Add SSH Variables the proper way, condition entries correct.

Signed-off-by: root@DERVISHx <nuno.carvalho@siemens.com>
2025-12-27 23:43:06 +00:00 · 2023-10-17 15:28:13 +01:00 · 2023-10-17 15:28:13 +01:00 · 8c7d8f1423
commit 8c7d8f1423
parent 2dadff76dc 29828974d0
55 changed files with 339 additions and 262 deletions
--- a/tasks/section_5/cis_5.1.x.yml
+++ b/tasks/section_5/cis_5.1.x.yml
@ -18,7 +18,7 @@
      path: /etc/crontab
      owner: root
      group: root
-      mode: 0600
+      mode: '0600'
  when:
      - rhel9cis_rule_5_1_2
  tags:
@ -34,7 +34,7 @@
      state: directory
      owner: root
      group: root
-      mode: 0700
+      mode: '0700'
  when:
      - rhel9cis_rule_5_1_3
  tags:
@ -50,7 +50,7 @@
      state: directory
      owner: root
      group: root
-      mode: 0700
+      mode: '0700'
  when:
      - rhel9cis_rule_5_1_4
  tags:
@ -66,7 +66,7 @@
      state: directory
      owner: root
      group: root
-      mode: 0700
+      mode: '0700'
  when:
      - rhel9cis_rule_5_1_5
  tags:
@ -81,7 +81,7 @@
      state: directory
      owner: root
      group: root
-      mode: 0700
+      mode: '0700'
  when:
      - rhel9cis_rule_5_1_6
  tags:
@ -96,7 +96,7 @@
      state: directory
      owner: root
      group: root
-      mode: 0700
+      mode: '0700'
  when:
      - rhel9cis_rule_5_1_7
  tags:
@ -124,7 +124,7 @@
            state: '{{ "file" if  rhel9cis_5_1_8_cron_allow_state.stat.exists else "touch" }}'
            owner: root
            group: root
-            mode: 0600
+            mode: '0600'
  when:
      - rhel9cis_rule_5_1_8
  tags:
@ -152,7 +152,7 @@
            state: '{{ "file" if  rhel9cis_5_1_9_at_allow_state.stat.exists else "touch" }}'
            owner: root
            group: root
-            mode: 0600
+            mode: '0600'
  when:
      - rhel9cis_rule_5_1_9
  tags:
--- a/tasks/section_5/cis_5.2.x.yml
+++ b/tasks/section_5/cis_5.2.x.yml
@ -5,7 +5,7 @@
      path: "/etc/ssh/sshd_config"
      owner: root
      group: root
-      mode: 0600
+      mode: '0600'
  when:
      - rhel9cis_rule_5_2_1
  tags:
@ -31,7 +31,7 @@
            path: "{{ item.path }}"
            owner: root
            group: root
-            mode: 0600
+            mode: '0600'
        loop: "{{ rhel9cis_5_2_2_ssh_private_host_key.files }}"
        loop_control:
            label: "{{ item.path }}"
@ -60,7 +60,7 @@
            path: "{{ item.path }}"
            owner: root
            group: root
-            mode: 0644
+            mode: '0644'
        loop: "{{ rhel9cis_5_2_3_ssh_public_host_key.files }}"
        loop_control:
            label: "{{ item.path }}"
--- a/tasks/section_5/cis_5.6.1.x.yml
+++ b/tasks/section_5/cis_5.6.1.x.yml
@ -97,7 +97,8 @@
            - not rhel9cis_futurepwchgdate_autofix

      - name: "5.6.1.5 | AUDIT | Ensure all users last password change date is in the past | warning count"
-        ansible.builtin.import_tasks: warning_facts.yml
+        ansible.builtin.import_tasks:
+            file: warning_facts.yml
        when:
            - rhel9cis_5_6_1_5_user_list.stdout | length > 0
            - not rhel9cis_futurepwchgdate_autofix
--- a/tasks/section_5/cis_5.6.x.yml
+++ b/tasks/section_5/cis_5.6.x.yml
@ -50,7 +50,7 @@
      state: "{{ item.state }}"
      marker: "# {mark} - CIS benchmark - Ansible-lockdown"
      create: true
-      mode: 0644
+      mode: '0644'
      block: |
        TMOUT={{ rhel9cis_shell_session_timeout.timeout }}
        export TMOUT
@ -83,10 +83,10 @@
 - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive"
  block:
      - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/login.defs pam_umask settings"
-        ansible.builtin.lineinfile:
+        ansible.builtin.replace:
            path: "{{ item.path }}"
-            regexp: '(?i)(umask\s*)'
-            line: '{{ item.line }} 027'
+            regexp: (?i)(umask\s+\d\d\d)
+            replace: '{{ item.line }} 027'
        with_items:
            - { path: '/etc/bashrc', line: 'umask' }
            - { path: '/etc/profile', line: 'umask' }
@ -98,12 +98,11 @@
            regexp: '^USERGROUPS_ENAB'
            line: USERGROUPS_ENAB no

-     - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Force umask sessions /etc/pam.d/system-auth"
+      - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Force umask sessions /etc/pam.d/system-auth"
        ansible.builtin.lineinfile:
            path: /etc/pam.d/system-auth
            line: 'session     required            pam_umask.so'
            insertafter: EOF
-
  when:
      - rhel9cis_rule_5_6_5
  tags:
--- a/tasks/section_5/main.yml
+++ b/tasks/section_5/main.yml
@ -3,24 +3,31 @@
 # Access, Authentication, and Authorization

 - name: "SECTION | 5.1 | Configure time-based job schedulers"
-  ansible.builtin.import_tasks: cis_5.1.x.yml
+  ansible.builtin.import_tasks:
+      file: cis_5.1.x.yml

 - name: "SECTION | 5.2 | Configure SSH Server"
-  ansible.builtin.import_tasks: cis_5.2.x.yml
+  ansible.builtin.import_tasks:
+      file: cis_5.2.x.yml
  when:
      - "'openssh-server' in ansible_facts.packages"

 - name: "SECTION | 5.3 | Configure privilege escalation"
-  ansible.builtin.import_tasks: cis_5.3.x.yml
+  ansible.builtin.import_tasks:
+      file: cis_5.3.x.yml

 - name: "SECTION | 5.4 | Configure authselect"
-  ansible.builtin.import_tasks: cis_5.4.x.yml
+  ansible.builtin.import_tasks:
+      file: cis_5.4.x.yml

 - name: "SECTION | 5.5 | Configure PAM "
-  ansible.builtin.import_tasks: cis_5.5.x.yml
+  ansible.builtin.import_tasks:
+      file: cis_5.5.x.yml

 - name: "SECTION | 5.6.1.x | Shadow Password Suite Parameters"
-  ansible.builtin.import_tasks: cis_5.6.1.x.yml
+  ansible.builtin.import_tasks:
+      file: cis_5.6.1.x.yml

 - name: "SECTION | 5.6.x | Misc. User Account Settings"
-  ansible.builtin.import_tasks: cis_5.6.x.yml
+  ansible.builtin.import_tasks:
+      file: cis_5.6.x.yml