From baf8987a5fd6817f7115b581f0db76ae6037d3ce Mon Sep 17 00:00:00 2001
From: Bas Meijer
Date: Fri, 9 Feb 2024 22:32:09 +0100
Subject: [PATCH] PermitRootLogin found in /etc/ssh/sshd_config.d/01-permitrootlogin.conf
Signed-off-by: Bas Meijer
---
 tasks/section_5/cis_5.2.x.yml | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)
diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml
index 5451cff..659a11d 100644
--- a/tasks/section_5/cis_5.2.x.yml
+++ b/tasks/section_5/cis_5.2.x.yml
@@ -150,11 +150,18 @@
 - rule_5.2.6
 - name: "5.2.7 | PATCH | Ensure SSH root login is disabled"
- ansible.builtin.lineinfile:
- path: "{{ rhel9_cis_sshd_config_file }}"
- regexp: "^#PermitRootLogin|^PermitRootLogin"
- line: 'PermitRootLogin no'
- validate: sshd -t -f %s
+ block:
+ - name: "5.2.7 | PATCH | Ensure SSH root login is disabled | config file"
+ ansible.builtin.lineinfile:
+ path: "{{ rhel9_cis_sshd_config_file }}"
+ regexp: "^#PermitRootLogin|^PermitRootLogin"
+ line: 'PermitRootLogin no'
+ validate: sshd -t -f %s
+ - name: "5.2.7 | PATCH | Ensure SSH root login is disabled | override file"
+ ansible.builtin.file:
+ path: /etc/ssh/sshd_config.d/01-permitrootlogin.conf
+ state: absent
 when:
 - rhel9cis_rule_5_2_7
 tags:
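Review bot: The new `ansible.builtin.file` task only removes the one hard-coded drop-in `/etc/ssh/sshd_config.d/01-permitrootlogin.conf`, so any other `*.conf` under `/etc/ssh/sshd_config.d/` that sets `PermitRootLogin` still takes precedence over the `PermitRootLogin no` written to the main file, because sshd keeps the first value it reads for each keyword and the stock RHEL 9 `sshd_config` includes that directory at the top. A more robust remediation is to additionally install a drop-in that sorts before the others and carries the desired value (sketched below, file name is an example), or to strip `PermitRootLogin` from every drop-in via a `find` loop. The deletion also bypasses the `validate: sshd -t -f %s` check that the sibling `lineinfile` task uses, and whether a `notify:` restarts sshd afterwards cannot be seen here since the enclosing task's `tags:` list continues past the end of the hunk. Consider a comment explaining why this exact file is targeted, e.g. `# 01-permitrootlogin.conf: presumably dropped in by the installer when root SSH login was allowed at install time — confirm`.
```yaml
# … unchanged: "config file" and "override file" tasks …

      - name: "5.2.7 | PATCH | Ensure SSH root login is disabled | early drop-in"
        ansible.builtin.copy:
            dest: /etc/ssh/sshd_config.d/00-cis-permitrootlogin.conf  # example name; must sort before other drop-ins
            content: "PermitRootLogin no\n"
            owner: root
            group: root
            mode: "0600"
            validate: sshd -t -f %s
```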