From 7c4c3f9e4d2ed97749142a8a6d97d352ddccd514 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 6 Sep 2024 14:49:41 +0100
Subject: [PATCH] renamed variable and updated tag
Signed-off-by: Mark Bolwell
---
 defaults/main.yml | 2 +-
 tasks/prelim.yml | 6 +++---
 tasks/section_5/cis_5.1.x.yml | 40 +++++++++++++++++------------------
 3 files changed, 24 insertions(+), 24 deletions(-)
diff --git a/defaults/main.yml b/defaults/main.yml
index c524a55..a246b27 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -750,7 +750,7 @@ rhel9cis_nft_tables_autochaincreate: true
 # This value, containing the absolute filepath of the produced 'sshd' config file, allows usage of
 # drop-in files('/etc/ssh/ssh_config.d/{ssh_drop_in_name}.conf', supported by RHEL9) when CIS adopts them.
 # Otherwise, the default value is '/etc/ssh/ssh_config'.
-rhel9_cis_sshd_config_file: /etc/ssh/sshd_config
+rhel9cis_sshd_config_file: /etc/ssh/sshd_config
 
 ## Controls:
 ## - 5.1.7 - Ensure SSH access is limited
diff --git a/tasks/prelim.yml b/tasks/prelim.yml
index 96e9657..78d1771 100644
--- a/tasks/prelim.yml
+++ b/tasks/prelim.yml
@@ -196,14 +196,14 @@
 # Added to ensure ssh drop in file exists if not default /etc/ssh/sshd_config
 - name: "PRELIM | PATCH | SSH Config file is not exist"
 when:
- rhel9_cis_sshd_config_file != '/etc/ssh/sshd_config'
+ rhel9cis_sshd_config_file != '/etc/ssh/sshd_config'
 - "'openssh-server' in ansible_facts.packages"
 tags:
- ssh
+ always
 - level1_server
 - level1_workstation
 ansible.builtin.file:
- path: "{{ rhel9_cis_sshd_config_file }}"
+ path: "{{ rhel9cis_sshd_config_file }}"
 owner: root
 group: root
 mode: '0600'
diff --git a/tasks/section_5/cis_5.1.x.yml b/tasks/section_5/cis_5.1.x.yml
index b68ae3a..31ba7e2 100644
--- a/tasks/section_5/cis_5.1.x.yml
+++ b/tasks/section_5/cis_5.1.x.yml
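Review bot: `rhel9cis_sshd_config_file` in defaults/main.yml is a user-overridable default, so any inventory or group_vars that still set the old `rhel9_cis_sshd_config_file` will silently stop applying and the role will fall back to editing `/etc/ssh/sshd_config` directly instead of the operator's drop-in; neither the subject line nor the patch records this as a breaking rename. A one-release shim would keep existing overrides working, e.g. `rhel9cis_sshd_config_file: "{{ rhel9_cis_sshd_config_file | default('/etc/ssh/sshd_config') }}"`, or at minimum the rename belongs in the changelog. The comment block above the variable also still talks about the client-side `/etc/ssh/ssh_config.d/...` and `/etc/ssh/ssh_config`, while the value and the `when` test in tasks/prelim.yml use the daemon file `/etc/ssh/sshd_config`; since the definition is being touched, that comment should name the sshd drop-in directory (`/etc/ssh/sshd_config.d`) and `/etc/ssh/sshd_config` as the default.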
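Review bot: The tag change from `ssh` to `always` on the PRELIM task in tasks/prelim.yml alters when the drop-in file is created, but nothing in the task says why; presumably the section 5.1 `lineinfile` tasks, which carry no `always` tag, need the file to exist under any tag-filtered run, since `lineinfile` fails on a missing path unless `create` is set. A comment would stop a later cleanup from reverting it, e.g. `# tagged always: the section 5.1 lineinfile tasks require this file to exist whatever tag subset is selected`. The hunk ends at `mode: '0600'` and the task body may continue past it; if no `state: touch` follows, `ansible.builtin.file` with only owner/group/mode errors on a path that does not yet exist, which is worth confirming.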
@@ -178,7 +178,7 @@
 - name: "5.1.7 | PATCH | Ensure sshd access is configured | Add line to sshd_config for allowusers"
 when: "rhel9cis_sshd_allowusers | length > 0"
 ansible.builtin.lineinfile:
- path: "{{ rhel9_cis_sshd_config_file }}"
+ path: "{{ rhel9cis_sshd_config_file }}"
 regexp: "^AllowUsers"
 line: "AllowUsers {{ rhel9cis_sshd_allowusers }}"
 validate: sshd -t -f %s
@@ -187,7 +187,7 @@
 - name: "5.1.7 | PATCH | Ensure sshd access is configured | Add line to sshd_config for allowgroups"
 when: "rhel9cis_sshd_allowgroups | length > 0"
 ansible.builtin.lineinfile:
- path: "{{ rhel9_cis_sshd_config_file }}"
+ path: "{{ rhel9cis_sshd_config_file }}"
 regexp: "^AllowGroups"
 line: "AllowGroups {{ rhel9cis_sshd_allowgroups }}"
 validate: sshd -t -f %s
@@ -196,7 +196,7 @@
 - name: "5.1.7 | PATCH | Ensure sshd access is configured | Add line to sshd_config for denyusers"
 when: "rhel9cis_sshd_denyusers | length > 0"
 ansible.builtin.lineinfile:
- path: "{{ rhel9_cis_sshd_config_file }}"
+ path: "{{ rhel9cis_sshd_config_file }}"
 regexp: "^DenyUsers"
 line: "DenyUsers {{ rhel9cis_sshd_denyusers }}"
 validate: sshd -t -f %s
@@ -205,7 +205,7 @@
 - name: "5.1.7 | PATCH | Ensure sshd access is configured | Add line to sshd_config for denygroups"
 when: "rhel9cis_sshd_denygroups | length > 0"
 ansible.builtin.lineinfile:
- path: "{{ rhel9_cis_sshd_config_file }}"
+ path: "{{ rhel9cis_sshd_config_file }}"
 regexp: "^DenyGroups"
 line: "DenyGroups {{ rhel9cis_sshd_denygroups }}"
 validate: sshd -t -f %s
@@ -226,7 +226,7 @@
 - NIST800-53R5_CM-7
 - NIST800-53R5_IA-5
 ansible.builtin.lineinfile:
- path: "{{ rhel9_cis_sshd_config_file }}"
+ path: "{{ rhel9cis_sshd_config_file }}"
 regexp: '^Banner'
 line: 'Banner /etc/issue.net'
@@ -247,7 +247,7 @@
 block:
 - name: "5.1.9 | PATCH | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured | Add line in sshd_config for ClientAliveInterval"
 ansible.builtin.lineinfile:
- path: "{{ rhel9_cis_sshd_config_file }}"
+ path: "{{ rhel9cis_sshd_config_file }}"
 regexp: '^ClientAliveInterval'
 line: "ClientAliveInterval {{ rhel9cis_sshd_clientaliveinterval }}"
 validate: sshd -t -f %s
@@ -255,7 +255,7 @@
 - name: "5.1.9 | PATCH | Ensure sshd ClientAliveInterval and ClientAliveCountMax are configured | Ensure SSH ClientAliveCountMax set to <= 3"
 ansible.builtin.lineinfile:
- path: "{{ rhel9_cis_sshd_config_file }}"
+ path: "{{ rhel9cis_sshd_config_file }}"
 regexp: '^ClientAliveCountMax'
 line: "ClientAliveCountMax {{ rhel9cis_sshd_clientalivecountmax }}"
 validate: sshd -t -f %s
@@ -274,7 +274,7 @@
 block:
 - name: "5.1.10 | PATCH | Ensure sshd DisableForwarding is enabled | config file"
 ansible.builtin.lineinfile:
- path: "{{ rhel9_cis_sshd_config_file }}"
+ path: "{{ rhel9cis_sshd_config_file }}"
 regexp: ^(#|)\s*DisableForwarding
 line: 'DisableForwarding yes'
 validate: sshd -t -f %s
@@ -313,7 +313,7 @@
 - name: "5.1.11 | PATCH | Ensure sshd GSSAPIAuthentication is disabled | ssh config"
 ansible.builtin.lineinfile:
- path: "{{ rhel9_cis_sshd_config_file }}"
+ path: "{{ rhel9cis_sshd_config_file }}"
 regexp: ^(?i)(#|)\s*GSSAPIAuthentication
 line: GSSAPIAuthentication no
 validate: sshd -t -f %s
@@ -334,7 +334,7 @@
 - NIST800-53R5_CM-7
 - NIST800-53R5_IA-5
 ansible.builtin.lineinfile:
- path: "{{ rhel9_cis_sshd_config_file }}"
+ path: "{{ rhel9cis_sshd_config_file }}"
 regexp: ^(?i)(#|)\s*HostbasedAuthentication
 line: 'HostbasedAuthentication no'
 validate: sshd -t -f %s
@@ -355,7 +355,7 @@
 - NIST800-53R5_CM-7
 - NIST800-53R5_IA-5
 ansible.builtin.lineinfile:
- path: "{{ rhel9_cis_sshd_config_file }}"
+ path: "{{ rhel9cis_sshd_config_file }}"
 regexp: ^(?i)(#|)\s*IgnoreRhosts
 line: 'IgnoreRhosts yes'
 validate: sshd -t -f %s
@@ -372,7 +372,7 @@
 - rule_5.1.14
 - NIST800-53R5_CM-6
 ansible.builtin.lineinfile:
- path: "{{ rhel9_cis_sshd_config_file }}"
+ path: "{{ rhel9cis_sshd_config_file }}"
 regexp: ^(?i)(#|)\s*LoginGraceTime
 line: "LoginGraceTime {{ rhel9cis_sshd_logingracetime }}"
 validate: sshd -t -f %s
@@ -391,7 +391,7 @@
 - NIST800-53R5_AU-12
 - NIST800-53R5_SI-5
 ansible.builtin.lineinfile:
- path: "{{ rhel9_cis_sshd_config_file }}"
+ path: "{{ rhel9cis_sshd_config_file }}"
 regexp: ^(?i)(#|)\s*LogLevel
 line: 'LogLevel {{ rhel9cis_ssh_loglevel }}'
 validate: sshd -t -f %s
@@ -408,7 +408,7 @@
 - rule_5.1.16
 - NIST800-53R5_AU-3
 ansible.builtin.lineinfile:
- path: "{{ rhel9_cis_sshd_config_file }}"
+ path: "{{ rhel9cis_sshd_config_file }}"
 regexp: '^(#)?MaxAuthTries \d'
 line: 'MaxAuthTries {{ rhel9cis_ssh_maxauthtries }}'
 validate: sshd -t -f %s
@@ -429,7 +429,7 @@
 - NIST800-53R5_CM-7
 - NIST800-53R5_IA-5
 ansible.builtin.lineinfile:
- path: "{{ rhel9_cis_sshd_config_file }}"
+ path: "{{ rhel9cis_sshd_config_file }}"
 regexp: ^(?i)(#|)\s*MaxStartups
 line: 'MaxStartups {{ rhel9cis_ssh_maxstartups }}'
 validate: sshd -t -f %s
@@ -450,7 +450,7 @@
 - NIST800-53R5_CM-7
 - NIST800-53R5_IA-5
 ansible.builtin.lineinfile:
- path: "{{ rhel9_cis_sshd_config_file }}"
+ path: "{{ rhel9cis_sshd_config_file }}"
 regexp: ^(?i)(#|)\s*MaxSessions
 line: 'MaxSessions {{ rhel9cis_ssh_maxsessions }}'
 validate: sshd -t -f %s
@@ -471,7 +471,7 @@
 - NIST800-53R5_CM-7
 - NIST800-53R5_IA-5
 ansible.builtin.lineinfile:
- path: "{{ rhel9_cis_sshd_config_file }}"
+ path: "{{ rhel9cis_sshd_config_file }}"
 regexp: ^(?i)(#|)\s*PermitEmptyPasswords
 line: 'PermitEmptyPasswords no'
 validate: sshd -t -f %s
@@ -490,7 +490,7 @@
 block:
 - name: "5.1.20 | PATCH | Ensure sshd PermitRootLogin is disabled | config file"
 ansible.builtin.lineinfile:
- path: "{{ rhel9_cis_sshd_config_file }}"
+ path: "{{ rhel9cis_sshd_config_file }}"
 regexp: ^(?i)(#|)\s*PermitRootLogin
 line: 'PermitRootLogin no'
 validate: sshd -t -f %s
@@ -517,7 +517,7 @@
 - NIST800-53R5_CM-7
 - NIST800-53R5_IA-5
 ansible.builtin.lineinfile:
- path: "{{ rhel9_cis_sshd_config_file }}"
+ path: "{{ rhel9cis_sshd_config_file }}"
 regexp: ^(?i)(#|)\s*PermitUserEnvironment
 line: 'PermitUserEnvironment no'
 validate: sshd -t -f %s
@@ -538,7 +538,7 @@
 - NIST800-53R5_CM-7
 - NIST800-53R5_IA-5
 ansible.builtin.lineinfile:
- path: "{{ rhel9_cis_sshd_config_file }}"
+ path: "{{ rhel9cis_sshd_config_file }}"
 regexp: ^(?i)(#|)\s*UsePAM
 line: 'UsePAM yes'
 validate: sshd -t -f %s