From 6500e39f4265eb7e7f2ebd414c0d4def366585d9 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 3 Oct 2025 08:19:07 +0100
Subject: [PATCH] Added fix for #399 thanks to @trumbaut
Signed-off-by: Mark Bolwell
---
Changelog.md | 2 +-
tasks/section_5/cis_5.1.x.yml | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/Changelog.md b/Changelog.md
index 4d9dc7c..d4b1b78 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -6,7 +6,7 @@
 - addressed issue #393 thank you to @fragglexarmy
 - addressed issue #394 thank you to @dbeuker
 - addressed issues #390 and #391 thanks to @polski-g
-- addressed issue #398 thanks to trumbaut
+- addressed issue #398 & #399 thanks to trumbaut
 - Added max-concurrent options for audit
 - work flow updates
 - audit logic improvements
diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml
index 42ca036..dc450ea 100644
--- a/tasks/section_5/cis_5.1.x.yml
+++ b/tasks/section_5/cis_5.1.x.yml
@@ -41,8 +41,8 @@
 ansible.builtin.file:
 path: "{{ item.path }}"
 owner: root
- group: root
- mode: 'u-x,go-rwx'
+ group: "{{ 'ssh_keys' if (item.gr_name == 'ssh_keys') else 'root' }}"
+ mode: "{{ 'u-x,g-wx,o-rwx' if (item.gr_name == 'ssh_keys') else 'u-x,go-rwx' }}"
 loop: "{{ discovered_ssh_private_host_key.files }}"
 loop_control:
 label: "{{ item.path }}"
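Review bot: The new `group` and `mode` lines in the cis_5.1.x.yml hunk evaluate the same `item.gr_name == 'ssh_keys'` test twice and give no hint why that single group is allowed to keep read access on a private host key, which is exactly the line an auditor of this hardening role will question. I would add a comment above `ansible.builtin.file:` such as `# CIS permits 0640 on host keys only when the group is ssh_keys (the sshd helper group); any other group is reset to root and all group/other access stripped`, and hoist the test into a task-level `vars:` entry, e.g. `key_grp_is_ssh_keys: "{{ item.gr_name == 'ssh_keys' }}"`, so both expressions reference one name instead of repeating the string literal. It is also worth stating in that comment that the symbolic modes only remove bits, so a key that is already stricter (for example 0600 in group ssh_keys) is left untouched; that is the right direction for remediation and should not later be "fixed" to an absolute 0640. The task header and the `find` that registers `discovered_ssh_private_host_key` are outside this hunk, so I am assuming `gr_name` comes from that module's per-file stat output and is always present for each item.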