Auto-fix usage of modules via FQCN

Since ansible-core 2.10 it is recommended to use modules via FQCN
In order to align with recommendation, we perform migration
by applying suggestions made by `ansible-lint --fix=fqcn`

Change-Id: I76bf3945bf413a8e9f0661f9aba697fdb8e993f7

handlers/main.yml

@@ -18,32 +18,32 @@
 # NOTE(mhayden): It's not possible to use systemd to restart auditd on CentOS
 # since it's a special service. Using the old service scripts is required.
 - name: Restart auditd
-  command: service auditd restart # noqa: command-instead-of-module
+  ansible.builtin.command: service auditd restart
   changed_when: false
 
 - name: Restart chrony
-  service:
+  ansible.builtin.service:
     name: "{{ chrony_service }}"
     state: restarted
 
 - name: Restart ssh
-  service:
+  ansible.builtin.service:
     name: "{{ ssh_service }}"
     state: restarted
 
 - name: Restart clamav
-  service:
+  ansible.builtin.service:
     name: "{{ clamav_service }}"
     state: restarted
 
 # Miscellaneous ##############################################################
 - name: Generate auditd rules
-  command: augenrules --load
+  ansible.builtin.command: augenrules --load
   changed_when: false
   notify: restart auditd
 
 - name: Update grub config
-  command: "{{ grub_update_cmd }}"
+  ansible.builtin.command: "{{ grub_update_cmd }}"
   changed_when: false
   when:
     - security_enable_grub_update | bool
@@ -55,10 +55,10 @@
 # NOTE(mhayden): Running `update-grub` causes the bootloader permissions to
 # change, which breaks V-38583.
 - name: Set bootloader file permissions after updating grub config
-  file:
+  ansible.builtin.file:
     path: "{{ grub_config_file_boot }}"
     mode: "0644"
 
 - name: Dconf update
-  command: dconf update
+  ansible.builtin.command: dconf update
   changed_when: false

tasks/contrib/main.yml

@@ -14,5 +14,5 @@
 # limitations under the License.
 
 - name: Notify the deployer that contrib tasks are enabled
-  debug:
+  ansible.builtin.debug:
     msg: "The contrib tasks are enabled."

tasks/main.yml

@@ -14,7 +14,7 @@
 # limitations under the License.
 
 - name: Gather variables for each operating system
-  include_vars: "{{ lookup('first_found', params) }}"
+  ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"
   vars:
     params:
       files:
@@ -30,20 +30,20 @@
     - always
 
 - name: Check for check/audit mode
-  command: /bin/true
+  ansible.builtin.command: /bin/true
   register: noop_result
   changed_when: false
   tags:
     - always
 
 - name: Check to see if we are booting with EFI or UEFI
-  set_fact:
+  ansible.builtin.set_fact:
     booted_with_efi: "{{ ansible_facts['mounts'] | selectattr('mount', 'equalto', '/boot/efi') | list | length > 0 }}"
   tags:
     - always
 
 - name: Set facts
-  set_fact:
+  ansible.builtin.set_fact:
     check_mode: "{{ noop_result is skipped }}" # noqa: var-naming[no-reserved]
     linux_security_module: "{{ (ansible_facts['os_family'] == 'Debian') | ternary('apparmor', 'selinux') }}"
     grub_config_file_boot: "{{ booted_with_efi | ternary(grub_conf_file_efi, grub_conf_file) }}"
@@ -51,16 +51,15 @@
     - always
 
 - name: Check if grub is present on the remote node
-  stat:
+  ansible.builtin.stat:
     path: "{{ grub_update_cmd.split(' ')[0] }}"
   register: grub_update_binary
   tags:
     - always
 
 - name: Importing STIG tasks
-  import_tasks: "{{ stig_version }}stig/main.yml"
+  ansible.builtin.import_tasks: "{{ stig_version }}stig/main.yml"
-
 - name: Including contrib tasks
-  include_tasks: contrib/main.yml
+  ansible.builtin.include_tasks: contrib/main.yml
   when:
     - security_contrib_enabled | bool

tasks/rhel7stig/accounts.yml

@@ -14,7 +14,7 @@
 # limitations under the License.
 
 - name: Check if /etc/security/pwquality.conf exists
-  stat:
+  ansible.builtin.stat:
     path: /etc/security/pwquality.conf
   check_mode: false
   register: pwquality_config_check
@@ -22,7 +22,7 @@
     - always
 
 - name: Set password quality requirements
-  blockinfile:
+  ansible.builtin.blockinfile:
     dest: /etc/security/pwquality.conf
     backup: true
     insertbefore: EOF
@@ -45,7 +45,7 @@
     - V-71935
 
 - name: Check for SHA512 password storage in PAM
-  command: "grep pam_unix.so {{ pam_password_file }}"
+  ansible.builtin.command: "grep pam_unix.so {{ pam_password_file }}"
   register: password_sha512_check
   changed_when: false
   check_mode: false
@@ -53,7 +53,7 @@
     - always
 
 - name: Print warning if PAM is not using SHA512 for password storage
-  debug:
+  ansible.builtin.debug:
     msg: >
       PAM is not using SHA512 for password storage. This is a security issue.
   when:
@@ -65,7 +65,7 @@
     - V-71919
 
 - name: Ensure libuser is storing passwords using SHA512
-  ini_file:
+  community.general.ini_file:
     dest: /etc/libuser.conf
     section: defaults
     option: crypt_style
@@ -84,7 +84,7 @@
 # may be attached to a Kerberos realm and they may not have shadow data on the
 # system. See bug 1659232 for more details.
 - name: Set minimum password lifetime limit to 24 hours for interactive accounts
-  command: "chage -m 1 {{ item.name }}"
+  ansible.builtin.command: "chage -m 1 {{ item.name }}"
   changed_when: false
   when:
     - item.shadow is mapping
@@ -101,7 +101,7 @@
 # may be attached to a Kerberos realm and they may not have shadow data on the
 # system. See bug 1659232 for more details.
 - name: Set maximum password lifetime limit to 60 days for interactive accounts
-  command: "chage -M 60 {{ item.name }}"
+  ansible.builtin.command: "chage -M 60 {{ item.name }}"
   changed_when: false
   when:
     - item.shadow is mapping
@@ -115,7 +115,7 @@
     - V-71931
 
 - name: Ensure that users cannot reuse one of their last 5 passwords
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: "{{ pam_password_file }}"
     regexp: "^(password\\s+[a-z0-9\\=\\[\\] ]+\\s+pam_unix\\.so.+?)\\s+(?:remember=\\d+)?$"
     line: "\\1 remember={{ security_password_remember_password }}"
@@ -129,7 +129,7 @@
     - V-71933
 
 - name: Ensure accounts are disabled if the password expires
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: /etc/default/useradd
     regexp: "^[#\\s]*INACTIVE"
     line: "INACTIVE=0"
@@ -141,7 +141,7 @@
     - V-71941
 
 - name: Apply shadow-utils configurations
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: /etc/login.defs
     regexp: "^{{ item.parameter }}"
     line: "{{ item.parameter }} {{ item.value }}"
@@ -161,7 +161,7 @@
     - V-72013
 
 - name: Print warning for groups in /etc/passwd that are not in /etc/group
-  debug:
+  ansible.builtin.debug:
     msg: >
       The following users have GIDs in /etc/passwd that do not exist in /etc/group:
       {{ hardening_user_list.users | selectattr('group', 'equalto', False) | map(attribute='name') | join(', ') }}
@@ -185,7 +185,7 @@
     - skip_ansible_lint
 
 - name: Print warnings for non-root users with UID 0
-  fail:
+  ansible.builtin.fail:
     msg: |
       Only the 'root' user should have UID 0. Other users were found:
       {{ root_user_check.stdout_lines | join(', ') }}"
@@ -197,7 +197,7 @@
     - V-72005
 
 - name: Print warning for local interactive users without a home directory assigned
-  debug:
+  ansible.builtin.debug:
     msg: |
       The following users do not have a home directory assigned:
       {{ hardening_user_list.users | selectattr('dir', 'equalto', '') | map(attribute='name') | join(', ') }}
@@ -210,7 +210,7 @@
     - V-72011
 
 - name: Check each user to see if its home directory exists on the filesystem
-  stat:
+  ansible.builtin.stat:
     path: "{{ item['dir'] }}"
   when:
     - item['dir'] | length > 0
@@ -222,7 +222,7 @@
     - V-72015
 
 - name: Print warning for users with an assigned home directory that does not exist
-  debug:
+  ansible.builtin.debug:
     msg: |
       These users have a home directory assigned, but the directory does not exist:
       {% for check in home_directory_checks.results %}
@@ -238,7 +238,7 @@
     - V-72015
 
 - name: Use pwquality when passwords are changed or created
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: /etc/pam.d/passwd
     line: "password required pam_pwquality.so retry=3"
     state: present

tasks/rhel7stig/aide.yml

@@ -14,7 +14,7 @@
 # limitations under the License.
 
 - name: Verify that AIDE configuration directory exists
-  stat:
+  ansible.builtin.stat:
     path: "{{ item }}"
   register: aide_conf
   check_mode: false
@@ -25,7 +25,7 @@
     - always
 
 - name: Exclude certain directories from AIDE
-  template:
+  ansible.builtin.template:
     src: ZZ_aide_exclusions.j2
     dest: /etc/aide/aide.conf.d/ZZ_aide_exclusions
     mode: "0644"
@@ -39,7 +39,7 @@
 # that meets the requirements of V-72069 and V-72071. That config
 # is borrowed for Ubuntu 16.04 here.
 - name: Configure AIDE to verify additional properties (Ubuntu)
-  blockinfile:
+  ansible.builtin.blockinfile:
     dest: "/etc/aide/aide.conf"
     insertbefore: EOF
     marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
@@ -69,7 +69,7 @@
 
 # NOTE(hwoarang): Add acl and xattrs on SUSE to meet V-72069 and V-72071.
 - name: Configure AIDE to verify additional properties (SUSE)
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: "/etc/aide.conf"
     regexp: "(^Binlib.*= )"
     line: "\\1p+i+n+u+g+s+b+m+c+sha256+sha512+acl+xattrs"
@@ -86,7 +86,7 @@
     - V-72073
 
 - name: Check to see if AIDE database is already in place
-  stat:
+  ansible.builtin.stat:
     path: "{{ aide_database_file }}"
   register: aide_database
   check_mode: false
@@ -97,7 +97,7 @@
   # NOTE(hwoarang): aideinit is an Ubuntu wrapper. An alternative
   # would be to use aideinit || aide -i but that will possibly mask
   # genuine aideinit failures.
-  shell: "if test -x /usr/sbin/aideinit; then aideinit; else aide -i; fi"
+  ansible.builtin.shell: "if test -x /usr/sbin/aideinit; then aideinit; else aide -i; fi"
   changed_when: false
   register: aide_init
   when:
@@ -113,7 +113,7 @@
 # copies the new AIDE database into place automatically with its AIDE wrapper
 # script.
 - name: Move AIDE database into place
-  command: "mv {{ aide_database_out_file }} {{ aide_database_file }}"
+  ansible.builtin.command: "mv {{ aide_database_out_file }} {{ aide_database_file }}"
   changed_when: false
   when:
     - aide_init is not skipped
@@ -127,7 +127,7 @@
 # package doesn't come with a cron job file. Ubuntu packages a cron job for
 # AIDE checks already.
 - name: Create AIDE cron job
-  cron:
+  ansible.builtin.cron:
     name: aide
     cron_file: aide
     user: root

tasks/rhel7stig/apt.yml

@@ -14,13 +14,13 @@
 # limitations under the License.
 
 - name: Ensure debsums is installed
-  apt:
+  ansible.builtin.apt:
     name: debsums
     state: present
   when: security_check_package_checksums | bool
 
 - name: Gather debsums report
-  shell: "debsums > {{ temp_dir }}/debsums.txt"
+  ansible.builtin.shell: "debsums > {{ temp_dir }}/debsums.txt"
   changed_when: false
   failed_when: false
   when:
@@ -28,7 +28,7 @@
     - not check_mode | bool
 
 - name: V-71855 - Get files with invalid checksums (apt)
-  shell: "grep -v OK$ {{ temp_dir }}/debsums.txt | awk '{ print $1 }'" # noqa risky-shell-pipe
+  ansible.builtin.shell: "grep -v OK$ {{ temp_dir }}/debsums.txt | awk '{ print $1 }'"
   register: invalid_checksum_files
   changed_when: false
   when:
@@ -40,7 +40,7 @@
     - V-71855
 
 - name: V-71855 - Create comma-separated list
-  set_fact:
+  ansible.builtin.set_fact:
     invalid_checksum_files_violations: "{{ invalid_checksum_files.stdout_lines | default([]) | join(', ') }}"
   when:
     - security_check_package_checksums | bool
@@ -51,7 +51,7 @@
     - V-71855
 
 - name: V-71855 - The cryptographic hash of system files and commands must match vendor values (apt)
-  debug:
+  ansible.builtin.debug:
     msg: >
       The following files have checksums that differ from the checksum provided
       with their package. Each of these should be verified manually to ensure
@@ -68,14 +68,14 @@
 
 # See the documentation for V-71977 for more details on this check.
 - name: Search for AllowUnauthenticated in /etc/apt/apt.conf.d/
-  command: grep -r '^[^#].*AllowUnauthenticated \"true\"' /etc/apt/apt.conf.d/
+  ansible.builtin.command: grep -r '^[^#].*AllowUnauthenticated \"true\"' /etc/apt/apt.conf.d/
   register: gpgcheck_result
   changed_when: false
   failed_when: false
   check_mode: false
 
 - name: V-71977 - Package management tool must verify authenticity of packages
-  debug:
+  ansible.builtin.debug:
     msg: "Remove AllowUnauthenticated from files in /etc/apt/apt.conf.d/ to ensure packages are verified."
   when:
     - security_enable_gpgcheck_packages | bool
@@ -85,7 +85,7 @@
     - V-71977
 
 - name: V-71979 - Package management tool must verify authenticity of locally-installed packages
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: /etc/dpkg/dpkg.cfg
     regexp: "^(#)?no-debsig"
     line: "#no-debsig"
@@ -97,7 +97,7 @@
     - V-71979
 
 - name: V-71987 - Clean requirements/dependencies when removing packages (dpkg)
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: /etc/apt/apt.conf.d/security-autoremove
     regexp: "^(#)?APT::Get::AutomaticRemove"
     line: "APT{{ '::' }}Get{{ '::' }}AutomaticRemove \"0\";"
@@ -113,7 +113,7 @@
     - V-71987
 
 - name: Enable automatic package updates (apt)
-  copy:
+  ansible.builtin.copy:
     src: 20auto-upgrades
     dest: /etc/apt/apt.conf.d/20auto-upgrades
     mode: "0644"

tasks/rhel7stig/async_tasks.yml

@@ -32,7 +32,7 @@
     - skip_ansible_lint
 
 - name: Locate top level directories to check for .shosts
-  find:
+  ansible.builtin.find:
     paths: /
     file_type: directory
   register: shosts_dirs
@@ -46,7 +46,7 @@
     - V-72279
 
 - name: Check for .shosts or shosts.equiv files
-  find:
+  ansible.builtin.find:
     paths: "{{ shosts_dirs.files | map(attribute='path') | difference(security_rhel7_remove_shosts_exclude_dirs) }}"
     recurse: true
     hidden: true

tasks/rhel7stig/auditd.yml

@@ -14,7 +14,7 @@
 # limitations under the License.
 
 - name: Verify that auditd.conf exists
-  stat:
+  ansible.builtin.stat:
     path: /etc/audit/auditd.conf
   register: auditd_conf
   check_mode: false
@@ -22,7 +22,7 @@
     - always
 
 - name: Verify that audisp-remote.conf exists
-  stat:
+  ansible.builtin.stat:
     path: /etc/audisp/audisp-remote.conf
   register: audisp_remote_conf
   check_mode: false
@@ -30,7 +30,7 @@
     - always
 
 - name: V-72083 - The operating system must off-load audit records onto a different system or media from the system being audited
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: /etc/audisp/audisp-remote.conf
     regexp: "^(#)?remote_server"
     line: "remote_server = {{ security_audisp_remote_server }}"
@@ -45,7 +45,7 @@
     - V-72083
 
 - name: V-72085 - The operating system must encrypt the transfer of audit records off-loaded onto a different system or media from the system being audited
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: /etc/audisp/audisp-remote.conf
     regexp: "^(#)?enable_krb5"
     line: "enable_krb5 = yes"
@@ -60,14 +60,14 @@
     - V-72085
 
 - name: Get valid system architectures for audit rules
-  set_fact:
+  ansible.builtin.set_fact:
     auditd_architectures: "{{ (ansible_facts['architecture'] == 'ppc64le') | ternary(['ppc64'], ['b32', 'b64']) }}"
   check_mode: false
   tags:
     - always
 
 - name: Remove system default audit.rules file
-  file:
+  ansible.builtin.file:
     path: /etc/audit/rules.d/audit.rules
     state: absent
   when:
@@ -78,7 +78,7 @@
     - always
 
 - name: Remove old RHEL 6 audit rules file
-  file:
+  ansible.builtin.file:
     path: /etc/audit/rules.d/osas-auditd.rules
     state: absent
   when:
@@ -89,7 +89,7 @@
     - always
 
 - name: Deploy rules for auditd based on STIG requirements
-  template:
+  ansible.builtin.template:
     src: osas-auditd-rhel7.j2
     dest: /etc/audit/rules.d/osas-auditd-rhel7.rules
     mode: "0644"
@@ -155,7 +155,7 @@
     - V-72081
 
 - name: Adjust auditd/audispd configurations
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: "{{ item.config }}"
     regexp: "^#?{{ item.parameter }}\\s*="
     line: "{{ item.parameter }} = {{ item.value }}"
@@ -174,7 +174,7 @@
     - V-72093
 
 - name: Ensure auditd is running and enabled at boot time
-  service:
+  ansible.builtin.service:
     name: auditd
     state: started
     enabled: true

tasks/rhel7stig/auth.yml

@@ -16,7 +16,7 @@
 # NOTE(mhayden): pam_faildelay expects the `delay` parameter to be in
 # microseconds.
 - name: Set pam_faildelay configuration on Ubuntu
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: /etc/pam.d/login
     regexp: "^(auth[\\s]+optional[\\s]+pam_faildelay.so).*$"
     line: "\\1 delay={{ (security_shadow_utils_fail_delay | int) * 10**6 }}"
@@ -31,7 +31,7 @@
     - V-71951
 
 - name: Prevent users with blank or null passwords from authenticating (Debian/Ubuntu)
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: "{{ pam_auth_file }}"
     state: present
     regexp: "^(.*)nullok_secure(.*)$"
@@ -47,7 +47,7 @@
     - V-71937
 
 - name: Prevent users with blank or null passwords from authenticating (Red Hat)
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: "{{ item[1] }}"
     state: present
     regexp: "^({{ item[0] }}.*sufficient.*)nullok(.*)$"
@@ -64,7 +64,7 @@
     - V-71937
 
 - name: Prevent users with blank or null passwords from authenticating (SUSE)
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: "{{ item }}"
     state: present
     regexp: "^(.*required.*)nullok(.*)$"
@@ -83,7 +83,7 @@
     - V-71937
 
 - name: Lock accounts after three failed login attempts a 15 minute period
-  blockinfile:
+  ansible.builtin.blockinfile:
     dest: "{{ pam_password_file }}"
     state: present
     marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
@@ -106,7 +106,7 @@
 # those lines that have a '#' as the first character or '#' as the first
 # character following a space (or series of spaces).
 - name: Check for 'nopasswd' in sudoers files
-  shell: 'grep -ir nopasswd /etc/sudoers /etc/sudoers.d/ | egrep -v "^([[:space:]]*)?(#|$)" || echo "not found"' # noqa risky-shell-pipe
+  ansible.builtin.shell: 'grep -ir nopasswd /etc/sudoers /etc/sudoers.d/ | egrep -v "^([[:space:]]*)?(#|$)" || echo "not found"'
   register: sudoers_nopasswd_check
   changed_when: false
   when:
@@ -132,7 +132,7 @@
     - skip_ansible_lint
 
 - name: Check for '!authenticate' in sudoers files
-  shell: grep -ir '\!authenticate' /etc/sudoers /etc/sudoers.d/ || echo 'not found'
+  ansible.builtin.shell: grep -ir '\!authenticate' /etc/sudoers /etc/sudoers.d/ || echo 'not found'
   register: sudoers_authenticate_check
   changed_when: false
   tags:
@@ -156,7 +156,7 @@
     - skip_ansible_lint
 
 - name: Check if sssd.conf exists
-  stat:
+  ansible.builtin.stat:
     path: /etc/sssd/sssd.conf
   register: sssd_conf_check
   check_mode: false
@@ -166,7 +166,7 @@
 # NOTE(mhayden): Some systems, such as ARM, don't have grub at all. This task
 # should be skipped on those systems.
 - name: Check if GRUB2 custom file exists
-  stat:
+  ansible.builtin.stat:
     path: "{{ grub_custom_file }}"
   register: grub_custom_file_check
   check_mode: false
@@ -176,7 +176,7 @@
 - name: Set a GRUB 2 password for single-user/maintenance modes
   block:
     - name: Define password options for grub
-      blockinfile:
+      ansible.builtin.blockinfile:
         path: "{{ grub_custom_file }}"
         insertbefore: EOF
         marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
@@ -187,7 +187,7 @@
       notify:
         - Update grub config
     - name: Set CLASS for grub file
-      lineinfile:
+      ansible.builtin.lineinfile:
         path: "{{ grub_linux_file }}"
         regexp: "^CLASS=.*"
         line: 'CLASS="--class gnu-linux --class gnu --class os --unrestricted"'
@@ -205,7 +205,7 @@
     - V-71963
 
 - name: V-72217 - The operating system must limit the number of concurrent sessions to 10 for all accounts and/or account types.
-  blockinfile:
+  ansible.builtin.blockinfile:
     dest: /etc/security/limits.d/ansible-hardening-maxlogins.conf
     create: true
     mode: "0644"
@@ -221,7 +221,7 @@
     - V-72217
 
 - name: Check for pam_lastlog in PAM configuration
-  command: "grep pam_lastlog {{ pam_postlogin_file }}"
+  ansible.builtin.command: "grep pam_lastlog {{ pam_postlogin_file }}"
   register: pam_lastlog_check
   changed_when: false
   failed_when: false
@@ -230,7 +230,7 @@
     - always
 
 - name: V-72275 - Display date/time of last logon after logon
-  debug:
+  ansible.builtin.debug:
     msg: >
       The 'pam_lastlog' directive is missing in {{ pam_postlogin_file }}.
       This is required by V-72275.
@@ -242,7 +242,7 @@
     - V-72275
 
 - name: Ensure .shosts find has finished
-  async_status:
+  ansible.builtin.async_status:
     jid: "{{ shosts_find.ansible_job_id }}"
   failed_when: false
   changed_when: false
@@ -258,7 +258,7 @@
     - V-72279
 
 - name: Remove .shosts or shosts.equiv files
-  file:
+  ansible.builtin.file:
     path: "{{ item.path }}"
     state: absent
   with_items: "{{ job_result.files }}"

tasks/rhel7stig/dnf.yml

@@ -14,10 +14,10 @@
 # limitations under the License.
 
 - name: Including rpm tasks
-  include_tasks: rpm.yml
+  ansible.builtin.include_tasks: rpm.yml
 
 - name: Check if /etc/dnf/automatic.conf exists
-  stat:
+  ansible.builtin.stat:
     path: /etc/dnf/automatic.conf
   check_mode: false
   register: dnf_automatic_config_check
@@ -28,7 +28,7 @@
     - always
 
 - name: Enable automatic package updates (dnf)
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: /etc/dnf/automatic.conf
     regexp: "^apply_updates"
     line: "apply_updates = yes"
@@ -77,7 +77,7 @@
     - skip_ansible_lint
 
 - name: Enable dnf automatic timer for automatic package updates
-  systemd:
+  ansible.builtin.systemd:
     name: "{{ dnf_automatic_timer }}"
     enabled: true
     state: started

tasks/rhel7stig/file_perms.yml

@@ -14,7 +14,7 @@
 # limitations under the License.
 
 - name: V-71849 - Get packages with incorrect file permissions or ownership
-  shell: "grep '^.M' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'" # noqa risky-shell-pipe
+  ansible.builtin.shell: "grep '^.M' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'"
   register: rpmverify_package_list
   changed_when: false
   when:
@@ -47,7 +47,7 @@
     - skip_ansible_lint
 
 - name: Search for files/directories with an invalid owner
-  command: find / -xdev -nouser -fstype local # noqa: command-instead-of-module
+  ansible.builtin.command: find / -xdev -nouser -fstype local
   register: invalid_owner_files
   changed_when: false
   when:
@@ -56,7 +56,7 @@
     - always
 
 - name: V-72007 - All files and directories must have a valid owner.
-  debug:
+  ansible.builtin.debug:
     msg: |
       Files and directories were found that are owned by an invalid user:
       {{ invalid_owner_files.stdout_lines | join('\n') }}
@@ -70,7 +70,7 @@
     - V-72007
 
 - name: Search for files/directories with an invalid group owner
-  command: find / -xdev -nogroup -fstype local # noqa: command-instead-of-module
+  ansible.builtin.command: find / -xdev -nogroup -fstype local
   register: invalid_group_owner_files
   changed_when: false
   when:
@@ -79,7 +79,7 @@
     - always
 
 - name: V-72009 - All files and directories must have a valid group owner.
-  debug:
+  ansible.builtin.debug:
     msg: |
       Files and directories were found that are owned by an invalid group:
       {{ invalid_group_owner_files.stdout_lines | join('\n') }}
@@ -93,7 +93,7 @@
     - V-72009
 
 - name: Set proper owner, group owner, and permissions on home directories
-  file:
+  ansible.builtin.file:
     dest: "{{ item.dir }}"
     owner: "{{ item.name }}"
     group: "{{ item.group.name }}"
@@ -111,7 +111,7 @@
     - V-72021
 
 - name: Find all world-writable directories
-  shell: "find / -perm -002 -type d -exec ls -lLd {} \\; | tr -s ' ' | cut -d' ' -f 4,9 | grep -v ^root" # noqa risky-shell-pipe
+  ansible.builtin.shell: "find / -perm -002 -type d -exec ls -lLd {} \\; | tr -s ' ' | cut -d' ' -f 4,9 | grep -v ^root"
   register: world_writable_dirs
   changed_when: false
   failed_when: false
@@ -122,7 +122,7 @@
     - always
 
 - name: V-72047 - All world-writable directories must be group-owned by root, sys, bin, or an application group.
-  debug:
+  ansible.builtin.debug:
     msg: |
       The group owners on the following world-writable directories should be examined:
       {{ world_writable_dirs.stdout }}
@@ -135,14 +135,14 @@
     - V-72047
 
 - name: Check if /etc/cron.allow exists
-  stat:
+  ansible.builtin.stat:
     path: /etc/cron.allow
   register: cron_allow_check
   tags:
     - always
 
 - name: Set owner/group owner on /etc/cron.allow
-  file:
+  ansible.builtin.file:
     path: /etc/cron.allow
     owner: root
     group: root

tasks/rhel7stig/graphical.yml

@@ -14,13 +14,13 @@
 # limitations under the License.
 
 - name: Check if gdm is installed and configured
-  stat:
+  ansible.builtin.stat:
     path: /etc/gdm/custom.conf
   register: gdm_conf_check
   check_mode: false
 
 - name: V-71953 - The operating system must not allow an unattended or automatic logon to the system via a graphical user interface
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: /etc/gdm/custom.conf
     line: "^AutomaticLoginEnable=true"
     state: absent
@@ -33,7 +33,7 @@
     - V-71953
 
 - name: V-71955 - The operating system must not allow guest logon to the system.
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: /etc/gdm/custom.conf
     line: "^TimedLoginEnable=true"
     state: absent
@@ -46,14 +46,14 @@
     - V-71955
 
 - name: Check for dconf profiles
-  stat:
+  ansible.builtin.stat:
     path: /etc/dconf/profile
   register: dconf_check
   tags:
     - always
 
 - name: Create a user profile in dconf
-  copy:
+  ansible.builtin.copy:
     src: dconf-user-profile
     dest: /etc/dconf/profile/user
     mode: "0644"
@@ -67,7 +67,7 @@
     - V-71901
 
 - name: Create dconf directories
-  file:
+  ansible.builtin.file:
     path: "{{ item }}"
     state: directory
     mode: "0755"
@@ -86,7 +86,7 @@
     - V-71901
 
 - name: Configure graphical session locking
-  template:
+  ansible.builtin.template:
     src: dconf-screensaver-lock.j2
     dest: /etc/dconf/db/local.d/00-screensaver
     mode: "0644"
@@ -102,7 +102,7 @@
     - V-71901
 
 - name: Prevent users from changing graphical session locking configurations
-  template:
+  ansible.builtin.template:
     src: dconf-session-user-config-lockout.j2
     dest: /etc/dconf/db/local.d/locks/session
     mode: "0644"
@@ -118,7 +118,7 @@
     - V-71901
 
 - name: Create a GDM profile for displaying a login banner
-  copy:
+  ansible.builtin.copy:
     src: dconf-profile-gdm
     dest: /etc/dconf/profile/gdm
     mode: "0644"
@@ -132,7 +132,7 @@
     - V-71859
 
 - name: Create a GDM keyfile for machine-wide settings
-  template:
+  ansible.builtin.template:
     src: dconf-gdm-banner-message.j2
     dest: "{{ item }}"
     mode: "0644"

tasks/rhel7stig/kernel.yml

@@ -14,7 +14,7 @@
 # limitations under the License.
 
 - name: V-71983 - USB mass storage must be disabled.
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: /etc/modprobe.d/ansible-hardening-disable-usb-storage.conf
     line: install usb-storage /bin/true
     create: true
@@ -27,7 +27,7 @@
     - V-71983
 
 - name: Set sysctl configurations
-  sysctl:
+  ansible.posix.sysctl:
     name: "{{ item.name }}"
     value: "{{ item.value }}"
     state: "{{ item.enabled | ternary('present', 'absent') }}"
@@ -51,7 +51,7 @@
     - C-00001
 
 - name: Check kdump service
-  command: systemctl status kdump # noqa: command-instead-of-module
+  ansible.builtin.command: systemctl status kdump
   register: kdump_service_check
   failed_when: kdump_service_check.rc not in [0,3,4]
   changed_when: false
@@ -62,7 +62,7 @@
     - V-72057
 
 - name: V-72057 - Kernel core dumps must be disabled unless needed.
-  service:
+  ansible.builtin.service:
     name: kdump
     state: stopped
     enabled: false
@@ -75,7 +75,7 @@
     - V-72057
 
 - name: Check if FIPS is enabled
-  command: cat /proc/sys/crypto/fips_enabled
+  ansible.builtin.command: cat /proc/sys/crypto/fips_enabled
   register: fips_check
   changed_when: false
   failed_when: false
@@ -86,7 +86,7 @@
     - always
 
 - name: Print a warning if FIPS isn't enabled
-  debug:
+  ansible.builtin.debug:
     msg: >
       FIPS is not enabled at boot time on this server.
       The STIG requires FIPS to be enabled at boot time.
@@ -100,7 +100,7 @@
     - V-72067
 
 - name: V-77821 - Datagram Congestion Control Protocol (DCCP) kernel module must be disabled
-  copy:
+  ansible.builtin.copy:
     src: ansible-hardening-disable-dccp.conf
     dest: /etc/modprobe.d/ansible-hardening-disable-dccp.conf
     mode: "0644"

tasks/rhel7stig/lsm.yml

@@ -14,7 +14,7 @@
 # limitations under the License.
 
 - name: Check apparmor_status output
-  command: apparmor_status
+  ansible.builtin.command: apparmor_status
   register: apparmor_status_output
   check_mode: false
   changed_when: false
@@ -32,7 +32,7 @@
 # started apparmor each time. This breaks idempotency and we check
 # systemd's status directly as an alternative.
 - name: Check if apparmor is running
-  command: "systemctl status apparmor" # noqa: command-instead-of-module
+  ansible.builtin.command: "systemctl status apparmor"
   register: systemctl_apparmor_status
   check_mode: false
   changed_when: false
@@ -45,7 +45,7 @@
     - V-71989
 
 - name: Ensure AppArmor is enabled at boot time
-  service:
+  ansible.builtin.service:
     name: apparmor
     enabled: true
   when:
@@ -60,7 +60,7 @@
 # unit will always say AppArmor is dead. This means that the following task
 # will always start the unit every time it runs (which breaks idempotency).
 - name: Ensure AppArmor is running
-  service:
+  ansible.builtin.service:
     name: apparmor
     state: started
   changed_when:
@@ -79,7 +79,7 @@
 # to switch to permissive/enforcing in an online way when SELinux is completely
 # disabled at boot time.
 - name: Ensure SELinux is in enforcing mode on the next reboot
-  selinux:
+  ansible.posix.selinux:
     state: enforcing
     policy: targeted
   register: selinux_status_change
@@ -93,7 +93,7 @@
     - V-71991
 
 - name: Relabel files on next boot if SELinux mode changed
-  file:
+  ansible.builtin.file:
     path: /.autorelabel
     state: touch
     mode: "0644"
@@ -109,7 +109,7 @@
 # NOTE(mhayden): Ansible's find module doesn't support searching for files
 # based on SELinux contexts yet.
 - name: Check for unlabeled device files
-  command: "find /dev -context '*unlabeled_t*'"
+  ansible.builtin.command: "find /dev -context '*unlabeled_t*'"
   register: unlabeled_devices
   changed_when: false
   check_mode: false
@@ -122,7 +122,7 @@
     - V-72039
 
 - name: V-72039 - All system device files must be correctly labeled to prevent unauthorized modification.
-  debug:
+  ansible.builtin.debug:
     msg: |
       Devices were found without SELinux labels:
       {% for device in unlabeled_devices.stdout_lines %}

tasks/rhel7stig/main.yml

@@ -14,7 +14,7 @@
 # limitations under the License.
 
 - name: Create temporary directory to hold any temporary files
-  tempfile:
+  ansible.builtin.tempfile:
     state: directory
     suffix: hardening
   register: mktemp_result
@@ -24,7 +24,7 @@
     - always
 
 - name: Set a fact for the temporary directory
-  set_fact:
+  ansible.builtin.set_fact:
     temp_dir: "{{ mktemp_result.path }}"
   changed_when: false
   when:
@@ -35,8 +35,7 @@
 # Some of the tasks in the role may take a long time to run. Let's start them
 # as early as possible so they have time to finish.
 - name: Importing async_tasks tasks
-  import_tasks: async_tasks.yml
+  ansible.builtin.import_tasks: async_tasks.yml
-
 - name: Get user data for all users on the system
   get_users:
     min_uid: 0
@@ -56,7 +55,7 @@
 # NOTE(mhayden): EPEL is only needed for the clamav packages. We should only
 # install EPEL if the deployer asked for clamav to be installed.
 - name: Install EPEL repository
-  yum:
+  ansible.builtin.dnf:
     name: "{{ security_epel_release_package }}"
     state: "{{ security_package_state }}"
   when:
@@ -69,43 +68,43 @@
 # Package installations and removals must come first so that configuration
 # changes can be made later.
 - name: Importing packages tasks
-  import_tasks: packages.yml
+  ansible.builtin.import_tasks: packages.yml
   tags:
     - always
 
 # Package managers are managed first since the changes in these tasks will
 # affect the remainder of the tasks in the role.
 - name: Including OS-specific tasks
-  include_tasks: "{{ ansible_facts['pkg_mgr'] }}.yml"
+  ansible.builtin.include_tasks: "{{ ansible_facts['pkg_mgr'] }}.yml"
 
 # The bulk of the security changes are applied in these tasks. The tasks in
 # each file are tagged with the same name (for example, tasks in `auth.yml`
 # are tagged with `auth`). Also, the tag name matches up with the "STIG
 # Controls by Tag" section of the role documentation.
 - name: Importing accounts tasks
-  import_tasks: accounts.yml
+  ansible.builtin.import_tasks: accounts.yml
 - name: Importing aide tasks
-  import_tasks: aide.yml
+  ansible.builtin.import_tasks: aide.yml
   when: security_rhel7_enable_aide | bool
 - name: Importing auditd tasks
-  import_tasks: auditd.yml
+  ansible.builtin.import_tasks: auditd.yml
 - name: Importing auth tasks
-  import_tasks: auth.yml
+  ansible.builtin.import_tasks: auth.yml
 - name: Importing file_perms tasks
-  import_tasks: file_perms.yml
+  ansible.builtin.import_tasks: file_perms.yml
 - name: Importing graphical tasks
-  import_tasks: graphical.yml
+  ansible.builtin.import_tasks: graphical.yml
 - name: Importing kernel tasks
-  import_tasks: kernel.yml
+  ansible.builtin.import_tasks: kernel.yml
 - name: Importing lsm tasks
-  import_tasks: lsm.yml
+  ansible.builtin.import_tasks: lsm.yml
 - name: Importing misc tasks
-  import_tasks: misc.yml
+  ansible.builtin.import_tasks: misc.yml
 - name: Importing sshd tasks
-  import_tasks: sshd.yml
+  ansible.builtin.import_tasks: sshd.yml
 
 - name: Remove the temporary directory
-  file:
+  ansible.builtin.file:
     path: "{{ temp_dir }}"
     state: absent
   changed_when: false

tasks/rhel7stig/misc.yml

@@ -14,7 +14,7 @@
 # limitations under the License.
 
 - name: Check autofs service
-  command: systemctl status autofs # noqa: command-instead-of-module
+  ansible.builtin.command: systemctl status autofs # noqa: command-instead-of-module
   register: autofs_check
   failed_when: autofs_check.rc not in [0,3,4]
   changed_when: false
@@ -23,7 +23,7 @@
     - always
 
 - name: V-71985 - File system automounter must be disabled unless required.
-  service:
+  ansible.builtin.service:
     name: autofs
     state: stopped
     enabled: false
@@ -39,7 +39,7 @@
 #                      https://github.com/ansible/ansible/issues/68680
 # This returns an exit code of 0 if it's running, 3 if it's masked.
 - name: V-71993 - The x86 Ctrl-Alt-Delete key sequence must be disabled
-  systemd:
+  ansible.builtin.systemd:
     name: ctrl-alt-del.target
     enabled: false
   when:
@@ -50,7 +50,7 @@
     - V-71993
 
 - name: V-71993 - The x86 Ctrl-Alt-Delete key sequence must be disabled
-  systemd:
+  ansible.builtin.systemd:
     name: ctrl-alt-del.target
     masked: true
     daemon_reload: true
@@ -62,7 +62,7 @@
     - V-71993
 
 - name: Check for /home on mounted filesystem
-  debug:
+  ansible.builtin.debug:
     msg: |
       The STIG requires that /home is on its own filesystem, but this system
       does not appear to be following the requirement.
@@ -74,7 +74,7 @@
     - V-72059
 
 - name: Check for /var on mounted filesystem
-  debug:
+  ansible.builtin.debug:
     msg: |
       The STIG requires that /var is on its own filesystem, but this system
       does not appear to be following the requirement.
@@ -86,7 +86,7 @@
     - V-72067
 
 - name: Check for /var/log/audit on mounted filesystem
-  debug:
+  ansible.builtin.debug:
     msg: |
       The STIG requires that /var/log/audit is on its own filesystem, but this system
       does not appear to be following the requirement.
@@ -98,7 +98,7 @@
     - V-72063
 
 - name: Check for /tmp on mounted filesystem
-  debug:
+  ansible.builtin.debug:
     msg: |
       The STIG requires that /tmp is on its own filesystem, but this system
       does not appear to be following the requirement.
@@ -110,7 +110,7 @@
     - V-72065
 
 - name: Check if syslog output is being sent to another server
-  command: 'grep "^[^#].*@" /etc/rsyslog.conf'
+  ansible.builtin.command: 'grep "^[^#].*@" /etc/rsyslog.conf'
   register: rsyslog_transmit_check
   changed_when: false
   failed_when: false
@@ -119,7 +119,7 @@
     - always
 
 - name: V-72209 - The system must send rsyslog output to a log aggregation server.
-  debug:
+  ansible.builtin.debug:
     msg: Output from syslog must be sent to another server.
   when:
     - rsyslog_transmit_check is defined
@@ -130,7 +130,7 @@
     - V-72209
 
 - name: Check if ClamAV is installed
-  stat:
+  ansible.builtin.stat:
     path: /usr/bin/clamdscan
   register: clamav_install_check
   changed_when: false
@@ -138,7 +138,7 @@
     - always
 
 - name: Remove 'Example' line from ClamAV configuration files
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: "{{ item }}"
     regexp: "^Example"
     state: absent
@@ -156,7 +156,7 @@
     - V-72213
 
 - name: Set ClamAV server type as socket
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: /etc/clamd.d/scan.conf
     regexp: "^(#)?LocalSocket (.*)$"
     line: "LocalSocket {{ clamav_service_details['socket_path'] }}"
@@ -172,7 +172,7 @@
     - V-72213
 
 - name: Ensure ClamAV socket directory exists
-  file:
+  ansible.builtin.file:
     path: "{{ clamav_service_details['socket_path'] | dirname }}"
     owner: "{{ clamav_service_details['user'] }}"
     group: "{{ clamav_service_details['group'] }}"
@@ -188,7 +188,7 @@
     - V-72213
 
 - name: Allow automatic freshclam updates
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: /etc/sysconfig/freshclam
     regexp: "^FRESHCLAM_DELAY"
     state: absent
@@ -203,7 +203,7 @@
     - V-72213
 
 - name: Check if ClamAV update process is already running
-  shell: "set -o pipefail; ps -ef | egrep [f]reshclam -q"
+  ansible.builtin.shell: "set -o pipefail; ps -ef | egrep [f]reshclam -q"
   register: freshclam_proc
   changed_when: false
   failed_when: false
@@ -212,7 +212,7 @@
     - always
 
 - name: Update ClamAV database
-  command: freshclam
+  ansible.builtin.command: freshclam
   changed_when: false
   when:
     - freshclam_proc.rc != 0
@@ -226,7 +226,7 @@
     - V-72213
 
 - name: Ensure ClamAV is running
-  service:
+  ansible.builtin.service:
     name: "{{ clamav_service }}"
     state: started
     enabled: true
@@ -243,7 +243,7 @@
 # errors on the command prompt. See LP bug 1736702.
 # TODO(mhayden): Remove this task when the Rocky release is in development.
 - name: Remove old config block for V-72223 from openstack-ansible-security
-  blockinfile:
+  ansible.builtin.blockinfile:
     dest: /etc/profile
     state: absent
     insertbefore: EOF
@@ -254,7 +254,7 @@
     - V-72223
 
 - name: V-72223 - Set 10 minute timeout on communication sessions
-  blockinfile:
+  ansible.builtin.blockinfile:
     dest: /etc/profile
     state: present
     insertbefore: EOF
@@ -270,7 +270,7 @@
     - V-72223
 
 - name: Start and enable chrony
-  service:
+  ansible.builtin.service:
     name: "{{ chrony_service }}"
     state: started
     enabled: true
@@ -283,14 +283,14 @@
     - V-72269
 
 - name: Check if chrony configuration file exists
-  stat:
+  ansible.builtin.stat:
     path: "{{ chrony_conf_file }}"
   register: chrony_conf_check
   tags:
     - always
 
 - name: V-72269 - Synchronize system clock (configuration file)
-  template:
+  ansible.builtin.template:
     src: chrony.conf.j2
     dest: "{{ chrony_conf_file }}"
     mode: "0644"
@@ -306,7 +306,7 @@
 
 # Returns 0 if installed, 3 if not installed
 - name: Check firewalld status
-  command: systemctl status firewalld # noqa: command-instead-of-module
+  ansible.builtin.command: systemctl status firewalld
   register: firewalld_status_check
   failed_when: firewalld_status_check.rc not in [0,3,4]
   changed_when: false
@@ -315,7 +315,7 @@
     - always
 
 - name: Ensure firewalld is running and enabled
-  service:
+  ansible.builtin.service:
     name: firewalld
     state: started
     enabled: true
@@ -328,7 +328,7 @@
     - V-72273
 
 - name: Limit new TCP connections to 25/minute and allow bursting to 100
-  command: >-
+  ansible.builtin.command: >-
     firewall-cmd --direct --add-rule ipv4 filter IN_public_allow 0 -m tcp -p tcp -m limit --limit {{
       security_enable_firewalld_rate_limit_per_minute }}/minute --limit-burst {{ security_enable_firewalld_rate_limit_burst }} -j ACCEPT
   register: add_rate_limit_firewalld_rule
@@ -354,7 +354,7 @@
     - skip_ansible_lint
 
 - name: V-72281 - For systems using DNS resolution, at least two name servers must be configured.
-  debug:
+  ansible.builtin.debug:
     msg: |
       Two or more nameservers must be configured in /etc/resolv.conf.
       Nameservers found: {{ nameserver_check.stdout_lines | length }}
@@ -367,7 +367,7 @@
     - V-72281
 
 - name: Check for interfaces in promiscuous mode
-  shell: "set -o pipefail; ip link | grep -i promisc"
+  ansible.builtin.shell: "set -o pipefail; ip link | grep -i promisc"
   register: promiscuous_interface_check
   changed_when: false
   failed_when: false
@@ -376,7 +376,7 @@
     - always
 
 - name: V-72295 - Network interfaces must not be in promiscuous mode.
-  debug:
+  ansible.builtin.debug:
     msg: >
       One or more network interfaces were found to be in promiscuous mode.
       Review all interfaces and disable promiscuous mode.
@@ -388,14 +388,14 @@
     - V-72295
 
 - name: Check for postfix configuration file
-  stat:
+  ansible.builtin.stat:
     path: /etc/postfix/main.cf
   register: postfix_conf_check
   tags:
     - always
 
 - name: V-72297 - Prevent unrestricted mail relaying
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: /etc/postfix/main.cf
     regexp: "^smtpd_client_restrictions"
     line: "smtpd_client_restrictions = permit_mynetworks, reject"
@@ -408,7 +408,7 @@
     - V-72297
 
 - name: Check for TFTP server configuration file
-  stat:
+  ansible.builtin.stat:
     path: /etc/xinetd.d/tftp
   register: tftp_config_check
   check_mode: false
@@ -416,7 +416,7 @@
     - always
 
 - name: Check TFTP configuration mode
-  command: "grep server_args /etc/xinetd.d/tftp"
+  ansible.builtin.command: "grep server_args /etc/xinetd.d/tftp"
   register: tftp_secure_check
   changed_when: false
   failed_when: false
@@ -427,7 +427,7 @@
     - always
 
 - name: V-72305 - TFTP must be configured to operate in secure mode
-  debug:
+  ansible.builtin.debug:
     msg: TFTP must be configured to run in secure mode with the '-s' flag.
   when:
     - tftp_config_check.stat.exists
@@ -438,7 +438,7 @@
     - V-72305
 
 - name: Check to see if snmpd config contains public/private
-  command: 'egrep "^[^#].*(public|private)" /etc/snmp/snmpd.conf'
+  ansible.builtin.command: 'egrep "^[^#].*(public|private)" /etc/snmp/snmpd.conf'
   register: snmp_public_private_check
   changed_when: false
   failed_when: false
@@ -447,7 +447,7 @@
     - always
 
 - name: V-72313 - Change SNMP community strings from default.
-  debug:
+  ansible.builtin.debug:
     msg: >
       Change the SNMP community strings from the defaults of 'public' and
       'private' to meet the requirements of V-72313.

tasks/rhel7stig/packages.yml

@@ -14,7 +14,7 @@
 # limitations under the License.
 
 - name: Add packages based on STIG requirements
-  package:
+  ansible.builtin.package:
     name: "{{ stig_packages_rhel7 | selectattr('enabled') | selectattr('state', 'equalto', item) | sum(attribute='packages', start=[]) }}"
     state: "{{ item }}"
   with_items:
@@ -35,7 +35,7 @@
     - V-72307
 
 - name: Remove packages based on STIG requirements
-  package:
+  ansible.builtin.package:
     name: "{{ stig_packages_rhel7 | selectattr('enabled') | selectattr('state', 'equalto', item) | sum(attribute='packages', start=[]) }}"
     state: "{{ item }}"
   with_items:

tasks/rhel7stig/rpm.yml

@@ -14,7 +14,7 @@
 # limitations under the License.
 
 - name: Ensure RPM verification task has finished
-  async_status:
+  ansible.builtin.async_status:
     jid: "{{ rpmverify_task.ansible_job_id }}"
   failed_when: false
   changed_when: false
@@ -30,7 +30,7 @@
     - V-71855
 
 - name: V-71855 - Get files with invalid checksums (rpm)
-  shell: "grep '^..5' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'" # noqa risky-shell-pipe
+  ansible.builtin.shell: "grep '^..5' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'"
   register: invalid_checksum_files
   changed_when: false
   when:
@@ -43,7 +43,7 @@
     - V-71855
 
 - name: V-71855 - The cryptographic hash of system files and commands must match vendor values (rpm)
-  debug:
+  ansible.builtin.debug:
     msg: |
       The following files have checksums that differ from the checksum provided
       with their package. Each of these should be verified manually to ensure
@@ -64,7 +64,7 @@
     - V-71855
 
 - name: V-71977 - Require digital signatures for all packages
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: "{{ pkg_mgr_config }}"
     regexp: "{{ item.regexp }}"
     line: "{{ item.line }}"
@@ -78,7 +78,7 @@
     - V-71981
 
 - name: V-71987 - Clean requirements/dependencies when removing packages (RedHat)
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: "{{ pkg_mgr_config }}"
     regexp: "^(#)?clean_requirements_on_remove"
     line: "clean_requirements_on_remove=1"

tasks/rhel7stig/sshd.yml

@@ -14,7 +14,7 @@
 # limitations under the License.
 
 - name: Copy login warning banner
-  copy:
+  ansible.builtin.copy:
     content: "{{ security_login_banner_text }}"
     dest: "{{ security_sshd_banner_file }}"
     owner: root
@@ -27,7 +27,7 @@
     - V-72225
 
 - name: Drop options from SSH config that we manage
-  lineinfile:
+  ansible.builtin.lineinfile:
     path: /etc/ssh/sshd_config
     state: absent
     regexp: "^{{ item.name }}\\s+(?!{{ item.value }})"
@@ -59,7 +59,7 @@
     - V-72263
 
 - name: Adjust ssh server configuration based on STIG requirements
-  blockinfile:
+  ansible.builtin.blockinfile:
     dest: /etc/ssh/sshd_config
     state: present
     marker: "# {mark} MANAGED BY ANSIBLE-HARDENING"
@@ -97,7 +97,7 @@
     - V-72263
 
 - name: Ensure sshd is enabled at boot time
-  service:
+  ansible.builtin.service:
     name: "{{ ssh_service }}"
     enabled: true
   when:
@@ -108,7 +108,7 @@
     - V-72235
 
 - name: Determine existing public ssh host keys
-  shell: ls /etc/ssh/*.pub
+  ansible.builtin.shell: ls /etc/ssh/*.pub
   register: public_ssh_host_keys
   # The shell command will always report 'changed' so we need to
   # ignore that since this role is supposed to be idempotent.
@@ -118,7 +118,7 @@
     - always
 
 - name: Public host key files must have mode 0644 or less
-  file:
+  ansible.builtin.file:
     path: "{{ item }}"
     mode: "u-xX,g-wxs,o-wxt"
   with_items:
@@ -129,7 +129,7 @@
     - V-72255
 
 - name: Determine existing private ssh host keys
-  shell: ls /etc/ssh/*_key
+  ansible.builtin.shell: ls /etc/ssh/*_key
   register: private_ssh_host_keys
   # The shell command will always report 'changed' so we need to
   # ignore that since this role is supposed to be idempotent
@@ -139,7 +139,7 @@
     - always
 
 - name: Private host key files must have mode 0600 or less
-  file:
+  ansible.builtin.file:
     path: "{{ item }}"
     mode: "u-xX,g-rwxs,o-rwxt"
   with_items:
@@ -150,7 +150,7 @@
     - V-72257
 
 - name: Manage motd in pam.d
-  replace:
+  ansible.builtin.replace:
     path: /etc/pam.d/sshd
     regexp: "^(#\\s)?(session\\s*optional\\s*pam_motd.so.*)$"
     replace: '{{ (security_sshd_dynamic_banner_disable | bool) | ternary("# \2", "\2") }}'

tasks/rhel7stig/yum.yml

@@ -14,10 +14,10 @@
 # limitations under the License.
 
 - name: Including rpm tasks
-  include_tasks: rpm.yml
+  ansible.builtin.include_tasks: rpm.yml
 
 - name: Check if /etc/yum/yum-cron.conf exists
-  stat:
+  ansible.builtin.stat:
     path: /etc/yum/yum-cron.conf
   check_mode: false
   register: yum_cron_config_check
@@ -27,7 +27,7 @@
     - always
 
 - name: Enable automatic package updates (yum)
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: /etc/yum/yum-cron.conf
     regexp: "^apply_updates"
     line: "apply_updates = yes"

tasks/rhel7stig/zypper.yml

@@ -15,7 +15,7 @@
 # limitations under the License.
 
 - name: Ensure RPM verification task has finished
-  async_status:
+  ansible.builtin.async_status:
     jid: "{{ rpmverify_task.ansible_job_id }}"
   failed_when: false
   changed_when: false
@@ -31,7 +31,7 @@
     - V-71855
 
 - name: V-71855 - Get files with invalid checksums (rpm)
-  shell: "grep '^..5' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'" # noqa risky-shell-pipe
+  ansible.builtin.shell: "grep '^..5' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'"
   register: invalid_checksum_files
   changed_when: false
   when:
@@ -43,7 +43,7 @@
     - V-71855
 
 - name: V-71855 - The cryptographic hash of system files and commands must match vendor values (rpm)
-  debug:
+  ansible.builtin.debug:
     msg: |
       The following files have checksums that differ from the checksum provided
       with their package. Each of these should be verified manually to ensure
@@ -63,12 +63,12 @@
     - V-71855
 
 - name: Determine all SUSE repositories
-  shell: ls /etc/zypp/repos.d/*.repo
+  ansible.builtin.shell: ls /etc/zypp/repos.d/*.repo
   changed_when: false
   register: all_zypper_repositories
 
 - name: V-71977 - Require digital signatures for all packages and repositories
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: "{{ item }}"
     regexp: "^(#)?\\s*gpgcheck"
     line: "gpgcheck=1"
@@ -84,7 +84,7 @@
     - V-71981
 
 - name: V-71987 - Clean requirements/dependencies when removing packages (SUSE)
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: "{{ pkg_mgr_config }}"
     regexp: "^(#)?\\s*solver\\.cleandepsOnRemove"
     line: "solver.cleandepsOnRemove = true"
@@ -97,7 +97,7 @@
     - V-71987
 
 - name: Enable automatic package updates (SUSE)
-  copy:
+  ansible.builtin.copy:
     src: zypper-autoupdates
     dest: /etc/cron.daily/zypper-autoupdates
     mode: "0750"