Replace debug with fail

Closes-bug: 1506185

Change-Id: I7d7c18d00eae1dac1a88e17c719d8603564bcc9a
Major Hayden 2015-10-14 14:29:04 -05:00
parent 90b6e48f21
commit 1775dab3c9
4 changed files with 14 additions and 19 deletions


@ -24,7 +24,7 @@
changed_when: "v38476_result.rc != 0"
- name: V-38476 - Vendor-provided cryptographic certificates must be installed to verify the integrity of system software.
debug:
fail:
msg: "FAILED: Missing Ubuntu 14.04 Archive signing keys"
when: "'437D05B5' not in v38476_result.stdout or 'C0B21F32' not in v38476_result.stdout"
tags:
@ -43,15 +43,14 @@
- name: Search for AllowUnauthenticated in /etc/apt/apt.conf.d/ (for V-38462)
command: grep -r AllowUnauthenticated /etc/apt/apt.conf.d/
register: v38462_result
failed_when: "'No such file' in v38462_result.stderr"
changed_when: "v38462_result.rc == 0"
changed_when: False
tags:
- auth
- cat1
- V-38462
- name: V-38462 - Package management tool must verify authenticity of packages
debug:
fail:
msg: "FAILED: Remove AllowUnauthenticated from files in /etc/apt/apt.conf.d/ to ensure packages are verified."
when: "v38462_result.rc == 0"
tags:
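Review bot: With `failed_when` dropped from the V-38462 search task, `command: grep -r AllowUnauthenticated /etc/apt/apt.conf.d/` will fail the play on every compliant host, because grep exits 1 when nothing matches and the command module treats any non-zero rc as a failure unless told otherwise. The side of each line is inferred from the hunk counts (15 old, 14 new), so confirm that `failed_when` is the removed line; if so, keep an explicit condition such as `failed_when: v38462_result.rc == 2` (grep's error status) so that only real errors fail the task. The same pattern appears in the V-38497 `grep nullok` hunk and the V-38599 `dpkg --status vsftpd` hunk, both of which exit 1 in the compliant case. The task's tags list continues outside the hunk.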


@ -62,8 +62,7 @@
- name: V-38497 - The system must not have accounts configured with blank or null passwords.
command: grep nullok /etc/pam.d/common-auth
register: v38497_result
changed_when: v38497_result.rc != 0
failed_when: "'No such file' in v38497_result.stderr"
changed_when: False
tags:
- auth
- cat1
@ -72,7 +71,7 @@
# Print a warning about making a change. We ought to figure out a better way
# to capture this later.
- name: V-38497 - The system must not have accounts configured with blank or null passwords.
debug:
fail:
msg: "FAILED: Remove 'nullok' from /etc/pam.d/system-auth for better security."
when: "v38497_result.rc == 0"
tags:
@ -101,7 +100,7 @@
- V-38491
- name: V-38491 - No .rhosts or hosts.equiv present on system
debug:
fail:
msg: "FAILED: Remove all .rhosts and hosts.equiv files"
when: v38491_equiv_check.stat.exists == True or v38491_rhosts_check.stat.exists == True
tags:
@ -132,15 +131,14 @@
- name: Search /etc/passwd for password hashes (for V-38499)
shell: "awk -F: '($2 != \"x\") {print}' /etc/passwd | wc -l"
register: v38499_result
changed_when: "v38499_result.stdout != '0'"
failed_when: "'No such file' in v38499_result.stderr"
changed_when: False
tags:
- auth
- cat2
- V-38499
- name: V-38499 - The /etc/passwd file must not contain password hashes
debug:
fail:
msg: "FAILED: Remove password hashes from /etc/password to remediate"
when: "v38499_result.stdout != '0'"
tags:
@ -178,8 +176,7 @@
- name: Check if vsftpd installed (for V-38599)
shell: dpkg --status vsftpd
register: v38599_result
changed_when: v38599_result.rc == 0
failed_when: v38599_result.rc > 1
changed_when: False
tags:
- auth
- cat2
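Review bot: The V-38497 failure message still points the operator at `/etc/pam.d/system-auth` while the check on the same task greps `/etc/pam.d/common-auth`, so a finding now aborts the play with instructions for a file that the check never looked at; change it to `msg: "FAILED: Remove 'nullok' from /etc/pam.d/common-auth for better security."`. Likewise the V-38499 message names `/etc/password` where the check reads `/etc/passwd`. These lines appear to be unchanged context, but since `fail` now halts the run on them, their text is the only remediation guidance the operator receives. Each task's tags list continues outside the hunk.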


@ -24,14 +24,13 @@
- name: Search for .netrc files (for V-38619)
shell: find /root /home -xdev -name .netrc | wc -l
register: v38619_result
changed_when: v38619_result.rc != 0
failed_when: "'No such file' in v38619_result.stdout"
changed_when: False
tags:
- cat2
- V-38619
- name: V-38619 - There must be no .netrc files on the system
debug:
fail:
msg: "FAILED: .netrc files found -- they must be removed"
when: v38619_result.stdout != '0'
tags:
@ -86,7 +85,7 @@
- V-38624
- name: V-38624 - System logs must be rotated daily (verify cron job)
debug:
fail:
msg: "FAILED: Cron job for logrotate is missing"
when: v38624_result.stat.exists == False
tags:
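Review bot: The V-38619 search `shell: find /root /home -xdev -name .netrc | wc -l` returns the pipeline's exit status, which is wc's, so a find error (unreadable or missing directory) goes to stderr, stdout becomes `0`, and the following `fail` task treats the host as compliant. The removed `failed_when` compared stdout against `'No such file'`, which wc never emits, so this was already unchecked; if the side assignment is as the counts suggest, consider `failed_when: v38619_result.stderr != ''` or running the pipeline under `set -o pipefail`. The task's tags list continues outside the hunk.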


@ -36,7 +36,7 @@
- V-38460
- name: V-38460 - The NFS server must not have the all_squash option enabled
debug:
fail:
msg: "FAILED: Remove all_squash from /etc/exports"
changed_when: v38460_result.rc == 0
when: exports.stat.exists and v38460_result.rc == 0
@ -56,7 +56,7 @@
- V-38677
- name: V-38677 - The NFS server must not have the insecure_locks option enabled
debug:
fail:
msg: "FAILED: Remove insecure_locks from /etc/exports"
changed_when: v38677_result.rc == 0
when: exports.stat.exists and v38677_result.rc == 0
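Review bot: `changed_when: v38460_result.rc == 0` on the V-38460 task, and the matching line on V-38677, no longer has any effect once `debug` becomes `fail`: the task either skips or fails, and a failed task never reports changed, so the condition is dead. These lines appear to be unchanged context; drop both `changed_when` lines so each task reads `fail:` / `msg:` / `when:` only. The surrounding task definitions start and end outside the hunk.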