ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-24 14:23:05 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 3

Check for existence of sshd_config.d/50-redhat.conf before trying to modify it

Browse source 
Signed-off-by: polski-g <polski_g@sent.at>
This commit is contained in:
polski_g 2025-05-08 11:17:29 -04:00 committed by polski-g
parent 9ee1498c98
commit f564135e72
No known key found for this signature in database
GPG key ID: C077F64D3FFD4D39
2 changed files with 10 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

8
tasks/prelim.yml
View file

@ -246,6 +246,14 @@
mode: 'go-rwx'
state: touch
- name: "PRELIM | PATCH | sshd_config.d/50-redhat.conf exists"
when:
- rhel9cis_rule_5_1_10 or
rhel9cis_rule_5_1_11
ansible.builtin.stat:
path: /etc/ssh/sshd_config.d/50-redhat.conf
register: discovered_sshd_50_redhat_file
- name: "PRELIM | AUDIT | Capture pam security related files"
tags: always
ansible.builtin.find:

2
tasks/section_5/cis_5.1.x.yml
View file

@ -276,6 +276,7 @@
notify: Restart sshd
- name: "5.1.10 | PATCH | Ensure sshd DisableForwarding is enabled | override"
when: discovered_sshd_50_redhat_file.stat.exists
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config.d/50-redhat.conf
regexp: ^(?i)(#|)\s*X11Forwarding
@ -298,6 +299,7 @@
- NIST800-53R5_IA-5
block:
- name: "5.1.11 | PATCH | Ensure sshd GSSAPIAuthentication is disabled | redhat file"
when: discovered_sshd_50_redhat_file.stat.exists
ansible.builtin.lineinfile:
path: /etc/ssh/sshd_config.d/50-redhat.conf
regexp: ^(?i)(#|)\s*GSSAPIAuthentication