$ sudo chgrp root /etc/cron.yearly

#!/bin/bash

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-core; then

newgroup=""
if getent group "0" >/dev/null 2>&1; then
  newgroup="0"
fi

if [[ -z "${newgroup}" ]]; then
  >&2 echo "0 is not a defined group on the system"
else
find -P /etc/cron.yearly/ -maxdepth 0 -type d  ! -group 0 -exec chgrp --no-dereference "$newgroup" {} \;

fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-88898-2
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - configure_strategy
  - file_groupowner_cron_yearly
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Set the file_groupowner_cron_yearly_newgroup variable if represented by gid
  ansible.builtin.set_fact:
    file_groupowner_cron_yearly_newgroup: '0'
  when: '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-88898-2
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - configure_strategy
  - file_groupowner_cron_yearly
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure group owner on /etc/cron.yearly/
  ansible.builtin.file:
    path: /etc/cron.yearly/
    follow: false
    state: directory
    group: '{{ file_groupowner_cron_yearly_newgroup }}'
  when: '"kernel-core" in ansible_facts.packages'
  tags:
  - CCE-88898-2
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - configure_strategy
  - file_groupowner_cron_yearly
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed