Fix linting issues for ansible-lint 3.4.1

Preparing this role for the ansible-lint version bump

Change-Id: Iac181e2de70b947564892a9ebb5685b02d945e3f

tasks/rhel6stig/aide.yml

@@ -63,7 +63,8 @@
     - always
 
 - name: V-38489 - Initialize AIDE (this will take a few minutes)
-  shell: "aideinit"
+  command: "aideinit"
+  changed_when: false
   register: aide_init
   when:
     - aide_conf.stat.exists | bool
@@ -78,7 +79,8 @@
 # copies the new AIDE database into place automatically with its AIDE wrapper
 # script.
 - name: V-38489 - Move AIDE database into place
-  shell: "mv /var/lib/aide/aide.db.new.gz {{ aide_database_file }}"
+  command: "mv /var/lib/aide/aide.db.new.gz {{ aide_database_file }}"
+  changed_when: false
   when:
     - aide_init | changed
     - ansible_os_family | lower == 'redhat'

tasks/rhel6stig/auditd.yml

@@ -109,7 +109,7 @@
 # returns 2 otherwise. We also will check to see if auditd has been installed
 # and fail if it's not installed.
 - name: Checking auditd package contents for alterations with debsums (for V-38637)
-  shell: debsums auditd -c
+  command: debsums auditd -c
   register: v38637_result
   changed_when: False
   failed_when: "'not installed' in v38637_result.stdout"
@@ -253,7 +253,7 @@
 # avoid using the shell module to get a list of logs. This task should be
 # adjusted to use the find module when Ansible 2.0 is fully released.
 - name: Get a list of audit logs in the auditd directory (for V-38498)
-  shell: ls /var/log/audit/
+  command: ls /var/log/audit/
   register: v38498_result
   changed_when: false
   when: auditd_log_dir.stat.exists | bool

tasks/rhel6stig/auth.yml

@@ -307,7 +307,7 @@
 # SHA512 is the minimum requirement and it happens to be Ubuntu 14.04's default
 # hashing algorithm as well.
 - name: Check password hashing algorithm used by PAM (for V-38574)
-  shell: "grep '^\\s*password.*pam_unix.*sha512' {{ pam_password_file }}"
+  command: "grep '^\\s*password.*pam_unix.*sha512' {{ pam_password_file }}"
   register: v38574_result
   changed_when: False
   failed_when: False
@@ -328,7 +328,7 @@
     - V-38574
 
 - name: Check password hashing algorithm used in login.defs (for V-38576)
-  shell: "grep '^ENCRYPT_METHOD.*SHA512' /etc/login.defs"
+  command: "grep '^ENCRYPT_METHOD.*SHA512' /etc/login.defs"
   register: v38576_result
   changed_when: v38576_result.rc != 0
   always_run: True
@@ -363,7 +363,7 @@
 
 # Only look at libuser.conf when we are sure that libuser is installed
 - name: If libuser is installed, verify hashing algorithm in use (for V-38577)
-  shell: "grep '^crypt_style = sha512' /etc/libuser.conf"
+  command: "grep '^crypt_style = sha512' /etc/libuser.conf"
   register: v38577_result
   when: v38577_libuser_check.rc == 0
   changed_when: v38577_result.rc != 0
@@ -433,11 +433,11 @@
     - cat3
     - V-38683
 
-# This should be updated to use the find module when Ansible 2.0 is available.
 - name: Search for sudoers files (for V-58901)
-  shell: find /etc/sudoers* -type f
+  find:
+    paths: "/etc/sudoers*"
+    file_type: file
   register: v58901_result
-  changed_when: False
   always_run: True
   tags:
     - auth
@@ -447,8 +447,9 @@
 # The lineinfile module can't be used here since we may need to comment out
 # multiple lines.
 - name: Comment out sudoers lines with NOPASSWD present (for V-58901)
-  shell: "sed -e '/NOPASSWD/ s/^#*/#/' -i {{ item }}"
-  with_items: "{{ v58901_result.stdout_lines | default([]) }}"
+  command: "sed -e '/NOPASSWD/ s/^#*/#/' -i {{ item.path }}"
+  changed_when: false
+  with_items: "{{ v58901_result.files | default([]) }}"
   when: security_sudoers_remove_nopasswd | bool
   tags:
     - auth
@@ -458,8 +459,9 @@
 # The lineinfile module can't be used here since we may need to comment out
 # multiple lines.
 - name: Comment out sudoers lines with !authenticate present (for V-58901)
-  shell: "sed -e '/!authenticate/ s/^#*/#/' -i {{ item }}"
-  with_items: "{{ v58901_result.stdout_lines | default([]) }}"
+  command: "sed -e '/!authenticate/ s/^#*/#/' -i {{ item.path }}"
+  changed_when: false
+  with_items: "{{ v58901_result.files | default([]) }}"
   when: security_sudoers_remove_authenticate | bool
   tags:
     - auth

tasks/rhel6stig/misc.yml

@@ -342,7 +342,7 @@
     - V-38674
 
 - name: V-38674 - X Windows must not be enabled (systemd)
-  shell: "systemctl set-default multi-user.target"
+  command: "systemctl set-default multi-user.target"
   register: systemctl_default_target
   changed_when: "'Created symlink' in systemctl_default_target.stdout"
   when:
@@ -353,7 +353,7 @@
     - V-38674
 
 - name: Check for unlabeled device files (for V-51379)
-  shell: "find /dev -context '*unlabeled_t*'"
+  command: "find /dev -context '*unlabeled_t*'"
   register: v51379_unlabeled_devices
   changed_when: False
   always_run: True

tasks/rhel6stig/nfsd.yml

@@ -26,7 +26,7 @@
     - cat3
 
 - name: Check if 'all_squash' appears in /etc/exports (for V-38460)
-  shell: grep all_squash /etc/exports
+  command: grep all_squash /etc/exports
   register: v38460_result
   changed_when: v38460_result | success
   failed_when: False
@@ -50,7 +50,7 @@
     - V-38460
 
 - name: Check if 'insecure_locks' appears in /etc/exports (for V-38677)
-  shell: grep insecure_locks /etc/exports
+  command: grep insecure_locks /etc/exports
   register: v38677_result
   changed_when: v38677_result | success
   failed_when: False

tasks/rhel6stig/services.yml

@@ -14,7 +14,7 @@
 # limitations under the License.
 
 - name: Generate list of services_installed
-  shell: "find /etc/init.d/ -printf '%f\n'"
+  command: "find /etc/init.d/ -printf '%f\n'"
   register: sysv_services_installed
   changed_when: false
   always_run: True

tasks/rhel7stig/file_perms.yml

@@ -31,6 +31,7 @@
   shell: "rpm {{ item[0] }} `rpm -qf {{ item[1] }}`"
   args:
     warn: no
+  changed_when: false
   with_nested:
     - ['--setperms', '--setugids']
     - "{{ rhel_07_010010_packages.stdout_lines | default([]) }}"
@@ -42,3 +43,5 @@
   tags:
     - high
     - RHEL-07-010010
+    # don't trigger ANSIBLE0013
+    - skip_ansible_lint