Merge branch 'siemens/feat/ensure_SSH_access_is_limited_5_2_4' into 'siemens/rhel9/devel'

Fix regex with commented entries avoid dupes. See merge request infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/rhel9-cis!6
2025-12-27 15:33:06 +00:00 · 2023-10-17 16:43:21 +02:00 · 2023-10-17 16:43:21 +02:00 · be0a0de9d1
commit be0a0de9d1
parent 29828974d0 d1721f5056
2 changed files with 12 additions and 2 deletions
--- a/tasks/section_5/cis_5.2.x.yml
+++ b/tasks/section_5/cis_5.2.x.yml
@ -278,7 +278,7 @@
 - name: "5.2.15 | PATCH | Ensure SSH warning banner is configured"
  ansible.builtin.lineinfile:
      path: "{{ rhel9_cis_sshd_config_file }}"
-      regexp: '^Banner'
+      regexp: "^#Banner|^Banner"
      line: 'Banner /etc/issue.net'
  when:
      - rhel9cis_rule_5_2_15
@ -354,7 +354,7 @@
      - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Add line in sshd_config for ClientAliveInterval"
        ansible.builtin.lineinfile:
            path: "{{ rhel9_cis_sshd_config_file }}"
-            regexp: '^ClientAliveInterval'
+            regexp: '^ClientAliveInterval|^#ClientAliveInterval'
            line: "ClientAliveInterval {{ rhel9cis_sshd['clientaliveinterval'] }}"
            validate: sshd -t -f %s

--- a/vars/RedHat.yml
+++ b/vars/RedHat.yml
@ -6,3 +6,13 @@ os_gpg_key_pubkey_content: "Red Hat, Inc. (release key 2) <security@redhat.com>

 # disable repo_gpgcheck due to OS default repos
 rhel9cis_rule_enable_repogpg: false
+
+# Vars setup for overiding main.yml
+rhel9cis_sshd:
+    clientalivecountmax: 3
+    clientaliveinterval: 900
+    logingracetime: 60
+    # allowusers: 
+    allowgroups: sshd wheel
+    # denyusers:
+    # denygroups: