From 4995c390a22020454be6625f2bd63c1a04302043 Mon Sep 17 00:00:00 2001

From: Gabe <redhatrises@gmail.com>

Date: Fri, 30 Aug 2019 11:15:22 -0600

Subject: [PATCH 1/5] Remove usage of the SHELL module or get rid of pipe usage

---

 .../no_direct_root_logins/ansible/shared.yml  | 10 ++++-----

 .../ansible/shared.yml                        | 22 +++++++++----------

 .../ansible/shared.yml                        |  4 +---

 .../template_ANSIBLE_service_disabled         | 14 +++++++-----

 4 files changed, 25 insertions(+), 25 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml

index 9049733c64..e9a29a24d5 100644

--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml

+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml

@@ -3,13 +3,13 @@

 # strategy = restrict

 # complexity = low

 # disruption = low

-- name: Test for existence /etc/cron.allow

+- name: Test for existence of /etc/securetty

   stat:

     path: /etc/securetty

   register: securetty_empty

 - name: "Direct root Logins Not Allowed"

-  shell: echo > /etc/securetty

-  args:

-    warn: False

-  changed_when: securetty_empty.stat.size > 1

+  copy:

+    dest: /etc/securetty

+    content: ""

+  when: securetty_empty.stat.size > 1

diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/ansible/shared.yml

index 3ec812835f..cee947e8cc 100644

--- a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/ansible/shared.yml

+++ b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/ansible/shared.yml

@@ -3,27 +3,27 @@

 # strategy = restrict

 # complexity = low

 # disruption = medium

-- name: "Fail if user is not root"

+- name: "Print error message if user is not root"

   fail:

     msg: 'Root account required to read root $PATH'

   when: ansible_user != "root"

+  ignore_errors: true

 - name: "Get root paths which are not symbolic links"

-  shell: |

-    set -o pipefail

-    tr ":" "\n" <<< "$PATH" | xargs -I% find % -maxdepth 0 -type d

-  args:

-    warn: False

-    executable: /bin/bash

+  stat:

+    path: "{{ item }}"

   changed_when: False

   failed_when: False

   register: root_paths

+  with_items: "{{ ansible_env.PATH.split(':') }}"

   when: ansible_user == "root"

-  check_mode: no

 - name: "Disable writability to root directories"

   file:

-    path: "{{ item }}"

+    path: "{{ item.item }}"

     mode: "g-w,o-w"

-  with_items: "{{ root_paths.stdout_lines }}"

-  when: root_paths.stdout_lines is defined

+  with_items: "{{ root_paths.results }}"

+  when:

+    - root_paths.results is defined

+    - item.stat.exists

+    - not item.stat.islnk

diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml

index 7f958e0af5..9a8f91020c 100644

--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml

+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml

@@ -5,9 +5,7 @@

 # disruption = low

 - name: Search for privileged commands

-  shell: |

-    set -o pipefail

-    find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null | cat

+  shell: find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null

   args:

     warn: False

     executable: /bin/bash

diff --git a/shared/templates/template_ANSIBLE_service_disabled b/shared/templates/template_ANSIBLE_service_disabled

index 69bf69aaea..07bb8fff0c 100644

--- a/shared/templates/template_ANSIBLE_service_disabled

+++ b/shared/templates/template_ANSIBLE_service_disabled

@@ -4,9 +4,10 @@

 # complexity = low

 # disruption = low

 {{%- if init_system == "systemd" %}}

-- name: "Unit Service Exists"

-  shell: systemctl list-unit-files | grep -q '^{{{ DAEMONNAME }}}.service'

+- name: "Unit Service Exists - {{{ DAEMONNAME }}}.service"

+  command: systemctl list-unit-files {{{ DAEMONNAME }}}.service

   register: service_file_exists

+  changed_when: False

   ignore_errors: True

 - name: Disable service {{{ SERVICENAME }}}

@@ -17,11 +18,12 @@

 {{%- if MASK_SERVICE %}}

     masked: "yes"

 {{%- endif %}}

-  when: service_file_exists.rc == 0

+  when: '"{{{ DAEMONNAME }}}.service" in service_file_exists.stdout_lines[1]'

-- name: "Unit Socket Exists"

-  shell: systemctl list-unit-files | grep -q '^{{{ DAEMONNAME }}}.socket'

+- name: "Unit Socket Exists - {{{ DAEMONNAME }}}.socket"

+  command: systemctl list-unit-files {{{ DAEMONNAME }}}.socket

   register: socket_file_exists

+  changed_when: False

   ignore_errors: True

 - name: Disable socket {{{ SERVICENAME }}}

@@ -32,7 +34,7 @@

 {{%- if MASK_SERVICE %}}

     masked: "yes"

 {{%- endif %}}

-  when: socket_file_exists.rc == 0

+  when: '"{{{ DAEMONNAME }}}.socket" in socket_file_exists.stdout_lines[1]'

 {{% elif init_system == "upstart" %}}

 - name: Stop {{{ SERVICENAME }}}

From e268f1e07192a5cf343b6ac36053553d1074bd3b Mon Sep 17 00:00:00 2001

From: Gabe <redhatrises@gmail.com>

Date: Fri, 30 Aug 2019 12:53:40 -0600

Subject: [PATCH 2/5] Use command and mount module instead of shell

- Fixes #4783

---

 .../ansible/shared.yml                        | 20 ++++++++-----------

 ...te_ANSIBLE_mount_option_remote_filesystems | 19 ++++++++----------

 2 files changed, 16 insertions(+), 23 deletions(-)

diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml

index 506c3dee31..6982ce293e 100644

--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml

+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml

@@ -5,20 +5,16 @@

 # disruption = medium

 - name: "Get nfs and nfs4 mount points, that don't have Kerberos security option"

-  shell: |

-    set -o pipefail

-    grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | grep -v "sec=krb5:krb5i:krb5p" | awk '{print $2}'

-  args:

-    warn: False

-    executable: /bin/bash

+  command: findmnt --fstab --types nfs,nfs4 -O nosec=krb5:krb5i:krb5p -n -o TARGET

   register: points_register

   check_mode: no

   changed_when: False

-- name: "Add Kerberos security to mount points"

-  shell: awk '$2=="{{ item }}"{$4=$4",sec=krb5:krb5i:krb5p"}1' /etc/fstab > fstab.tmp && mv fstab.tmp /etc/fstab

-  args:

-    warn: False

-  with_items:

-    - "{{ points_register.stdout_lines }}"

+- name: "Add Kerberos security to nfs and nfs4 mount points"

+  mount:

+    path: "{{ item.split()[0] }}"

+    src: "{{ item.split()[1] }}"

+    fstype: "{{ item.split()[2] }}"

+    state: mounted

+    opts: "{{ item.split()[3] }},sec=krb5:krb5i:krb5p"

   when: (points_register.stdout | length > 0)

diff --git a/shared/templates/template_ANSIBLE_mount_option_remote_filesystems b/shared/templates/template_ANSIBLE_mount_option_remote_filesystems

index f89c1d7285..f3d6f02d82 100644

--- a/shared/templates/template_ANSIBLE_mount_option_remote_filesystems

+++ b/shared/templates/template_ANSIBLE_mount_option_remote_filesystems

@@ -5,19 +5,16 @@

 # disruption = medium

 - name: "Get nfs and nfs4 mount points, that don't have {{{ MOUNTOPTION }}}"

-  shell: |

-    set -o pipefail

-    grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | grep -v "{{{ MOUNTOPTION }}}" | awk '{print $2}'

-  args:

-    executable: /bin/bash

+  command: findmnt --fstab --types nfs,nfs4 -O no{{{ MOUNTOPTION }} -n

   register: points_register

   check_mode: no

   changed_when: False

-- name: "Add {{{ MOUNTOPTION }}} to mount points"

-  shell: awk '$2=="{{ item }}"{$4=$4",{{{ MOUNTOPTION }}}"}1' /etc/fstab > fstab.tmp && mv fstab.tmp /etc/fstab

-  args:

-    executable: /bin/bash

-  with_items:

-    - "{{ points_register.stdout_lines }}"

+- name: "Add {{{ MOUNTOPTION }}} to nfs and nfs4 mount points"

+  mount:

+    path: "{{ item.split()[0] }}"

+    src: "{{ item.split()[1] }}"

+    fstype: "{{ item.split()[2] }}"

+    state: mounted

+    opts: "{{ item.split()[3] }},{{{ MOUNTOPTION }}}"

   when: (points_register.stdout | length > 0)

From 189a8962ddfc35a516eb468f7df1b66a55d874a6 Mon Sep 17 00:00:00 2001

From: Gabe <redhatrises@gmail.com>

Date: Fri, 30 Aug 2019 15:18:02 -0600

Subject: [PATCH 3/5] Remove usage of shell module in gpgkey install Ansible

 snippet

---

 .../ansible/shared.yml                         | 18 +++++++++---------

 ...ate_ANSIBLE_mount_option_remote_filesystems |  2 +-

 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml

index 079020f8cd..91a98640ad 100644

--- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml

+++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml

@@ -14,13 +14,9 @@

 - name: Read signatures in GPG key

   # According to /usr/share/doc/gnupg2/DETAILS fingerprints are in "fpr" record in field 10

   {{% if product == "rhel8" -%}}

-  shell: |

-    set -o pipefail

-    gpg --show-keys --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" | grep -A1 "^pub" | grep "^fpr" | cut -d ":" -f 10

+  command: gpg --show-keys --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"

   {{%- else -%}}

-  shell: |

-    set -o pipefail

-    gpg --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" | grep "^fpr" | cut -d ":" -f 10

+  command: gpg --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"

   {{%- endif %}}

   args:

     warn: False

@@ -29,9 +25,13 @@

   register: gpg_fingerprints

   check_mode: no

+- name: Set Fact - Installed GPG Fingerprints

+  set_fact:

+    gpg_installed_fingerprints: "{{ gpg_fingerprints.stdout | regex_findall('^pub.*\n(?:^fpr[:]*)([0-9A-Fa-f]*)', '\\1') | list }}"

+

 - name: Set Fact - Valid fingerprints

   set_fact:

-     gpg_valid_fingerprints: ("{{{ release_key_fingerprint }}}" "{{{ auxiliary_key_fingerprint }}}")

+    gpg_valid_fingerprints: ("{{{ release_key_fingerprint }}}" "{{{ auxiliary_key_fingerprint }}}")

 - name: Import RedHat GPG key

   rpm_key:

@@ -39,6 +39,6 @@

     key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release

   when:

    - gpg_key_directory_permission.stat.mode <= '0755'

-   - ( gpg_fingerprints.stdout_lines | difference(gpg_valid_fingerprints)) | length == 0

-   - gpg_fingerprints.stdout_lines | length > 0

+   - (gpg_installed_fingerprints | difference(gpg_valid_fingerprints)) | length == 0

+   - gpg_installed_fingerprints | length > 0

    - ansible_distribution == "RedHat"

diff --git a/shared/templates/template_ANSIBLE_mount_option_remote_filesystems b/shared/templates/template_ANSIBLE_mount_option_remote_filesystems

index f3d6f02d82..a58d7729ec 100644

--- a/shared/templates/template_ANSIBLE_mount_option_remote_filesystems

+++ b/shared/templates/template_ANSIBLE_mount_option_remote_filesystems

@@ -5,7 +5,7 @@

 # disruption = medium

 - name: "Get nfs and nfs4 mount points, that don't have {{{ MOUNTOPTION }}}"

-  command: findmnt --fstab --types nfs,nfs4 -O no{{{ MOUNTOPTION }} -n

+  command: findmnt --fstab --types nfs,nfs4 -O no{{{ MOUNTOPTION }}} -n

   register: points_register

   check_mode: no

   changed_when: False

From 047c5d342860745dcc2f80a9f00d30cf25e76348 Mon Sep 17 00:00:00 2001

From: Gabe <redhatrises@gmail.com>

Date: Tue, 3 Sep 2019 14:18:54 -0600

Subject: [PATCH 4/5] Remove shell module usage for rpm verification tasks

- Fixes #4617

---

 .../rpm_verify_hashes/ansible/shared.yml      | 27 ++++++++++++-------

 .../rpm_verify_ownership/ansible/shared.yml   | 11 +++-----

 .../rpm_verify_permissions/ansible/shared.yml | 19 ++++++++-----

 3 files changed, 34 insertions(+), 23 deletions(-)

diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml

index 2a38e43c3b..1ba29992ab 100644

--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml

+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml

@@ -1,6 +1,6 @@

 # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv

 # reboot = false

-# strategy = unknown

+# strategy = restrict

 # complexity = high

 # disruption = medium

 - name: "Set fact: Package manager reinstall command (dnf)"

@@ -14,21 +14,30 @@

   when: (ansible_distribution == "RedHat" or ansible_distribution == "OracleLinux")

 - name: "Read files with incorrect hash"

-  shell: |

-    set -o pipefail

-    rpm -Va | grep -E '^..5.* /(bin|sbin|lib|lib64|usr)/' | awk '{print $NF}'

+  command: rpm -Va --nodeps --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup --nomode --noconfig --noghost

   args:

     warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect hash using rpm module

-    executable: /bin/bash

   register: files_with_incorrect_hash

   changed_when: False

   failed_when: files_with_incorrect_hash.rc > 1

   when: (package_manager_reinstall_cmd is defined)

-  check_mode: no

+

+- name: Create list of packages

+  command: rpm -qf "{{ item }}"

+  args:

+    warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect hash using rpm module

+  with_items: "{{ files_with_incorrect_hash.stdout_lines | map('regex_findall', '^[.]+[5]+.* (\/.*)', '\\1') | map('join') | select('match', '(\/.*)') | list | unique }}"

+  register: list_of_packages

+  changed_when: False

+  when:

+    - files_with_incorrect_hash.stdout_lines is defined

+    - (files_with_incorrect_hash.stdout_lines | length > 0)

 - name: "Reinstall packages of files with incorrect hash"

-  shell: "{{ package_manager_reinstall_cmd }} $(rpm -qf '{{ item }}')"

+  command: "{{ package_manager_reinstall_cmd }} '{{ item }}'"

   args:

     warn: False # Ignore ANSIBLE0006, this task is flexible with regards to package manager

-  with_items: "{{ files_with_incorrect_hash.stdout_lines }}"

-  when: (package_manager_reinstall_cmd is defined and (files_with_incorrect_hash.stdout_lines | length > 0))

+  with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}"

+  when:

+    - files_with_incorrect_hash.stdout_lines is defined

+    - (package_manager_reinstall_cmd is defined and (files_with_incorrect_hash.stdout_lines | length > 0))

diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml

index 9fd07f8da2..1d9720cb82 100644

--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml

+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml

@@ -4,27 +4,24 @@

 # complexity = high

 # disruption = medium

 - name: "Read list of files with incorrect ownership"

-  shell: |

-    set -o pipefail

-    rpm -Va --nofiledigest | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }'

+  command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev --nocaps --nolinkto --nomode

   args:

     warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect ownership using rpm module

-    executable: /bin/bash

   register: files_with_incorrect_ownership

   failed_when: files_with_incorrect_ownership.rc > 1

   changed_when: False

-  check_mode: no

 - name: Create list of packages

   command: rpm -qf "{{ item }}"

   args:

     warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect ownership using rpm module

-  with_items: "{{ files_with_incorrect_ownership.stdout_lines | unique }}"

+  with_items: "{{ files_with_incorrect_ownership.stdout_lines | map('regex_findall', '^[.]+[U|G]+.* (\/.*)', '\\1') | map('join') | select('match', '(\/.*)') | list | unique }}"

   register: list_of_packages

+  changed_when: False

   when: (files_with_incorrect_ownership.stdout_lines | length > 0)

 - name: "Correct file ownership with RPM"

-  command: "rpm --quiet --setugids '{{ item }}'"

+  command: "rpm --setperms '{{ item }}'"

   args:

     warn: False # Ignore ANSIBLE0006, we can't correct ownership using rpm module

   with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}"

diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml

index a22f03a987..149dbf9fb7 100644

--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml

+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml

@@ -4,20 +4,25 @@

 # complexity = high

 # disruption = medium

 - name: "Read list of files with incorrect permissions"

-  shell: |

-    set -o pipefail

-    rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }'

+  command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup

   args:

     warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect permissions using rpm module

-    executable: /bin/bash

   register: files_with_incorrect_permissions

   failed_when: files_with_incorrect_permissions.rc > 1

   changed_when: False

-  check_mode: no

+

+- name: Create list of packages

+  command: rpm -qf "{{ item }}"

+  args:

+    warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect permissions using rpm module

+  with_items: "{{ files_with_incorrect_permissions.stdout_lines | map('regex_findall', '^[.]+[M]+.* (\/.*)', '\\1') | map('join') | select('match', '(\/.*)') | list | unique }}"

+  register: list_of_packages

+  changed_when: False

+  when: (files_with_incorrect_permissions.stdout_lines | length > 0)

 - name: "Correct file permissions with RPM"

-  shell: "rpm --setperms $(rpm -qf '{{ item }}')"

+  command: "rpm --setperms '{{ item }}'"

   args:

     warn: False # Ignore ANSIBLE0006, we can't correct permissions using rpm module

-  with_items: "{{ files_with_incorrect_permissions.stdout_lines }}"

+  with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}"

   when: (files_with_incorrect_permissions.stdout_lines | length > 0)

From 83d241dceafb1b8d8829655b0cdeb44af1b01d2a Mon Sep 17 00:00:00 2001

From: Gabe <redhatrises@gmail.com>

Date: Fri, 6 Sep 2019 11:55:18 -0600

Subject: [PATCH 5/5] Fix regex and escape correctly

---

 .../rpm_verification/rpm_verify_hashes/ansible/shared.yml     | 2 +-

 .../rpm_verification/rpm_verify_ownership/ansible/shared.yml  | 4 ++--

 .../rpm_verify_permissions/ansible/shared.yml                 | 2 +-

 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml

index 1ba29992ab..0dc09339f4 100644

--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml

+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml

@@ -26,7 +26,7 @@

   command: rpm -qf "{{ item }}"

   args:

     warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect hash using rpm module

-  with_items: "{{ files_with_incorrect_hash.stdout_lines | map('regex_findall', '^[.]+[5]+.* (\/.*)', '\\1') | map('join') | select('match', '(\/.*)') | list | unique }}"

+  with_items: "{{ files_with_incorrect_hash.stdout_lines | map('regex_findall', '^[.]+[5]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}"

   register: list_of_packages

   changed_when: False

   when:

diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml

index 1d9720cb82..d02508808c 100644

--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml

+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml

@@ -15,13 +15,13 @@

   command: rpm -qf "{{ item }}"

   args:

     warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect ownership using rpm module

-  with_items: "{{ files_with_incorrect_ownership.stdout_lines | map('regex_findall', '^[.]+[U|G]+.* (\/.*)', '\\1') | map('join') | select('match', '(\/.*)') | list | unique }}"

+  with_items: "{{ files_with_incorrect_ownership.stdout_lines | map('regex_findall', '^[.]+[U|G]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}"

   register: list_of_packages

   changed_when: False

   when: (files_with_incorrect_ownership.stdout_lines | length > 0)

 - name: "Correct file ownership with RPM"

-  command: "rpm --setperms '{{ item }}'"

+  command: "rpm --quiet --setugids '{{ item }}'"

   args:

     warn: False # Ignore ANSIBLE0006, we can't correct ownership using rpm module

   with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}"

diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml

index 149dbf9fb7..55a37a4235 100644

--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml

+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml

@@ -15,7 +15,7 @@

   command: rpm -qf "{{ item }}"

   args:

     warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect permissions using rpm module

-  with_items: "{{ files_with_incorrect_permissions.stdout_lines | map('regex_findall', '^[.]+[M]+.* (\/.*)', '\\1') | map('join') | select('match', '(\/.*)') | list | unique }}"

+  with_items: "{{ files_with_incorrect_permissions.stdout_lines | map('regex_findall', '^[.]+[M]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}"

   register: list_of_packages

   changed_when: False

   when: (files_with_incorrect_permissions.stdout_lines | length > 0)