From 4995c390a22020454be6625f2bd63c1a04302043 Mon Sep 17 00:00:00 2001
From: Gabe <redhatrises@gmail.com>
Date: Fri, 30 Aug 2019 11:15:22 -0600
Subject: [PATCH 1/5] Remove usage of the SHELL module or get rid of pipe usage

---
 .../no_direct_root_logins/ansible/shared.yml  | 10 ++++-----
 .../ansible/shared.yml                        | 22 +++++++++----------
 .../ansible/shared.yml                        |  4 +---
 .../template_ANSIBLE_service_disabled         | 14 +++++++-----
 4 files changed, 25 insertions(+), 25 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
index 9049733c64..e9a29a24d5 100644
--- a/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-restrictions/root_logins/no_direct_root_logins/ansible/shared.yml
@@ -3,13 +3,13 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- name: Test for existence /etc/cron.allow
+- name: Test for existence of /etc/securetty
   stat:
     path: /etc/securetty
   register: securetty_empty
 
 - name: "Direct root Logins Not Allowed"
-  shell: echo > /etc/securetty
-  args:
-    warn: False
-  changed_when: securetty_empty.stat.size > 1
+  copy:
+    dest: /etc/securetty
+    content: ""
+  when: securetty_empty.stat.size > 1
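Review bot: The new `when: securetty_empty.stat.size > 1` reads `stat.size`, which the stat module only returns when the path exists, so on a host with no /etc/securetty the task errors instead of creating the empty file the rule wants. Guard on existence first: `when: not securetty_empty.stat.exists or securetty_empty.stat.size > 1`. Since `copy` will now create the file when it is missing, consider pinning `owner`, `group` and `mode` on it as well rather than inheriting whatever the umask gives.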
diff --git a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/ansible/shared.yml
index 3ec812835f..cee947e8cc 100644
--- a/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-session/root_paths/accounts_root_path_dirs_no_write/ansible/shared.yml
@@ -3,27 +3,27 @@
 # strategy = restrict
 # complexity = low
 # disruption = medium
-- name: "Fail if user is not root"
+- name: "Print error message if user is not root"
   fail:
     msg: 'Root account required to read root $PATH'
   when: ansible_user != "root"
+  ignore_errors: true
 
 - name: "Get root paths which are not symbolic links"
-  shell: |
-    set -o pipefail
-    tr ":" "\n" <<< "$PATH" | xargs -I% find % -maxdepth 0 -type d
-  args:
-    warn: False
-    executable: /bin/bash
+  stat:
+    path: "{{ item }}"
   changed_when: False
   failed_when: False
   register: root_paths
+  with_items: "{{ ansible_env.PATH.split(':') }}"
   when: ansible_user == "root"
-  check_mode: no
 
 - name: "Disable writability to root directories"
   file:
-    path: "{{ item }}"
+    path: "{{ item.item }}"
     mode: "g-w,o-w"
-  with_items: "{{ root_paths.stdout_lines }}"
-  when: root_paths.stdout_lines is defined
+  with_items: "{{ root_paths.results }}"
+  when:
+    - root_paths.results is defined
+    - item.stat.exists
+    - not item.stat.islnk
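Review bot: The `when` list on the file task reads `item.stat.exists`, but when the stat task was skipped (non-root `ansible_user`, which the `fail` task no longer stops because of `ignore_errors: true`) every entry of `root_paths.results` is a skip record with no `stat` key, so `root_paths.results is defined` passes and the next condition raises an undefined-attribute error. Add `- item.stat is defined` ahead of `- item.stat.exists` (or `- not item.skipped | default(false)`). The loop now iterates `ansible_env.PATH`, which is the PATH gathered with the facts rather than the `$PATH` the removed bash snippet saw at task time; if those can differ under `become`, a comment stating which PATH this rule is meant to harden would help. Relative or empty PATH entries are also passed straight to `stat` now, which the old `find % -maxdepth 0 -type d` silently dropped.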
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
index 7f958e0af5..9a8f91020c 100644
--- a/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_privileged_commands/audit_rules_privileged_commands/ansible/shared.yml
@@ -5,9 +5,7 @@
 # disruption = low
 
 - name: Search for privileged commands
-  shell: |
-    set -o pipefail
-    find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null | cat
+  shell: find / -xdev -type f -perm -4000 -o -type f -perm -2000 2>/dev/null
   args:
     warn: False
     executable: /bin/bash
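Review bot: `executable: /bin/bash` is now stale: with `set -o pipefail` gone nothing in the one-liner is bash-specific, and the `2>/dev/null` redirect is the only reason this still needs `shell` instead of `command`, so either drop the `executable` line or drop the redirect and use `command`. `find` exits 1 when it cannot read an entry; the redirect hides the message but not the status, so unless a `failed_when` is set below the hunk the task can fail on such hosts. `-xdev` also restricts the search to the root filesystem, so setuid/setgid files on a separately mounted /usr or /opt are not collected — worth a comment like `# -xdev: only the root filesystem is scanned`. The task continues past the end of the hunk.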
diff --git a/shared/templates/template_ANSIBLE_service_disabled b/shared/templates/template_ANSIBLE_service_disabled
index 69bf69aaea..07bb8fff0c 100644
--- a/shared/templates/template_ANSIBLE_service_disabled
+++ b/shared/templates/template_ANSIBLE_service_disabled
@@ -4,9 +4,10 @@
 # complexity = low
 # disruption = low
 {{%- if init_system == "systemd" %}}
-- name: "Unit Service Exists"
-  shell: systemctl list-unit-files | grep -q '^{{{ DAEMONNAME }}}.service'
+- name: "Unit Service Exists - {{{ DAEMONNAME }}}.service"
+  command: systemctl list-unit-files {{{ DAEMONNAME }}}.service
   register: service_file_exists
+  changed_when: False
   ignore_errors: True
 
 - name: Disable service {{{ SERVICENAME }}}
@@ -17,11 +18,12 @@
 {{%- if MASK_SERVICE %}}
     masked: "yes"
 {{%- endif %}}
-  when: service_file_exists.rc == 0
+  when: '"{{{ DAEMONNAME }}}.service" in service_file_exists.stdout_lines[1]'
 
-- name: "Unit Socket Exists"
-  shell: systemctl list-unit-files | grep -q '^{{{ DAEMONNAME }}}.socket'
+- name: "Unit Socket Exists - {{{ DAEMONNAME }}}.socket"
+  command: systemctl list-unit-files {{{ DAEMONNAME }}}.socket
   register: socket_file_exists
+  changed_when: False
   ignore_errors: True
 
 - name: Disable socket {{{ SERVICENAME }}}
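Review bot: `when: '"{{{ DAEMONNAME }}}.service" in service_file_exists.stdout_lines[1]'` (and the socket condition in the hunk at `@@ -32,7 +34,7 @@`) indexes the second line of `systemctl list-unit-files` output, which only holds a unit when one matched; when nothing matches the output is a single summary line (or nothing) on the systemd versions I know, so `[1]` raises and the Disable task errors instead of skipping, and the `ignore_errors: True` on the lookup does not cover that `when`. Test the whole output instead, `when: '"{{{ DAEMONNAME }}}.service" in service_file_exists.stdout'`, or add `--no-legend` to the command and test `service_file_exists.stdout_lines | length > 0`. The move to `command:` is sound here, since the unit name is passed to systemctl verbatim without a shell.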
@@ -32,7 +34,7 @@
 {{%- if MASK_SERVICE %}}
     masked: "yes"
 {{%- endif %}}
-  when: socket_file_exists.rc == 0
+  when: '"{{{ DAEMONNAME }}}.socket" in socket_file_exists.stdout_lines[1]'
 
 {{% elif init_system == "upstart" %}}
 - name: Stop {{{ SERVICENAME }}}

From e268f1e07192a5cf343b6ac36053553d1074bd3b Mon Sep 17 00:00:00 2001
From: Gabe <redhatrises@gmail.com>
Date: Fri, 30 Aug 2019 12:53:40 -0600
Subject: [PATCH 2/5] Use command and mount module instead of shell

- Fixes #4783
---
 .../ansible/shared.yml                        | 20 ++++++++-----------
 ...te_ANSIBLE_mount_option_remote_filesystems | 19 ++++++++----------
 2 files changed, 16 insertions(+), 23 deletions(-)

diff --git a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml
index 506c3dee31..6982ce293e 100644
--- a/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml
+++ b/linux_os/guide/services/nfs_and_rpc/nfs_configuring_clients/mounting_remote_filesystems/mount_option_krb_sec_remote_filesystems/ansible/shared.yml
@@ -5,20 +5,16 @@
 # disruption = medium
 
 - name: "Get nfs and nfs4 mount points, that don't have Kerberos security option"
-  shell: |
-    set -o pipefail
-    grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | grep -v "sec=krb5:krb5i:krb5p" | awk '{print $2}'
-  args:
-    warn: False
-    executable: /bin/bash
+  command: findmnt --fstab --types nfs,nfs4 -O nosec=krb5:krb5i:krb5p -n -o TARGET
   register: points_register
   check_mode: no
   changed_when: False
 
-- name: "Add Kerberos security to mount points"
-  shell: awk '$2=="{{ item }}"{$4=$4",sec=krb5:krb5i:krb5p"}1' /etc/fstab > fstab.tmp && mv fstab.tmp /etc/fstab
-  args:
-    warn: False
-  with_items:
-    - "{{ points_register.stdout_lines }}"
+- name: "Add Kerberos security to nfs and nfs4 mount points"
+  mount:
+    path: "{{ item.split()[0] }}"
+    src: "{{ item.split()[1] }}"
+    fstype: "{{ item.split()[2] }}"
+    state: mounted
+    opts: "{{ item.split()[3] }},sec=krb5:krb5i:krb5p"
   when: (points_register.stdout | length > 0)
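Review bot: The new mount task references `item`, but the `with_items` over `points_register.stdout_lines` was removed together with the old shell task and nothing loops it, so `item` is undefined and the task fails on the first host with a non-Kerberos NFS entry (the template hunk at `@@ -5,19 +5,16 @@` has the same omission). This findmnt call additionally selects `-o TARGET`, so each line has one field and `item.split()[1]`..`[3]` would be out of range even with a loop, while the template version omits `-o` and gets the default TARGET SOURCE FSTYPE OPTIONS columns the indices assume. Restore `with_items: "{{ points_register.stdout_lines }}"` and pass `-o TARGET,SOURCE,FSTYPE,OPTIONS` explicitly so the task does not depend on findmnt's default column set. Note also that `state: mounted` (re)mounts the filesystem immediately, whereas the removed awk only rewrote /etc/fstab; if a live remount is not intended for this rule, `state: present` edits fstab only.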
diff --git a/shared/templates/template_ANSIBLE_mount_option_remote_filesystems b/shared/templates/template_ANSIBLE_mount_option_remote_filesystems
index f89c1d7285..f3d6f02d82 100644
--- a/shared/templates/template_ANSIBLE_mount_option_remote_filesystems
+++ b/shared/templates/template_ANSIBLE_mount_option_remote_filesystems
@@ -5,19 +5,16 @@
 # disruption = medium
 
 - name: "Get nfs and nfs4 mount points, that don't have {{{ MOUNTOPTION }}}"
-  shell: |
-    set -o pipefail
-    grep -E "[[:space:]]nfs[4]?[[:space:]]" /etc/fstab | grep -v "{{{ MOUNTOPTION }}}" | awk '{print $2}'
-  args:
-    executable: /bin/bash
+  command: findmnt --fstab --types nfs,nfs4 -O no{{{ MOUNTOPTION }} -n
   register: points_register
   check_mode: no
   changed_when: False
 
-- name: "Add {{{ MOUNTOPTION }}} to mount points"
-  shell: awk '$2=="{{ item }}"{$4=$4",{{{ MOUNTOPTION }}}"}1' /etc/fstab > fstab.tmp && mv fstab.tmp /etc/fstab
-  args:
-    executable: /bin/bash
-  with_items:
-    - "{{ points_register.stdout_lines }}"
+- name: "Add {{{ MOUNTOPTION }}} to nfs and nfs4 mount points"
+  mount:
+    path: "{{ item.split()[0] }}"
+    src: "{{ item.split()[1] }}"
+    fstype: "{{ item.split()[2] }}"
+    state: mounted
+    opts: "{{ item.split()[3] }},{{{ MOUNTOPTION }}}"
   when: (points_register.stdout | length > 0)

From 189a8962ddfc35a516eb468f7df1b66a55d874a6 Mon Sep 17 00:00:00 2001
From: Gabe <redhatrises@gmail.com>
Date: Fri, 30 Aug 2019 15:18:02 -0600
Subject: [PATCH 3/5] Remove usage of shell module in gpgkey install Ansible
 snippet

---
 .../ansible/shared.yml                         | 18 +++++++++---------
 ...ate_ANSIBLE_mount_option_remote_filesystems |  2 +-
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
index 079020f8cd..91a98640ad 100644
--- a/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
+++ b/linux_os/guide/system/software/updating/ensure_redhat_gpgkey_installed/ansible/shared.yml
@@ -14,13 +14,9 @@
 - name: Read signatures in GPG key
   # According to /usr/share/doc/gnupg2/DETAILS fingerprints are in "fpr" record in field 10
   {{% if product == "rhel8" -%}}
-  shell: |
-    set -o pipefail
-    gpg --show-keys --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" | grep -A1 "^pub" | grep "^fpr" | cut -d ":" -f 10
+  command: gpg --show-keys --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
   {{%- else -%}}
-  shell: |
-    set -o pipefail
-    gpg --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release" | grep "^fpr" | cut -d ":" -f 10
+  command: gpg --with-fingerprint --with-colons "/etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"
   {{%- endif %}}
   args:
     warn: False
@@ -29,9 +25,13 @@
   register: gpg_fingerprints
   check_mode: no
 
+- name: Set Fact - Installed GPG Fingerprints
+  set_fact:
+    gpg_installed_fingerprints: "{{ gpg_fingerprints.stdout | regex_findall('^pub.*\n(?:^fpr[:]*)([0-9A-Fa-f]*)', '\\1') | list }}"
+
 - name: Set Fact - Valid fingerprints
   set_fact:
-     gpg_valid_fingerprints: ("{{{ release_key_fingerprint }}}" "{{{ auxiliary_key_fingerprint }}}")
+    gpg_valid_fingerprints: ("{{{ release_key_fingerprint }}}" "{{{ auxiliary_key_fingerprint }}}")
 
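Review bot: `gpg_valid_fingerprints: ("{{{ release_key_fingerprint }}}" "{{{ auxiliary_key_fingerprint }}}")` is a shell-style word list that YAML reads as one string, so the `difference(gpg_valid_fingerprints)` in the hunk at `@@ -39,6 +39,6 @@` does not see the two fingerprints as separate entries and, as far as I can tell, can never report the installed key as valid; this hunk only reindents the line, but the new `gpg_installed_fingerprints` fact is consumed through it. Write it as a YAML list: `gpg_valid_fingerprints: ["{{{ release_key_fingerprint }}}", "{{{ auxiliary_key_fingerprint }}}"]`. Separately, in Ansible's `regex_findall` the third positional argument is `multiline`, not a replacement template, so `'\\1'` only happens to enable multiline matching (which the `(?:^fpr...)` anchor needs) — findall already returns the capture group, so spell it `regex_findall('^pub.*\n(?:^fpr[:]*)([0-9A-Fa-f]*)', multiline=True)`. The same `'\\1'` argument appears in the rpm_verify tasks of PATCH 4 and 5, where it is harmless because each line is matched on its own.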
 - name: Import RedHat GPG key
   rpm_key:
@@ -39,6 +39,6 @@
     key: /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
   when:
    - gpg_key_directory_permission.stat.mode <= '0755'
-   - ( gpg_fingerprints.stdout_lines | difference(gpg_valid_fingerprints)) | length == 0
-   - gpg_fingerprints.stdout_lines | length > 0
+   - (gpg_installed_fingerprints | difference(gpg_valid_fingerprints)) | length == 0
+   - gpg_installed_fingerprints | length > 0
    - ansible_distribution == "RedHat"
diff --git a/shared/templates/template_ANSIBLE_mount_option_remote_filesystems b/shared/templates/template_ANSIBLE_mount_option_remote_filesystems
index f3d6f02d82..a58d7729ec 100644
--- a/shared/templates/template_ANSIBLE_mount_option_remote_filesystems
+++ b/shared/templates/template_ANSIBLE_mount_option_remote_filesystems
@@ -5,7 +5,7 @@
 # disruption = medium
 
 - name: "Get nfs and nfs4 mount points, that don't have {{{ MOUNTOPTION }}}"
-  command: findmnt --fstab --types nfs,nfs4 -O no{{{ MOUNTOPTION }} -n
+  command: findmnt --fstab --types nfs,nfs4 -O no{{{ MOUNTOPTION }}} -n
   register: points_register
   check_mode: no
   changed_when: False

From 047c5d342860745dcc2f80a9f00d30cf25e76348 Mon Sep 17 00:00:00 2001
From: Gabe <redhatrises@gmail.com>
Date: Tue, 3 Sep 2019 14:18:54 -0600
Subject: [PATCH 4/5] Remove shell module usage for rpm verification tasks

- Fixes #4617
---
 .../rpm_verify_hashes/ansible/shared.yml      | 27 ++++++++++++-------
 .../rpm_verify_ownership/ansible/shared.yml   | 11 +++-----
 .../rpm_verify_permissions/ansible/shared.yml | 19 ++++++++-----
 3 files changed, 34 insertions(+), 23 deletions(-)

diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
index 2a38e43c3b..1ba29992ab 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
@@ -1,6 +1,6 @@
 # platform = multi_platform_rhel,multi_platform_fedora,multi_platform_ol,multi_platform_rhv
 # reboot = false
-# strategy = unknown
+# strategy = restrict
 # complexity = high
 # disruption = medium
 - name: "Set fact: Package manager reinstall command (dnf)"
@@ -14,21 +14,30 @@
   when: (ansible_distribution == "RedHat" or ansible_distribution == "OracleLinux")
 
 - name: "Read files with incorrect hash"
-  shell: |
-    set -o pipefail
-    rpm -Va | grep -E '^..5.* /(bin|sbin|lib|lib64|usr)/' | awk '{print $NF}'
+  command: rpm -Va --nodeps --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup --nomode --noconfig --noghost
   args:
     warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect hash using rpm module
-    executable: /bin/bash
   register: files_with_incorrect_hash
   changed_when: False
   failed_when: files_with_incorrect_hash.rc > 1
   when: (package_manager_reinstall_cmd is defined)
-  check_mode: no
+
+- name: Create list of packages
+  command: rpm -qf "{{ item }}"
+  args:
+    warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect hash using rpm module
+  with_items: "{{ files_with_incorrect_hash.stdout_lines | map('regex_findall', '^[.]+[5]+.* (\/.*)', '\\1') | map('join') | select('match', '(\/.*)') | list | unique }}"
+  register: list_of_packages
+  changed_when: False
+  when:
+    - files_with_incorrect_hash.stdout_lines is defined
+    - (files_with_incorrect_hash.stdout_lines | length > 0)
 
 - name: "Reinstall packages of files with incorrect hash"
-  shell: "{{ package_manager_reinstall_cmd }} $(rpm -qf '{{ item }}')"
+  command: "{{ package_manager_reinstall_cmd }} '{{ item }}'"
   args:
     warn: False # Ignore ANSIBLE0006, this task is flexible with regards to package manager
-  with_items: "{{ files_with_incorrect_hash.stdout_lines }}"
-  when: (package_manager_reinstall_cmd is defined and (files_with_incorrect_hash.stdout_lines | length > 0))
+  with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}"
+  when:
+    - files_with_incorrect_hash.stdout_lines is defined
+    - (package_manager_reinstall_cmd is defined and (files_with_incorrect_hash.stdout_lines | length > 0))
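Review bot: The loop expression of the new "Create list of packages" task dereferences `files_with_incorrect_hash.stdout_lines` unconditionally, and Ansible expands a loop before it evaluates the task's `when`, so on hosts where `package_manager_reinstall_cmd` is undefined (the `rpm -Va` task was skipped and registered no `stdout_lines`) the `is defined` guard never runs and the play errors; start the expression with `files_with_incorrect_hash.stdout_lines | default([])` here and in the reinstall task's loop. The regex `'^[.]+[5]+.* (\/.*)'` also widens the rule: the removed grep only acted on files under /bin, /sbin, /lib, /lib64 and /usr, while the new filter accepts any path, so a package whose /var or /opt payload legitimately diverges now gets reinstalled — either keep the path restriction in the regex or state the broader scope in the task comment. Finally, `unique` is applied to a list of `stdout_lines` lists, so duplicate package names survive whenever two files give different `rpm -qf` output; `map(attribute='stdout_lines') | flatten | unique` dedupes the names themselves.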
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
index 9fd07f8da2..1d9720cb82 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
@@ -4,27 +4,24 @@
 # complexity = high
 # disruption = medium
 - name: "Read list of files with incorrect ownership"
-  shell: |
-    set -o pipefail
-    rpm -Va --nofiledigest | awk '{ if (substr($0,6,1)=="U" || substr($0,7,1)=="G") print $NF }'
+  command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev --nocaps --nolinkto --nomode
   args:
     warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect ownership using rpm module
-    executable: /bin/bash
   register: files_with_incorrect_ownership
   failed_when: files_with_incorrect_ownership.rc > 1
   changed_when: False
-  check_mode: no
 
 - name: Create list of packages
   command: rpm -qf "{{ item }}"
   args:
     warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect ownership using rpm module
-  with_items: "{{ files_with_incorrect_ownership.stdout_lines | unique }}"
+  with_items: "{{ files_with_incorrect_ownership.stdout_lines | map('regex_findall', '^[.]+[U|G]+.* (\/.*)', '\\1') | map('join') | select('match', '(\/.*)') | list | unique }}"
   register: list_of_packages
+  changed_when: False
   when: (files_with_incorrect_ownership.stdout_lines | length > 0)
 
 - name: "Correct file ownership with RPM"
-  command: "rpm --quiet --setugids '{{ item }}'"
+  command: "rpm --setperms '{{ item }}'"
   args:
     warn: False # Ignore ANSIBLE0006, we can't correct ownership using rpm module
   with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}"
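Review bot: `[U|G]+` in the ownership regex (here and again in the PATCH 5 hunk at `@@ -15,13 +15,13 @@` of this file) is a character class, so the `|` is a literal pipe rather than alternation; it cannot occur in rpm's attribute column so it is harmless today, but it reads as a mistake and should be `[UG]+`. As in rpm_verify_hashes, `unique` here runs over the per-file `stdout_lines` lists, so `map(attribute='stdout_lines') | flatten | unique` is what actually dedupes package names before the loop flattens them. Adding `changed_when: False` to the `rpm -qf` listing is the right call, since the final task is the only one that modifies the host.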
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml
index a22f03a987..149dbf9fb7 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml
@@ -4,20 +4,25 @@
 # complexity = high
 # disruption = medium
 - name: "Read list of files with incorrect permissions"
-  shell: |
-    set -o pipefail
-    rpm -Va --nofiledigest | awk '{ if (substr($0,2,1)=="M") print $NF }'
+  command: rpm -Va --nodeps --nosignature --nofiledigest --nosize --nomtime --nordev --nocaps --nolinkto --nouser --nogroup
   args:
     warn: False # Ignore ANSIBLE0006, we can't fetch files with incorrect permissions using rpm module
-    executable: /bin/bash
   register: files_with_incorrect_permissions
   failed_when: files_with_incorrect_permissions.rc > 1
   changed_when: False
-  check_mode: no
+
+- name: Create list of packages
+  command: rpm -qf "{{ item }}"
+  args:
+    warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect permissions using rpm module
+  with_items: "{{ files_with_incorrect_permissions.stdout_lines | map('regex_findall', '^[.]+[M]+.* (\/.*)', '\\1') | map('join') | select('match', '(\/.*)') | list | unique }}"
+  register: list_of_packages
+  changed_when: False
+  when: (files_with_incorrect_permissions.stdout_lines | length > 0)
 
 - name: "Correct file permissions with RPM"
-  shell: "rpm --setperms $(rpm -qf '{{ item }}')"
+  command: "rpm --setperms '{{ item }}'"
   args:
     warn: False # Ignore ANSIBLE0006, we can't correct permissions using rpm module
-  with_items: "{{ files_with_incorrect_permissions.stdout_lines }}"
+  with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}"
   when: (files_with_incorrect_permissions.stdout_lines | length > 0)

From 83d241dceafb1b8d8829655b0cdeb44af1b01d2a Mon Sep 17 00:00:00 2001
From: Gabe <redhatrises@gmail.com>
Date: Fri, 6 Sep 2019 11:55:18 -0600
Subject: [PATCH 5/5] Fix regex and escape correctly

---
 .../rpm_verification/rpm_verify_hashes/ansible/shared.yml     | 2 +-
 .../rpm_verification/rpm_verify_ownership/ansible/shared.yml  | 4 ++--
 .../rpm_verify_permissions/ansible/shared.yml                 | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
index 1ba29992ab..0dc09339f4 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_hashes/ansible/shared.yml
@@ -26,7 +26,7 @@
   command: rpm -qf "{{ item }}"
   args:
     warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect hash using rpm module
-  with_items: "{{ files_with_incorrect_hash.stdout_lines | map('regex_findall', '^[.]+[5]+.* (\/.*)', '\\1') | map('join') | select('match', '(\/.*)') | list | unique }}"
+  with_items: "{{ files_with_incorrect_hash.stdout_lines | map('regex_findall', '^[.]+[5]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}"
   register: list_of_packages
   changed_when: False
   when:
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
index 1d9720cb82..d02508808c 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_ownership/ansible/shared.yml
@@ -15,13 +15,13 @@
   command: rpm -qf "{{ item }}"
   args:
     warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect ownership using rpm module
-  with_items: "{{ files_with_incorrect_ownership.stdout_lines | map('regex_findall', '^[.]+[U|G]+.* (\/.*)', '\\1') | map('join') | select('match', '(\/.*)') | list | unique }}"
+  with_items: "{{ files_with_incorrect_ownership.stdout_lines | map('regex_findall', '^[.]+[U|G]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}"
   register: list_of_packages
   changed_when: False
   when: (files_with_incorrect_ownership.stdout_lines | length > 0)
 
 - name: "Correct file ownership with RPM"
-  command: "rpm --setperms '{{ item }}'"
+  command: "rpm --quiet --setugids '{{ item }}'"
   args:
     warn: False # Ignore ANSIBLE0006, we can't correct ownership using rpm module
   with_items: "{{ list_of_packages.results | map(attribute='stdout_lines') | list | unique }}"
diff --git a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml
index 149dbf9fb7..55a37a4235 100644
--- a/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml
+++ b/linux_os/guide/system/software/integrity/software-integrity/rpm_verification/rpm_verify_permissions/ansible/shared.yml
@@ -15,7 +15,7 @@
   command: rpm -qf "{{ item }}"
   args:
     warn: False # Ignore ANSIBLE0006, we can't fetch packages with files with incorrect permissions using rpm module
-  with_items: "{{ files_with_incorrect_permissions.stdout_lines | map('regex_findall', '^[.]+[M]+.* (\/.*)', '\\1') | map('join') | select('match', '(\/.*)') | list | unique }}"
+  with_items: "{{ files_with_incorrect_permissions.stdout_lines | map('regex_findall', '^[.]+[M]+.* (\\/.*)', '\\1') | map('join') | select('match', '(\\/.*)') | list | unique }}"
   register: list_of_packages
   changed_when: False
   when: (files_with_incorrect_permissions.stdout_lines | length > 0)