openstack/ansible-hardening
Code Issues Proposed changes

Remove warn argument for command/shell

Browse Source 
Since ansible-core 2.14 you can't use warn as module argument.

Instead, noqa should be used to instruct ansible-lint to
supress alerts.

Change-Id: Ie448fa182db8c1c9f64744ea72f27f285aa64366
This commit is contained in:
Dmitriy Rabotyagov 2023-06-30 15:05:50 +02:00
parent 037e5493b6
commit 2c7889852c
4 changed files with 6 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
handlers/main.yml
View File

@ -18,9 +18,7 @@
# NOTE(mhayden): It's not possible to use systemd to restart auditd on CentOS # NOTE(mhayden): It's not possible to use systemd to restart auditd on CentOS
# since it's a special service. Using the old service scripts is required. # since it's a special service. Using the old service scripts is required.
- name: restart auditd - name: restart auditd
command: service auditd restart command: service auditd restart # noqa: command-instead-of-module
args:
warn: no
- name: restart chrony - name: restart chrony
service: service:

4
tasks/rhel7stig/async_tasks.yml
View File

@ -16,9 +16,7 @@
# Multiple tasks will need the output of RPM verification, so let's do the # Multiple tasks will need the output of RPM verification, so let's do the
# lookup one time and then grep over the output in subsequent tasks. # lookup one time and then grep over the output in subsequent tasks.
- name: Verify all installed RPM packages - name: Verify all installed RPM packages
shell: "rpm -Va > {{ temp_dir }}/rpmverify.txt" shell: "rpm -Va > {{ temp_dir }}/rpmverify.txt" # noqa: command-instead-of-module
args:
warn: no
failed_when: False failed_when: False
changed_when: False changed_when: False
register: rpmverify_task register: rpmverify_task

4
tasks/rhel7stig/dnf.yml
View File

@ -46,9 +46,7 @@
# Fedora >= 26 has dnf-automatic-install.timer. We need to check for which one # Fedora >= 26 has dnf-automatic-install.timer. We need to check for which one
# exists on the system. # exists on the system.
- name: Check to see which dnf automatic timers are available - name: Check to see which dnf automatic timers are available
shell: "rpm -ql dnf-automatic | grep timer || true" shell: "rpm -ql dnf-automatic | grep timer || true" # noqa: command-instead-of-module
args:
warn: no
register: dnf_automatic_timers register: dnf_automatic_timers
check_mode: no check_mode: no
changed_when: False changed_when: False

14
tasks/rhel7stig/file_perms.yml
View File

@ -15,8 +15,6 @@
- name: V-71849 - Get packages with incorrect file permissions or ownership - name: V-71849 - Get packages with incorrect file permissions or ownership
shell: "grep '^.M' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'" # noqa risky-shell-pipe shell: "grep '^.M' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'" # noqa risky-shell-pipe
args:
warn: no
register: rpmverify_package_list register: rpmverify_package_list
changed_when: False changed_when: False
when: when:
@ -29,9 +27,7 @@
- V-71849 - V-71849
- name: V-71849 - Reset file permissions/ownership to vendor values - name: V-71849 - Reset file permissions/ownership to vendor values
shell: "rpm {{ item[0] }} `rpm -qf {{ item[1] }}`" shell: "rpm {{ item[0] }} `rpm -qf {{ item[1] }}`" # noqa: command-instead-of-shell command-instead-of-module risky-shell-pipe
args:
warn: no
changed_when: false changed_when: false
with_nested: with_nested:
- ['--setperms', '--setugids'] - ['--setperms', '--setugids']
@ -51,9 +47,7 @@
- skip_ansible_lint - skip_ansible_lint
- name: Search for files/directories with an invalid owner - name: Search for files/directories with an invalid owner
command: find / -xdev -nouser -fstype local command: find / -xdev -nouser -fstype local # noqa: command-instead-of-module
args:
warn: no
register: invalid_owner_files register: invalid_owner_files
changed_when: false changed_when: false
when: when:
@ -76,9 +70,7 @@
- V-72007 - V-72007
- name: Search for files/directories with an invalid group owner - name: Search for files/directories with an invalid group owner
command: find / -xdev -nogroup -fstype local command: find / -xdev -nogroup -fstype local # noqa: command-instead-of-module
args:
warn: no
register: invalid_group_owner_files register: invalid_group_owner_files
changed_when: false changed_when: false
when: when: