From 566c2f0ce9a4e656ff7c6346fc6b501ea3bdaf9f Mon Sep 17 00:00:00 2001
From: Mark Bolwell <mark.bollyuk@gmail.com>
Date: Tue, 11 Jun 2024 16:22:01 +0100
Subject: [PATCH] Tidy up and lint

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
---
 tasks/section_1/cis_1.1.1.x.yml | 32 ++++++++++++++++----------------
 tasks/section_1/cis_1.3.x.yml   |  4 ++--
 tasks/section_1/cis_1.4.x.yml   |  4 ++--
 tasks/section_4/cis_4.5.2.x.yml |  2 +-
 tasks/section_5/cis_5.2.3.x.yml |  4 ++--
 5 files changed, 23 insertions(+), 23 deletions(-)

diff --git a/tasks/section_1/cis_1.1.1.x.yml b/tasks/section_1/cis_1.1.1.x.yml
index b67a6e7..b2021a4 100644
--- a/tasks/section_1/cis_1.1.1.x.yml
+++ b/tasks/section_1/cis_1.1.1.x.yml
@@ -14,7 +14,7 @@
   block:
       - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Edit modprobe config"
         ansible.builtin.lineinfile:
-            dest: /etc/modprobe.d/CIS.conf
+            path: /etc/modprobe.d/CIS.conf
             regexp: "^(#)?install cramfs(\\s|$)"
             line: "install cramfs /bin/true"
             create: true
@@ -22,7 +22,7 @@
 
       - name: "1.1.1.1 | PATCH | Ensure cramfs kernel module is not available | Edit modprobe config"
         ansible.builtin.lineinfile:
-            dest: /etc/modprobe.d/blacklist.conf
+            path: /etc/modprobe.d/blacklist.conf
             regexp: "^(#)?blacklist cramfs(\\s|$)"
             line: "blacklist cramfs"
             create: true
@@ -47,7 +47,7 @@
   block:
       - name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | Edit modprobe config"
         ansible.builtin.lineinfile:
-            dest: /etc/modprobe.d/CIS.conf
+            path: /etc/modprobe.d/CIS.conf
             regexp: "^(#)?install freevxfs(\\s|$)"
             line: "install freevxfs /bin/true"
             create: true
@@ -55,7 +55,7 @@
 
       - name: "1.1.1.2 | PATCH | Ensure freevxfs kernel module is not available | Edit modprobe config"
         ansible.builtin.lineinfile:
-            dest: /etc/modprobe.d/blacklist.conf
+            path: /etc/modprobe.d/blacklist.conf
             regexp: "^(#)?blacklist freevxfs(\\s|$)"
             line: "blacklist freevxfs"
             create: true
@@ -80,7 +80,7 @@
   block:
       - name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | Edit modprobe config"
         ansible.builtin.lineinfile:
-            dest: /etc/modprobe.d/CIS.conf
+            path: /etc/modprobe.d/CIS.conf
             regexp: "^(#)?install hfs(\\s|$)"
             line: "install hfs /bin/true"
             create: true
@@ -88,7 +88,7 @@
 
       - name: "1.1.1.3 | PATCH | Ensure hfs kernel module is not available | Edit modprobe config"
         ansible.builtin.lineinfile:
-            dest: /etc/modprobe.d/blacklist.conf
+            path: /etc/modprobe.d/blacklist.conf
             regexp: "^(#)?blacklist hfs(\\s|$)"
             line: "blacklist hfs"
             create: true
@@ -113,7 +113,7 @@
   block:
       - name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | Edit modprobe config"
         ansible.builtin.lineinfile:
-            dest: /etc/modprobe.d/CIS.conf
+            path: /etc/modprobe.d/CIS.conf
             regexp: "^(#)?install hfsplus(\\s|$)"
             line: "install hfsplus /bin/true"
             create: true
@@ -121,7 +121,7 @@
 
       - name: "1.1.1.4 | PATCH | Ensure hfsplus kernel module is not available | Edit modprobe config"
         ansible.builtin.lineinfile:
-            dest: /etc/modprobe.d/blacklist.conf
+            path: /etc/modprobe.d/blacklist.conf
             regexp: "^(#)?blacklist hfsplus(\\s|$)"
             line: "blacklist hfsplus"
             create: true
@@ -146,7 +146,7 @@
   block:
       - name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | Edit modprobe config"
         ansible.builtin.lineinfile:
-            dest: /etc/modprobe.d/CIS.conf
+            path: /etc/modprobe.d/CIS.conf
             regexp: "^(#)?install jffs2(\\s|$)"
             line: "install jffs2 /bin/true"
             create: true
@@ -154,7 +154,7 @@
 
       - name: "1.1.1.5 | PATCH | Ensure jffs2 kernel module is not available | Edit modprobe config"
         ansible.builtin.lineinfile:
-            dest: /etc/modprobe.d/blacklist.conf
+            path: /etc/modprobe.d/blacklist.conf
             regexp: "^(#)?blacklist jffs2(\\s|$)"
             line: "blacklist jffs2"
             create: true
@@ -179,7 +179,7 @@
   block:
       - name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available | Edit modprobe config"
         ansible.builtin.lineinfile:
-            dest: /etc/modprobe.d/CIS.conf
+            path: /etc/modprobe.d/CIS.conf
             regexp: "^(#)?install squashfs(\\s|$)"
             line: "install squashfs /bin/true"
             create: true
@@ -187,7 +187,7 @@
 
       - name: "1.1.1.6 | PATCH | Ensure squashfs kernel module is not available | Edit modprobe config"
         ansible.builtin.lineinfile:
-            dest: /etc/modprobe.d/blacklist.conf
+            path: /etc/modprobe.d/blacklist.conf
             regexp: "^(#)?blacklist squashfs(\\s|$)"
             line: "blacklist squashfs"
             create: true
@@ -212,7 +212,7 @@
   block:
       - name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available | Edit modprobe config"
         ansible.builtin.lineinfile:
-            dest: /etc/modprobe.d/CIS.conf
+            path: /etc/modprobe.d/CIS.conf
             regexp: "^(#)?install udf(\\s|$)"
             line: "install udf /bin/true"
             create: true
@@ -220,7 +220,7 @@
 
       - name: "1.1.1.7 | PATCH | Ensure udf kernel module is not available | Edit modprobe config"
         ansible.builtin.lineinfile:
-            dest: /etc/modprobe.d/blacklist.conf
+            path: /etc/modprobe.d/blacklist.conf
             regexp: "^(#)?blacklist udf(\\s|$)"
             line: "blacklist udf"
             create: true
@@ -245,7 +245,7 @@
   block:
       - name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available | Edit modprobe config"
         ansible.builtin.lineinfile:
-            dest: /etc/modprobe.d/CIS.conf
+            path: /etc/modprobe.d/CIS.conf
             regexp: "^(#)?install usb-storage(\\s|$)"
             line: "install usb-storage /bin/true"
             create: true
@@ -253,7 +253,7 @@
 
       - name: "1.1.1.8 | PATCH | Ensure usb-storage kernel module is not available | Edit modprobe config"
         ansible.builtin.lineinfile:
-            dest: /etc/modprobe.d/blacklist.conf
+            path: /etc/modprobe.d/blacklist.conf
             regexp: "^(#)?blacklist usb-storage(\\s|$)"
             line: "blacklist usb-storage"
             create: true
diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml
index 8f94a3e..4d8f5fb 100644
--- a/tasks/section_1/cis_1.3.x.yml
+++ b/tasks/section_1/cis_1.3.x.yml
@@ -12,12 +12,12 @@
   block:
       - name: "1.3.1 | PATCH | Ensure authentication required for single user mode | Emergency service"
         ansible.builtin.lineinfile:
-            dest: /usr/lib/systemd/system/emergency.service
+            path: /usr/lib/systemd/system/emergency.service
             regexp: '/sbin/sulogin'
             line: 'ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default'
 
       - name: "1.3.1 | PATCH | Ensure authentication required for single user mode | Rescue service"
         ansible.builtin.lineinfile:
-            dest: /usr/lib/systemd/system/rescue.service
+            path: /usr/lib/systemd/system/rescue.service
             regexp: '/sbin/sulogin'
             line: 'ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default'
diff --git a/tasks/section_1/cis_1.4.x.yml b/tasks/section_1/cis_1.4.x.yml
index cec5ac4..f72b247 100644
--- a/tasks/section_1/cis_1.4.x.yml
+++ b/tasks/section_1/cis_1.4.x.yml
@@ -47,7 +47,7 @@
       - NIST800-53R5_CM-6b
   notify: Systemd_daemon_reload
   ansible.builtin.lineinfile:
-      dest: /etc/systemd/coredump.conf
+      path: /etc/systemd/coredump.conf
       regexp: ^ProcessSizeMax
       line: ProcessSizeMax=0
       create: true
@@ -64,7 +64,7 @@
       - coredump
   notify: Systemd_daemon_reload
   ansible.builtin.lineinfile:
-      dest: /etc/systemd/coredump.conf
+      path: /etc/systemd/coredump.conf
       regexp: ^Storage
       line: Storage=none
       create: true
diff --git a/tasks/section_4/cis_4.5.2.x.yml b/tasks/section_4/cis_4.5.2.x.yml
index fce795f..c1c47e6 100644
--- a/tasks/section_4/cis_4.5.2.x.yml
+++ b/tasks/section_4/cis_4.5.2.x.yml
@@ -68,7 +68,7 @@
         loop_control:
             label: "{{ item.id }}"
 
-      - name: "4.5.2.3 | PATCH | | Ensure system accounts are secured | Lock accounts"
+      - name: "4.5.2.3 | PATCH | Ensure system accounts are secured | Lock accounts"
         when:
             - item.id != "root"
             - item.id != "sync"
diff --git a/tasks/section_5/cis_5.2.3.x.yml b/tasks/section_5/cis_5.2.3.x.yml
index ff14ad1..ef6c914 100644
--- a/tasks/section_5/cis_5.2.3.x.yml
+++ b/tasks/section_5/cis_5.2.3.x.yml
@@ -77,14 +77,14 @@
       - auditd
       - rule_5.2.3.6
   block:
-      - name: "5.2.3.6 | PATCH | Ensure use of privileged commands is collected"
+      - name: "5.2.3.6 | AUDIT | Ensure use of privileged commands is collected"
         ansible.builtin.shell: for i in  $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm /6000 2>/dev/null; done
         changed_when: false
         failed_when: false
         check_mode: false
         register: priv_procs
 
-      - name: "5.2.3.6 | PATCH | Ensure use of privileged commands is collected"
+      - name: "5.2.3.6 | AUDIT | Ensure use of privileged commands is collected | set_fact for auditd rules"
         ansible.builtin.set_fact:
             update_audit_template: true
         notify: Update_auditd_rules