From 5ab4a1c0ed1f2b637a728b3ce41f7ea501e6a761 Mon Sep 17 00:00:00 2001
From: "root@DERVISHx"
Date: Tue, 17 Oct 2023 13:11:16 +0100
Subject: [PATCH 1/4] Add SSH Variables the proper way, condition entries correct.
Signed-off-by: root@DERVISHx
---
tasks/section_5/cis_5.2.x.yml | 4 ++--
vars/RedHat.yml | 9 +++++++++
2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml
index b139a45..181f624 100644
--- a/tasks/section_5/cis_5.2.x.yml
+++ b/tasks/section_5/cis_5.2.x.yml
@@ -354,14 +354,14 @@ - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Add line in sshd_config for ClientAliveInterval" ansible.builtin.lineinfile: path: "{{ rhel9_cis_sshd_config_file }}" - regexp: '^ClientAliveInterval' + regexp: '^ClientAliveInterval|^#ClientAliveInterval' line: "ClientAliveInterval {{ rhel9cis_sshd['clientaliveinterval'] }}" validate: sshd -t -f %s - name: "5.2.20 | PATCH | Ensure SSH Idle Timeout Interval is configured | Ensure SSH ClientAliveCountMax set to <= 3" ansible.builtin.lineinfile: path: "{{ rhel9_cis_sshd_config_file }}" - regexp: '^ClientAliveCountMax' + regexp: '^ClientAliveCountMax|^#ClientAliveCountMax' line: "ClientAliveCountMax {{ rhel9cis_sshd['clientalivecountmax'] }}" validate: sshd -t -f %s when:
diff --git a/vars/RedHat.yml b/vars/RedHat.yml
index d33b0bc..41a5de8 100644
--- a/vars/RedHat.yml
+++ b/vars/RedHat.yml
@@ -3,3 +3,12 @@ os_gpg_key_pubkey_name: gpg-pubkey-fd431d51-4ae0493b os_gpg_key_pubkey_content: "Red Hat, Inc. (release key 2) fd431d51" + +rhel9cis_sshd: + clientalivecountmax: 3 + clientaliveinterval: 900 + logingracetime: 60 + # allowusers: + allowgroups: root sshd wheel + # denyusers: + # denygroups:
\ No newline at end of file
From e4e0b9d0a33ed7c43daf34f2a0aa9455b551de25 Mon Sep 17 00:00:00 2001
From: "root@DERVISHx"
Date: Tue, 17 Oct 2023 14:17:00 +0100
Subject: [PATCH 2/4] Add SSH Variables the proper way, condition entries correct.
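Review bot: Matching the commented form with `regexp: '^ClientAliveInterval|^#ClientAliveInterval'` (and likewise for ClientAliveCountMax in this hunk, and the Banner regexp changed in patches 2 and 3) still leaves the effective setting unverified: lineinfile replaces the last matching line, whereas sshd applies the first occurrence of a directive and anything pulled in by an earlier `Include` (the stock RHEL 9 file opens with one for sshd_config.d, if that is what `rhel9_cis_sshd_config_file` points at), so an active directive higher in the file or in a drop-in keeps winning while the task reports changed and `validate: sshd -t -f %s` passes, since it checks syntax only. The alternation is also narrower than it looks: `^#ClientAliveInterval` does not match the common `# ClientAliveInterval` form and `^ClientAliveInterval` has no trailing boundary, so `regexp: '^#?\s*ClientAliveInterval\b'` is both simpler and closer to the intent. Consider an audit step that reads `sshd -T` and fails when the two reported values differ from `rhel9cis_sshd`, because that is the only check that reflects what sshd actually enforces. The enclosing task list continues beyond both ends of the hunk.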
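Review bot: Defining `rhel9cis_sshd` with `allowgroups: root sshd wheel` in `vars/RedHat.yml` makes an access-control decision that operators cannot override from inventory, because values loaded from a role's `vars/` directory (as role vars or via include_vars) outrank group_vars, host_vars and play vars; if a task renders it into AllowGroups, every account outside those groups — including the connection user Ansible itself logs in as, when it is not in wheel or sshd — loses SSH access. The commented-out `# allowusers:`, `# denyusers:` and `# denygroups:` keys are simply absent from the mapping, so any task that indexes them the way this patch indexes `rhel9cis_sshd['clientaliveinterval']` fails on an undefined key rather than skipping; either define them explicitly or guard the lookups with `is defined`. Moving the block to `defaults/main.yml` and keeping only OS-specific facts in `vars/` would keep it overridable, which matters for a setting that can lock an operator out of the host.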
Signed-off-by: root@DERVISHx
---
tasks/section_5/cis_5.2.x.yml | 2 +-
vars/RedHat.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml
index 181f624..d3dd9ce 100644
--- a/tasks/section_5/cis_5.2.x.yml
+++ b/tasks/section_5/cis_5.2.x.yml
@@ -278,7 +278,7 @@ - name: "5.2.15 | PATCH | Ensure SSH warning banner is configured" ansible.builtin.lineinfile: path: "{{ rhel9_cis_sshd_config_file }}" - regexp: '^Banner' + regexp: '^#Banner|^Banner' line: 'Banner /etc/issue.net' when: - rhel9cis_rule_5_2_15
diff --git a/vars/RedHat.yml b/vars/RedHat.yml
index 41a5de8..c9d72ce 100644
--- a/vars/RedHat.yml
+++ b/vars/RedHat.yml
@@ -9,6 +9,6 @@ rhel9cis_sshd: clientaliveinterval: 900 logingracetime: 60 # allowusers: - allowgroups: root sshd wheel + allowgroups: sshd wheel # denyusers: # denygroups:
\ No newline at end of file
From 2dadff76dc228dc798edd54ac48ee9f91bcdbb4f Mon Sep 17 00:00:00 2001
From: "root@DERVISHx"
Date: Tue, 17 Oct 2023 15:08:11 +0100
Subject: [PATCH 3/4] Add SSH Variables the proper way, condition entries correct.
Signed-off-by: root@DERVISHx
---
tasks/section_5/cis_5.2.x.yml | 2 +-
vars/RedHat.yml | 4 +++-
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml
index d3dd9ce..34a8f4c 100644
--- a/tasks/section_5/cis_5.2.x.yml
+++ b/tasks/section_5/cis_5.2.x.yml
@@ -278,7 +278,7 @@ - name: "5.2.15 | PATCH | Ensure SSH warning banner is configured" ansible.builtin.lineinfile: path: "{{ rhel9_cis_sshd_config_file }}" - regexp: '^#Banner|^Banner' + regexp: "^#Banner|^Banner" line: 'Banner /etc/issue.net' when: - rhel9cis_rule_5_2_15
diff --git a/vars/RedHat.yml b/vars/RedHat.yml
index c9d72ce..d94dd21 100644
--- a/vars/RedHat.yml
+++ b/vars/RedHat.yml
@@ -4,11 +4,13 @@ os_gpg_key_pubkey_name: gpg-pubkey-fd431d51-4ae0493b os_gpg_key_pubkey_content: "Red Hat, Inc. (release key 2) fd431d51" +# Vars setup for overiding main.yml rhel9cis_sshd: +n Redhat Stream. clientalivecountmax: 3 clientaliveinterval: 900 logingracetime: 60 # allowusers: allowgroups: sshd wheel # denyusers: - # denygroups:
\ No newline at end of file
+ # denygroups:
From d1721f5056c701a1bbc81e428e444908c0e7878c Mon Sep 17 00:00:00 2001
From: "root@DERVISHx"
Date: Tue, 17 Oct 2023 15:33:02 +0100
Subject: [PATCH 4/4] Add SSH Variables the proper way, fix vars.
Signed-off-by: root@DERVISHx
---
vars/RedHat.yml | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/vars/RedHat.yml b/vars/RedHat.yml
index d910330..01c0817 100644
--- a/vars/RedHat.yml
+++ b/vars/RedHat.yml
@@ -4,10 +4,11 @@ os_gpg_key_pubkey_name: gpg-pubkey-fd431d51-4ae0493b os_gpg_key_pubkey_content: "Red Hat, Inc. (release key 2) fd431d51" -<<<<<<< HEAD +# disable repo_gpgcheck due to OS default repos +rhel9cis_rule_enable_repogpg: false + # Vars setup for overiding main.yml rhel9cis_sshd: -n Redhat Stream. clientalivecountmax: 3 clientaliveinterval: 900 logingracetime: 60
@@ -15,7 +16,3 @@ n Redhat Stream. allowgroups: sshd wheel # denyusers: # denygroups: -======= -# disable repo_gpgcheck due to OS default repos -rhel9cis_rule_enable_repogpg: false ->>>>>>> 29828974d0f17bf0e1a997f99d20f2c042f2b4d5
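Review bot: The added line `n Redhat Stream.` directly under `rhel9cis_sshd:` is a stray text fragment, not a mapping entry (the hunk header of patch 4 shows it at column 0), so `vars/RedHat.yml` should no longer parse and the role will fail as soon as it loads its OS vars. The new comment should read `# Vars setup for overriding main.yml`, and naming the file meant (`defaults/main.yml`) would make the precedence intent clear. Patch 4 removes the fragment again and also deletes committed conflict markers, and its base blob `d910330` differs from this patch's result `d94dd21`, which suggests an unreviewed merge in between; squashing patches 3 and 4 would leave no commit in the history at which the role cannot load.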
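Review bot: `rhel9cis_rule_enable_repogpg: false` placed in `vars/RedHat.yml` switches off repository-metadata signature checking for every RedHat-family host in a way inventory cannot override, because role `vars/` sit above group_vars, host_vars and play vars in precedence. If the rule genuinely cannot pass against the vendor repositories, put the default in `defaults/main.yml` so an operator with signed mirrors can re-enable it, and expand the one-line comment so the downgrade is auditable, along the lines of `# repo_gpgcheck is off by default because <name the repositories> do not publish signed repository metadata; package-level gpgcheck is unaffected. Re-enable via group_vars or -e once your mirrors sign repomd.xml.` with the placeholder replaced by what was actually observed. The second hunk deletes the `=======`/`>>>>>>>` markers that reached the tree together with the `<<<<<<< HEAD` removed here, so parent commit `d910330` shipped an unparseable vars file; a `yamllint` or `ansible-lint` step in CI would have rejected it before review. The retained comment still carries the `overiding` typo.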