Use pipefail for shell module

It's not safe to run pipes without pipefail, but in some cases we
expect the pipe to fail and work around that. In such cases we ignore the rule.

Depends-On: https://review.opendev.org/c/openstack/openstack-ansible-tests/+/784751
Change-Id: I79a630ebe8ff54bc9f4600e1f3c0fda653cc4b71
Dmitriy Rabotyagov 2021-05-19 19:04:54 +03:00 committed by Jonathan Rosser
parent a502ad3ed9
commit a82570f1a5
6 changed files with 9 additions and 9 deletions


@ -28,7 +28,7 @@
- not check_mode | bool
- name: V-71855 - Get files with invalid checksums (apt)
shell: "grep -v OK$ {{ temp_dir }}/debsums.txt | awk '{ print $1 }'"
shell: "grep -v OK$ {{ temp_dir }}/debsums.txt | awk '{ print $1 }'" # noqa risky-shell-pipe
register: invalid_checksum_files
changed_when: False
when:
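Review bot: The `# noqa risky-shell-pipe` on the debsums task silences the lint rule but leaves the problem in place: the pipeline's status is awk's, so if grep cannot read `{{ temp_dir }}/debsums.txt` the task still succeeds with empty output, which looks the same as "no files with invalid checksums". For the V-71855 audit that is a silent false negative. The pipe can be dropped entirely, e.g. `command: "awk '!/OK$/ { print $1 }' {{ temp_dir }}/debsums.txt"`, so a missing or unreadable file fails the task. The same concern applies to the other tasks given this noqa on the page (the sudoers 'nopasswd' check, both rpmverify greps and the world-writable directory search). The task continues past the end of the hunk, so how the registered result is consumed is not visible here.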


@ -106,7 +106,7 @@
# those lines that have a '#' as the first character or '#' as the first
# character following a space (or series of spaces).
- name: Check for 'nopasswd' in sudoers files
shell: 'grep -ir nopasswd /etc/sudoers /etc/sudoers.d/ | egrep -v "^([[:space:]]*)?(#|$)" || echo "not found"'
shell: 'grep -ir nopasswd /etc/sudoers /etc/sudoers.d/ | egrep -v "^([[:space:]]*)?(#|$)" || echo "not found"' # noqa risky-shell-pipe
register: sudoers_nopasswd_check
changed_when: False
when:


@ -14,7 +14,7 @@
# limitations under the License.
- name: V-71849 - Get packages with incorrect file permissions or ownership
shell: "grep '^.M' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'"
shell: "grep '^.M' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'" # noqa risky-shell-pipe
args:
warn: no
register: rpmverify_package_list
@ -119,7 +119,7 @@
- V-72021
- name: Find all world-writable directories
shell: "find / -perm -002 -type d -exec ls -lLd {} \\; | tr -s ' ' | cut -d' ' -f 4,9 | grep -v ^root"
shell: "find / -perm -002 -type d -exec ls -lLd {} \\; | tr -s ' ' | cut -d' ' -f 4,9 | grep -v ^root" # noqa risky-shell-pipe
register: world_writable_dirs
changed_when: False
failed_when: False
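Review bot: In the world-writable directory task the group/path pair is cut out of `ls -l` output by field position (`cut -d' ' -f 4,9`), so any directory whose path contains a space is truncated in the report, and the positions shift if the ls time format differs. Assuming GNU find on the targets, the fields can be printed directly: `find / -perm -002 -type d -printf '%g %p\\n' | grep -v ^root`. Field 4 of `ls -l` is the group, which is why `%g` is used; if the owner was the intent, `%u` is the one to use. With `failed_when: False` visible on this task, a truncated or empty result would not be noticed at run time.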


@ -203,7 +203,7 @@
- V-72213
- name: Check if ClamAV update process is already running
shell: "ps -ef | egrep [f]reshclam -q"
shell: "set -o pipefail; ps -ef | egrep [f]reshclam -q"
register: freshclam_proc
changed_when: False
failed_when: False
@ -364,7 +364,7 @@
- V-72281
- name: Check for interfaces in promiscuous mode
shell: "ip link | grep -i promisc"
shell: "set -o pipefail; ip link | grep -i promisc"
register: promiscuous_interface_check
changed_when: False
failed_when: False
@ -435,7 +435,7 @@
- V-72305
- name: Check to see if snmpd config contains public/private
shell: 'egrep "^[^#].*(public|private)" /etc/snmp/snmpd.conf'
command: 'egrep "^[^#].*(public|private)" /etc/snmp/snmpd.conf'
register: snmp_public_private_check
changed_when: False
failed_when: False
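Review bot: `set -o pipefail` is added to the ClamAV and promiscuous-mode checks without an `executable`, and the shell module runs `/bin/sh` by default; on hosts where that shell has no pipefail support (dash on older Debian/Ubuntu releases, for instance) the `set` itself errors out. Both tasks carry `failed_when: False`, so that error would be swallowed and the registered rc would be non-zero, which is presumably read as "not running" or "no promiscuous interface". Adding `args:` with `executable: /bin/bash` to both tasks makes the option reliable. In the ClamAV task, `-q` also lets egrep exit on the first match, so under pipefail `ps` can be ended by SIGPIPE and turn a match into a non-zero rc.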


@ -30,7 +30,7 @@
- V-71855
- name: V-71855 - Get files with invalid checksums (rpm)
shell: "grep '^..5' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'"
shell: "grep '^..5' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'" # noqa risky-shell-pipe
register: invalid_checksum_files
changed_when: False
when:


@ -31,7 +31,7 @@
- V-71855
- name: V-71855 - Get files with invalid checksums (rpm)
shell: "grep '^..5' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'"
shell: "grep '^..5' {{ temp_dir }}/rpmverify.txt | awk '{ print $NF }'" # noqa risky-shell-pipe
register: invalid_checksum_files
changed_when: False
when: