscription-manager refresh --force
+ ansible.builtin.command:
+ cmd: subscription-manager refresh --force
 changed_when: false
 when: ansible_distribution == "RedHat"
 tags:
diff --git a/tasks/sshconfig.yml b/tasks/sshconfig.yml
index 02855a8e..3a6efe80 100644
--- a/tasks/sshconfig.yml
+++ b/tasks/sshconfig.yml
@@ -40,7 +40,8 @@
 - name: Get sshd Include config
 become: true
- ansible.builtin.command: grep -E "^Include " /etc/ssh/sshd_config
+ ansible.builtin.command:
+ cmd: grep -E "^Include " /etc/ssh/sshd_config
 register: grep_include
 changed_when: false
 failed_when: false
diff --git a/tasks/suid.yml b/tasks/suid.yml
index d42a24ee..d765ccef 100644
--- a/tasks/suid.yml
+++ b/tasks/suid.yml
@@ -6,8 +6,8 @@
 - CIS-UBUNTU2004-6.1.14
 block:
 - name: Find possible suid binaries
- ansible.builtin.shell: |
- command -v "{{ item }}"
+ ansible.builtin.shell:
+ cmd: command -v "{{ item }}"
 args:
 executable: /bin/bash
 loop:
diff --git a/tasks/ufw.yml b/tasks/ufw.yml
index a061b32b..6240b534 100644
--- a/tasks/ufw.yml
+++ b/tasks/ufw.yml
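Review bot: The new `cmd: grep "linux.*{{ grub_audit_cmdline }} {{ grub_audit_backlog_cmdline }}" /boot/grub/grub.cfg` in post.yml still runs under `ansible.builtin.shell` although it uses no pipe, redirection or shell builtin, so this task is the one place the commit leaves inconsistent with the sibling read-only greps (`grep -E "^Include "` in sshconfig.yml, `sshd -T` in verify.yml) that use `ansible.builtin.command`; ansible-lint's command-instead-of-shell rule reports exactly this form. Changing the module line to `ansible.builtin.command:` with the same `cmd:` also stops the two templated variables from being re-interpreted by a shell, and the existing `failed_when: audit_grub_cfg.rc > 1` already tolerates grep's exit code 1 on no match. The suid.yml hunk on this line is different: `command -v` is a shell builtin, so `ansible.builtin.shell` is required there and the single-line `cmd:` is correct. The post.yml task may continue past the hunk, so any trailing `when:` or `tags:` were not reviewed.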
@@ -91,9 +91,10 @@
 - name: Stat UFW rules
 become: true
- ansible.builtin.shell: |
- set -o pipefail
- ufw show added | grep '^ufw' | grep -v "'ansible\smanaged'" | sed 's/ufw //g'
+ ansible.builtin.shell:
+ cmd: |
+ set -o pipefail
+ ufw show added | grep '^ufw' | grep -v "'ansible\smanaged'" | sed 's/ufw //g'
 args:
 executable: /bin/bash
 failed_when: ufw_not_managed.rc > 1