updated yamllint, company naming, linting and spacing

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2024-12-04 11:45:13 +00:00 · 2024-12-04 11:45:13 +00:00 · 2de8a39cdc
commit 2de8a39cdc
parent 1b694832bb
66 changed files with 461 additions and 675 deletions
--- a/tasks/section_5/cis_5.1.x.yml
+++ b/tasks/section_5/cis_5.1.x.yml
@ -1,8 +1,7 @@
 ---

 - name: "5.1.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured"
-  when:
-    - rhel9cis_rule_5_1_1
+  when: rhel9cis_rule_5_1_1
  tags:
    - level1-server
    - level1-workstation
@ -16,11 +15,10 @@
    path: "/etc/ssh/sshd_config"
    owner: root
    group: root
-    mode: '0600'
+    mode: 'go-rwx'

 - name: "5.1.2 | PATCH | Ensure permissions on SSH private host key files are configured"
-  when:
-    - rhel9cis_rule_5_1_2
+  when: rhel9cis_rule_5_1_2
  tags:
    - level1-server
    - level1-workstation
@ -50,8 +48,7 @@
        label: "{{ item.path }}"

 - name: "5.1.3 | PATCH | Ensure permissions on SSH public host key files are configured"
-  when:
-    - rhel9cis_rule_5_1_3
+  when: rhel9cis_rule_5_1_3
  tags:
    - level1-server
    - level1-workstation
@ -98,7 +95,7 @@
        dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKCIPHERS.pmod
        owner: root
        group: root
-        mode: '0640'
+        mode: 'g-wx,o-rwx'
      notify:
        - Update Crypto Policy
        - Set Crypto Policy
@ -126,7 +123,7 @@
        dest: /etc/crypto-policies/policies/modules/NO-SHA1.pmod
        owner: root
        group: root
-        mode: '0640'
+        mode: 'g-wx,o-rwx'
      notify:
        - Update Crypto Policy
        - Set Crypto Policy
@ -154,7 +151,7 @@
        dest: /etc/crypto-policies/policies/modules/NO-SSHWEAKMACS.pmod
        owner: root
        group: root
-        mode: '0640'
+        mode: 'g-wx,o-rwx'
      notify:
        - Update Crypto Policy
        - Set Crypto Policy
@ -164,8 +161,7 @@
        rhel9cis_crypto_policy_module: "{{ rhel9cis_crypto_policy_module + ':' + 'NO-SSHWEAKMACS' }}"

 - name: "5.1.7 | PATCH | Ensure sshd access is configured"
-  when:
-    - rhel9cis_rule_5_1_7
+  when: rhel9cis_rule_5_1_7
  tags:
    - level1-server
    - level1-workstation
@ -212,8 +208,7 @@
      notify: Restart sshd

 - name: "5.1.8 | PATCH | Ensure sshd Banner is configured"
-  when:
-    - rhel9cis_rule_5_1_8
+  when: rhel9cis_rule_5_1_8
  tags:
    - level1-server
    - level1-workstation
@ -231,8 +226,7 @@
    line: 'Banner /etc/issue.net'

 - name: "5.1.9 | PATCH | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured"
-  when:
-    - rhel9cis_rule_5_1_9
+  when: rhel9cis_rule_5_1_9
  tags:
    - level1-server
    - level1-workstation
@ -262,8 +256,7 @@
      notify: Restart sshd

 - name: "5.1.10 | PATCH | Ensure sshd DisableForwarding is enabled"
-  when:
-    - rhel9cis_rule_5_1_10
+  when: rhel9cis_rule_5_1_10
  tags:
    - level2-server
    - level1-workstation
@ -289,8 +282,7 @@
      notify: Restart sshd

 - name: "5.1.11 | PATCH | Ensure sshd GSSAPIAuthentication is disabled"
-  when:
-    - rhel9cis_rule_5_1_11
+  when: rhel9cis_rule_5_1_11
  tags:
    - level1-server
    - level1-workstation
@ -320,8 +312,7 @@
      notify: Restart sshd

 - name: "5.1.12 | PATCH | Ensure sshd HostbasedAuthentication is disabled"
-  when:
-    - rhel9cis_rule_5_1_12
+  when: rhel9cis_rule_5_1_12
  tags:
    - level1-server
    - level1-workstation
@ -341,8 +332,7 @@
  notify: Restart sshd

 - name: "5.1.13 | PATCH | Ensure sshd IgnoreRhosts is enabled"
-  when:
-    - rhel9cis_rule_5_1_13
+  when: rhel9cis_rule_5_1_13
  tags:
    - level1-server
    - level1-workstation
@ -362,8 +352,7 @@
  notify: Restart sshd

 - name: "5.1.14 | PATCH | Ensure sshd LoginGraceTime is set to one minute or less"
-  when:
-    - rhel9cis_rule_5_1_14
+  when: rhel9cis_rule_5_1_14
  tags:
    - level1-server
    - level1-workstation
@ -379,8 +368,7 @@
  notify: Restart sshd

 - name: "5.1.15 | PATCH | Ensure sshd LogLevel is appropriate"
-  when:
-    - rhel9cis_rule_5_1_15
+  when: rhel9cis_rule_5_1_15
  tags:
    - level1-server
    - level1-workstation
@ -398,8 +386,7 @@
  notify: Restart sshd

 - name: "5.1.16 | PATCH | Ensure sshd MaxAuthTries is set to 4 or less"
-  when:
-    - rhel9cis_rule_5_1_16
+  when: rhel9cis_rule_5_1_16
  tags:
    - level1-server
    - level1-workstation
@ -415,8 +402,7 @@
  notify: Restart sshd

 - name: "5.1.17 | PATCH | Ensure sshd MaxStartups is configured"
-  when:
-    - rhel9cis_rule_5_1_17
+  when: rhel9cis_rule_5_1_17
  tags:
    - level1-server
    - level1-workstation
@ -436,8 +422,7 @@
  notify: Restart sshd

 - name: "5.1.18 | PATCH | Ensure SSH MaxSessions is set to 10 or less"
-  when:
-    - rhel9cis_rule_5_1_18
+  when: rhel9cis_rule_5_1_18
  tags:
    - level1-server
    - level1-workstation
@ -457,8 +442,7 @@
  notify: Restart sshd

 - name: "5.1.19 | PATCH | Ensure sshd PermitEmptyPasswords is disabled"
-  when:
-    - rhel9cis_rule_5_1_19
+  when: rhel9cis_rule_5_1_19
  tags:
    - level1-server
    - level1-workstation
@ -478,8 +462,7 @@
  notify: Restart sshd

 - name: "5.1.20 | PATCH | Ensure sshd PermitRootLogin is disabled"
-  when:
-    - rhel9cis_rule_5_1_20
+  when: rhel9cis_rule_5_1_20
  tags:
    - level1-server
    - level1-workstation
@ -503,8 +486,7 @@
      notify: Restart sshd

 - name: "5.1.21 | PATCH | Ensure sshd PermitUserEnvironment is disabled"
-  when:
-    - rhel9cis_rule_5_1_21
+  when: rhel9cis_rule_5_1_21
  tags:
    - level1-server
    - level1-workstation
@ -524,8 +506,7 @@
  notify: Restart sshd

 - name: "5.1.22 | PATCH | Ensure SSH PAM is enabled"
-  when:
-    - rhel9cis_rule_5_1_22
+  when: rhel9cis_rule_5_1_22
  tags:
    - level1-server
    - level1-workstation