Ansible remediation of rsyslog_remote_tls contains unnecessary shell commands

[vojtapolasek]

Description of problem:

Ansible remediation of the rule contains the following tasks:

- name: "Get omfwd configuration directive"
  shell: sed -e '/action\s*(\s*type\s*=\s*"omfwd"/,/)/!d' /etc/rsyslog.conf /etc/rsyslog.d/*.conf
  register: include_omfwd_config_output

and

- name: "Get include files directives"
  shell: >
    set -o pipefail
    echo \"{{ include_omfwd_config_output.stdout }}\"|grep  'StreamDriver=\"gtls\"'
  register: include_omfwd_gtls_config_output
  when: (include_omfwd_config_output.stdout_lines| length > 0)

We try to minimize usage of shell commands within our playbooks. I believe that these commands could be replaced by Ansible modules, e.g. replace.

SCAP Security Guide Version:

Master ace670c

Operating System Version:

RHEL 9

Steps to Reproduce:

1. build RHEL9 datastream
2. oscap xccdf generate fix --fix-type ansible --output /tmp/playbook.yml --profile '(all)' build/ssg-rhel9-ds.xmů
3. search for the rsyslog_remote_tls rule within the playbook.yml and view tasks

Actual Results:

Tasks are using shell module.

Expected Results:

Tasks are not using shell module, but some different Ansible module instead. If it is not possible, it is explained with a comment.

Additional Information/Debugging Steps:

[marcusburghardt]

Just for history, this was the last update in this remediation: #9711

I can confirm they could be replaced by other Ansible modules and even be simplified.
The first task could use replace module or possibly even better, the lineinfile module. It depends on how many lines with the same patter might be present.

The second task is not clear to me the respective context, but it seems it could be replaced by set_fact module.