Add insensitive option to ansible_lineinfile macro #12314
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
openshift-ci
bot
added
do-not-merge/work-in-progress
|
Hi @yunimoo. Thanks for your PR. I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
|
Start a new ephemeral environment with changes proposed in this pull request: rhel8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
|
This datastream diff is auto generated by the check Click here to see the trimmed diffansible remediation for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy
@@ -11,7 +11,7 @@
lineinfile:
path: /etc/crypto-policies/back-ends/openssh.config
create: true
- regexp: ^.*Ciphers\s+
+ regexp: (?i)^.*Ciphers\s+
state: absent
check_mode: true
changed_when: false
@@ -21,7 +21,7 @@
lineinfile:
path: /etc/crypto-policies/back-ends/openssh.config
create: true
- regexp: ^.*Ciphers\s+
+ regexp: (?i)^.*Ciphers\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -29,7 +29,7 @@
lineinfile:
path: /etc/crypto-policies/back-ends/openssh.config
create: true
- regexp: ^.*Ciphers\s+
+ regexp: (?i)^.*Ciphers\s+
line: Ciphers {{ sshd_approved_ciphers }}
state: present
tags:
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy
@@ -11,7 +11,7 @@
lineinfile:
path: /etc/crypto-policies/back-ends/openssh.config
create: true
- regexp: ^.*MACs\s+
+ regexp: (?i)^.*MACs\s+
state: absent
check_mode: true
changed_when: false
@@ -21,7 +21,7 @@
lineinfile:
path: /etc/crypto-policies/back-ends/openssh.config
create: true
- regexp: ^.*MACs\s+
+ regexp: (?i)^.*MACs\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -29,7 +29,7 @@
lineinfile:
path: /etc/crypto-policies/back-ends/openssh.config
create: true
- regexp: ^.*MACs\s+
+ regexp: (?i)^.*MACs\s+
line: MACs {{ sshd_approved_macs }}
state: present
tags:
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_local' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_local
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_local
@@ -15,6 +15,7 @@
lineinfile:
path: /etc/security/pwquality.conf
create: true
+ regexp: ''
line: local_users_only
state: present
when: '"pam" in ansible_facts.packages'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_root' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_root
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_root
@@ -18,6 +18,7 @@
lineinfile:
path: /etc/security/pwquality.conf
create: true
+ regexp: ''
line: enforce_for_root
state: present
when: '"pam" in ansible_facts.packages'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_configure_tmux_lock_after_time' differs.
--- xccdf_org.ssgproject.content_rule_configure_tmux_lock_after_time
+++ xccdf_org.ssgproject.content_rule_configure_tmux_lock_after_time
@@ -18,7 +18,7 @@
lineinfile:
path: /etc/tmux.conf
create: true
- regexp: ^\s*set -g lock-after-time\s+
+ regexp: (?i)^\s*set -g lock-after-time\s+
mode: '0644'
state: absent
check_mode: true
@@ -29,7 +29,7 @@
lineinfile:
path: /etc/tmux.conf
create: true
- regexp: ^\s*set -g lock-after-time\s+
+ regexp: (?i)^\s*set -g lock-after-time\s+
mode: '0644'
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -38,7 +38,7 @@
lineinfile:
path: /etc/tmux.conf
create: true
- regexp: ^\s*set -g lock-after-time\s+
+ regexp: (?i)^\s*set -g lock-after-time\s+
mode: '0644'
line: set -g lock-after-time 900
state: present
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_configure_tmux_lock_command' differs.
--- xccdf_org.ssgproject.content_rule_configure_tmux_lock_command
+++ xccdf_org.ssgproject.content_rule_configure_tmux_lock_command
@@ -21,7 +21,7 @@
lineinfile:
path: /etc/tmux.conf
create: true
- regexp: ^\s*set -g lock-command\s+
+ regexp: (?i)^\s*set -g lock-command\s+
mode: '0644'
state: absent
check_mode: true
@@ -32,7 +32,7 @@
lineinfile:
path: /etc/tmux.conf
create: true
- regexp: ^\s*set -g lock-command\s+
+ regexp: (?i)^\s*set -g lock-command\s+
mode: '0644'
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -41,7 +41,7 @@
lineinfile:
path: /etc/tmux.conf
create: true
- regexp: ^\s*set -g lock-command\s+
+ regexp: (?i)^\s*set -g lock-command\s+
mode: '0644'
line: set -g lock-command vlock
state: present
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_configure_tmux_lock_keybinding' differs.
--- xccdf_org.ssgproject.content_rule_configure_tmux_lock_keybinding
+++ xccdf_org.ssgproject.content_rule_configure_tmux_lock_keybinding
@@ -15,7 +15,7 @@
lineinfile:
path: /etc/tmux.conf
create: true
- regexp: \s*bind\s+\w\s+lock-session.*$
+ regexp: (?i)\s*bind\s+\w\s+lock-session.*$
mode: '0644'
state: absent
check_mode: true
@@ -38,7 +38,7 @@
lineinfile:
path: /etc/tmux.conf
create: true
- regexp: \s*bind\s+\w\s+lock-session.*$
+ regexp: (?i)\s*bind\s+\w\s+lock-session.*$
mode: '0644'
state: absent
when:
@@ -59,7 +59,7 @@
lineinfile:
path: /etc/tmux.conf
create: true
- regexp: \s*bind\s+\w\s+lock-session.*$
+ regexp: (?i)\s*bind\s+\w\s+lock-session.*$
mode: '0644'
line: bind X lock-session
state: present
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_have_homedir_login_defs' differs.
--- xccdf_org.ssgproject.content_rule_accounts_have_homedir_login_defs
+++ xccdf_org.ssgproject.content_rule_accounts_have_homedir_login_defs
@@ -18,7 +18,7 @@
lineinfile:
path: /etc/login.defs
create: true
- regexp: ^\s*CREATE_HOME\s+
+ regexp: (?i)^\s*CREATE_HOME\s+
state: absent
check_mode: true
changed_when: false
@@ -28,7 +28,7 @@
lineinfile:
path: /etc/login.defs
create: true
- regexp: ^\s*CREATE_HOME\s+
+ regexp: (?i)^\s*CREATE_HOME\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -36,7 +36,7 @@
lineinfile:
path: /etc/login.defs
create: true
- regexp: ^\s*CREATE_HOME\s+
+ regexp: (?i)^\s*CREATE_HOME\s+
line: CREATE_HOME yes
state: present
when: '"shadow-utils" in ansible_facts.packages'
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode' differs.
--- xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode
+++ xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode
@@ -5,7 +5,7 @@
lineinfile:
path: /etc/rsyslog.conf
create: false
- regexp: ^\s*{{ "$ActionSendStreamDriverAuthMode"| regex_escape }}\s
+ regexp: (?i)^\s*{{ "$ActionSendStreamDriverAuthMode"| regex_escape }}\s
state: absent
- name: Check if /etc/rsyslog.d exists
@@ -26,7 +26,7 @@
lineinfile:
path: '{{ item.path }}'
create: false
- regexp: ^\s*{{ "$ActionSendStreamDriverAuthMode"| regex_escape }}\s
+ regexp: (?i)^\s*{{ "$ActionSendStreamDriverAuthMode"| regex_escape }}\s
state: absent
with_items: '{{ _etc_rsyslog_d_has_parameter.files }}'
when: _etc_rsyslog_d_has_parameter.matched
@@ -35,7 +35,7 @@
lineinfile:
path: /etc/rsyslog.conf
create: true
- regexp: ^\s*{{ "$ActionSendStreamDriverAuthMode"| regex_escape }}\s
+ regexp: (?i)^\s*{{ "$ActionSendStreamDriverAuthMode"| regex_escape }}\s
line: $ActionSendStreamDriverAuthMode x509/name
state: present
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdrivermode' differs.
--- xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdrivermode
+++ xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdrivermode
@@ -5,7 +5,7 @@
lineinfile:
path: /etc/rsyslog.conf
create: false
- regexp: '^\s*{{ "$ActionSendStreamDriverMode"| regex_escape }} '
+ regexp: '(?i)^\s*{{ "$ActionSendStreamDriverMode"| regex_escape }} '
state: absent
- name: Check if /etc/rsyslog.d exists
@@ -26,7 +26,7 @@
lineinfile:
path: '{{ item.path }}'
create: false
- regexp: '^\s*{{ "$ActionSendStreamDriverMode"| regex_escape }} '
+ regexp: '(?i)^\s*{{ "$ActionSendStreamDriverMode"| regex_escape }} '
state: absent
with_items: '{{ _etc_rsyslog_d_has_parameter.files }}'
when: _etc_rsyslog_d_has_parameter.matched
@@ -35,7 +35,7 @@
lineinfile:
path: /etc/rsyslog.conf
create: true
- regexp: '^\s*{{ "$ActionSendStreamDriverMode"| regex_escape }} '
+ regexp: '(?i)^\s*{{ "$ActionSendStreamDriverMode"| regex_escape }} '
line: $ActionSendStreamDriverMode 1
state: present
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_defaultnetstreamdriver' differs.
--- xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_defaultnetstreamdriver
+++ xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_defaultnetstreamdriver
@@ -5,7 +5,7 @@
lineinfile:
path: /etc/rsyslog.conf
create: false
- regexp: '^\s*{{ "$DefaultNetstreamDriver"| regex_escape }} '
+ regexp: '(?i)^\s*{{ "$DefaultNetstreamDriver"| regex_escape }} '
state: absent
- name: Check if /etc/rsyslog.d exists
@@ -26,7 +26,7 @@
lineinfile:
path: '{{ item.path }}'
create: false
- regexp: '^\s*{{ "$DefaultNetstreamDriver"| regex_escape }} '
+ regexp: '(?i)^\s*{{ "$DefaultNetstreamDriver"| regex_escape }} '
state: absent
with_items: '{{ _etc_rsyslog_d_has_parameter.files }}'
when: _etc_rsyslog_d_has_parameter.matched
@@ -35,7 +35,7 @@
lineinfile:
path: /etc/rsyslog.conf
create: true
- regexp: '^\s*{{ "$DefaultNetstreamDriver"| regex_escape }} '
+ regexp: '(?i)^\s*{{ "$DefaultNetstreamDriver"| regex_escape }} '
line: $DefaultNetstreamDriver gtls
state: present
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_firewalld-backend' differs.
--- xccdf_org.ssgproject.content_rule_firewalld-backend
+++ xccdf_org.ssgproject.content_rule_firewalld-backend
@@ -20,7 +20,7 @@
lineinfile:
path: /etc/firewalld/firewalld.conf
create: true
- regexp: ^\s*FirewallBackend=
+ regexp: (?i)^\s*FirewallBackend=
state: absent
check_mode: true
changed_when: false
@@ -30,7 +30,7 @@
lineinfile:
path: /etc/firewalld/firewalld.conf
create: true
- regexp: ^\s*FirewallBackend=
+ regexp: (?i)^\s*FirewallBackend=
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -38,7 +38,7 @@
lineinfile:
path: /etc/firewalld/firewalld.conf
create: true
- regexp: ^\s*FirewallBackend=
+ regexp: (?i)^\s*FirewallBackend=
line: FirewallBackend=nftables
state: present
insertbefore: ^# FirewallBackend
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_selinux_not_disabled' differs.
--- xccdf_org.ssgproject.content_rule_selinux_not_disabled
+++ xccdf_org.ssgproject.content_rule_selinux_not_disabled
@@ -5,7 +5,7 @@
lineinfile:
path: /etc/selinux/config
create: true
- regexp: ^SELINUX=
+ regexp: (?i)^SELINUX=
state: absent
check_mode: true
changed_when: false
@@ -15,7 +15,7 @@
lineinfile:
path: /etc/selinux/config
create: true
- regexp: ^SELINUX=
+ regexp: (?i)^SELINUX=
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -23,7 +23,7 @@
lineinfile:
path: /etc/selinux/config
create: true
- regexp: ^SELINUX=
+ regexp: (?i)^SELINUX=
line: SELINUX=permissive
state: present
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_selinux_policytype' differs.
--- xccdf_org.ssgproject.content_rule_selinux_policytype
+++ xccdf_org.ssgproject.content_rule_selinux_policytype
@@ -11,7 +11,7 @@
lineinfile:
path: /etc/selinux/config
create: true
- regexp: ^SELINUXTYPE=
+ regexp: (?i)^SELINUXTYPE=
state: absent
check_mode: true
changed_when: false
@@ -21,7 +21,7 @@
lineinfile:
path: /etc/selinux/config
create: true
- regexp: ^SELINUXTYPE=
+ regexp: (?i)^SELINUXTYPE=
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -29,7 +29,7 @@
lineinfile:
path: /etc/selinux/config
create: true
- regexp: ^SELINUXTYPE=
+ regexp: (?i)^SELINUXTYPE=
line: SELINUXTYPE={{ var_selinux_policy_name }}
state: present
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_selinux_state' differs.
--- xccdf_org.ssgproject.content_rule_selinux_state
+++ xccdf_org.ssgproject.content_rule_selinux_state
@@ -11,7 +11,7 @@
lineinfile:
path: /etc/selinux/config
create: true
- regexp: ^SELINUX=
+ regexp: (?i)^SELINUX=
state: absent
check_mode: true
changed_when: false
@@ -21,7 +21,7 @@
lineinfile:
path: /etc/selinux/config
create: true
- regexp: ^SELINUX=
+ regexp: (?i)^SELINUX=
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -29,7 +29,7 @@
lineinfile:
path: /etc/selinux/config
create: true
- regexp: ^SELINUX=
+ regexp: (?i)^SELINUX=
line: SELINUX={{ var_selinux_state }}
state: present
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias_postmaster' differs.
--- xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias_postmaster
+++ xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias_postmaster
@@ -5,7 +5,7 @@
lineinfile:
path: /etc/aliases
create: true
- regexp: ^\s*postmaster\s*:\s*
+ regexp: (?i)^\s*postmaster\s*:\s*
state: absent
check_mode: true
changed_when: false
@@ -15,7 +15,7 @@
lineinfile:
path: /etc/aliases
create: true
- regexp: ^\s*postmaster\s*:\s*
+ regexp: (?i)^\s*postmaster\s*:\s*
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -23,7 +23,7 @@
lineinfile:
path: /etc/aliases
create: true
- regexp: ^\s*postmaster\s*:\s*
+ regexp: (?i)^\s*postmaster\s*:\s*
line: 'postmaster: root'
state: present
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled' differs.
--- xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled
+++ xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled
@@ -27,7 +27,7 @@
lineinfile:
path: /etc/postfix/main.cf
create: false
- regexp: ^inet_interfaces\s*=\s.*
+ regexp: (?i)^inet_interfaces\s*=\s.*
line: inet_interfaces = {{ var_postfix_inet_interfaces }}
state: present
insertafter: ^inet_interfaces\s*=\s.*
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay' differs.
--- xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay
+++ xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay
@@ -18,7 +18,7 @@
lineinfile:
path: /etc/postfix/main.cf
create: true
- regexp: ^[ \t]*smtpd_client_restrictions\s*=\s*
+ regexp: (?i)^[ \t]*smtpd_client_restrictions\s*=\s*
state: absent
check_mode: true
changed_when: false
@@ -28,7 +28,7 @@
lineinfile:
path: /etc/postfix/main.cf
create: true
- regexp: ^[ \t]*smtpd_client_restrictions\s*=\s*
+ regexp: (?i)^[ \t]*smtpd_client_restrictions\s*=\s*
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -36,7 +36,7 @@
lineinfile:
path: /etc/postfix/main.cf
create: true
- regexp: ^[ \t]*smtpd_client_restrictions\s*=\s*
+ regexp: (?i)^[ \t]*smtpd_client_restrictions\s*=\s*
line: smtpd_client_restrictions = permit_mynetworks,reject
state: present
when:
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_chronyd_client_only' differs.
--- xccdf_org.ssgproject.content_rule_chronyd_client_only
+++ xccdf_org.ssgproject.content_rule_chronyd_client_only
@@ -5,7 +5,7 @@
lineinfile:
path: /etc/chrony.conf
create: true
- regexp: ^\s*port\s+
+ regexp: (?i)^\s*port\s+
state: absent
check_mode: true
changed_when: false
@@ -15,7 +15,7 @@
lineinfile:
path: /etc/chrony.conf
create: true
- regexp: ^\s*port\s+
+ regexp: (?i)^\s*port\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -23,7 +23,7 @@
lineinfile:
path: /etc/chrony.conf
create: true
- regexp: ^\s*port\s+
+ regexp: (?i)^\s*port\s+
line: port 0
state: present
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network' differs.
--- xccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network
+++ xccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network
@@ -5,7 +5,7 @@
lineinfile:
path: /etc/chrony.conf
create: true
- regexp: ^\s*cmdport\s+
+ regexp: (?i)^\s*cmdport\s+
state: absent
check_mode: true
changed_when: false
@@ -15,7 +15,7 @@
lineinfile:
path: /etc/chrony.conf
create: true
- regexp: ^\s*cmdport\s+
+ regexp: (?i)^\s*cmdport\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -23,7 +23,7 @@
lineinfile:
path: /etc/chrony.conf
create: true
- regexp: ^\s*cmdport\s+
+ regexp: (?i)^\s*cmdport\s+
line: cmdport 0
state: present
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0
+++ xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0
@@ -5,7 +5,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*ClientAliveCountMax\s+
+ regexp: (?i)(?i)^\s*ClientAliveCountMax\s+
state: absent
check_mode: true
changed_when: false
@@ -15,7 +15,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*ClientAliveCountMax\s+
+ regexp: (?i)(?i)^\s*ClientAliveCountMax\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -23,7 +23,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*ClientAliveCountMax\s+
+ regexp: (?i)(?i)^\s*ClientAliveCountMax\s+
line: ClientAliveCountMax 0
state: present
insertbefore: BOF
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_keepalive' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_keepalive
+++ xccdf_org.ssgproject.content_rule_sshd_set_keepalive
@@ -11,7 +11,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*ClientAliveCountMax\s+
+ regexp: (?i)(?i)^\s*ClientAliveCountMax\s+
state: absent
check_mode: true
changed_when: false
@@ -21,7 +21,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*ClientAliveCountMax\s+
+ regexp: (?i)(?i)^\s*ClientAliveCountMax\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -29,7 +29,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*ClientAliveCountMax\s+
+ regexp: (?i)(?i)^\s*ClientAliveCountMax\s+
line: ClientAliveCountMax {{ var_sshd_set_keepalive }}
state: present
insertbefore: BOF
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
+++ xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
@@ -11,7 +11,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*ClientAliveInterval\s+
+ regexp: (?i)(?i)^\s*ClientAliveInterval\s+
state: absent
check_mode: true
changed_when: false
@@ -21,7 +21,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*ClientAliveInterval\s+
+ regexp: (?i)(?i)^\s*ClientAliveInterval\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -29,7 +29,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*ClientAliveInterval\s+
+ regexp: (?i)(?i)^\s*ClientAliveInterval\s+
line: ClientAliveInterval {{ sshd_idle_timeout_value }}
state: present
insertbefore: BOF
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_disable_host_auth' differs.
--- xccdf_org.ssgproject.content_rule_disable_host_auth
+++ xccdf_org.ssgproject.content_rule_disable_host_auth
@@ -5,7 +5,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*HostbasedAuthentication\s+
+ regexp: (?i)(?i)^\s*HostbasedAuthentication\s+
state: absent
check_mode: true
changed_when: false
@@ -15,7 +15,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*HostbasedAuthentication\s+
+ regexp: (?i)(?i)^\s*HostbasedAuthentication\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -23,7 +23,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*HostbasedAuthentication\s+
+ regexp: (?i)(?i)^\s*HostbasedAuthentication\s+
line: HostbasedAuthentication no
state: present
insertbefore: BOF
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2' differs.
--- xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2
+++ xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2
@@ -5,7 +5,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*Protocol\s+
+ regexp: (?i)(?i)^\s*Protocol\s+
state: absent
check_mode: true
changed_when: false
@@ -15,7 +15,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*Protocol\s+
+ regexp: (?i)(?i)^\s*Protocol\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -23,7 +23,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*Protocol\s+
+ regexp: (?i)(?i)^\s*Protocol\s+
line: Protocol 2
state: present
insertbefore: BOF
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_compression' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_compression
+++ xccdf_org.ssgproject.content_rule_sshd_disable_compression
@@ -11,7 +11,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*Compression\s+
+ regexp: (?i)(?i)^\s*Compression\s+
state: absent
check_mode: true
changed_when: false
@@ -21,7 +21,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*Compression\s+
+ regexp: (?i)(?i)^\s*Compression\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -29,7 +29,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*Compression\s+
+ regexp: (?i)(?i)^\s*Compression\s+
line: Compression {{ var_sshd_disable_compression }}
state: present
insertbefore: BOF
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
+++ xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
@@ -5,7 +5,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*PermitEmptyPasswords\s+
+ regexp: (?i)(?i)^\s*PermitEmptyPasswords\s+
state: absent
check_mode: true
changed_when: false
@@ -15,7 +15,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*PermitEmptyPasswords\s+
+ regexp: (?i)(?i)^\s*PermitEmptyPasswords\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -23,7 +23,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*PermitEmptyPasswords\s+
+ regexp: (?i)(?i)^\s*PermitEmptyPasswords\s+
line: PermitEmptyPasswords no
state: present
insertbefore: BOF
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth
+++ xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth
@@ -5,7 +5,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*GSSAPIAuthentication\s+
+ regexp: (?i)(?i)^\s*GSSAPIAuthentication\s+
state: absent
check_mode: true
changed_when: false
@@ -15,7 +15,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*GSSAPIAuthentication\s+
+ regexp: (?i)(?i)^\s*GSSAPIAuthentication\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -23,7 +23,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*GSSAPIAuthentication\s+
+ regexp: (?i)(?i)^\s*GSSAPIAuthentication\s+
line: GSSAPIAuthentication no
state: present
insertbefore: BOF
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth
+++ xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth
@@ -5,7 +5,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*KerberosAuthentication\s+
+ regexp: (?i)(?i)^\s*KerberosAuthentication\s+
state: absent
check_mode: true
changed_when: false
@@ -15,7 +15,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*KerberosAuthentication\s+
+ regexp: (?i)(?i)^\s*KerberosAuthentication\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -23,7 +23,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*KerberosAuthentication\s+
+ regexp: (?i)(?i)^\s*KerberosAuthentication\s+
line: KerberosAuthentication no
state: present
insertbefore: BOF
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth
+++ xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth
@@ -5,7 +5,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*PubkeyAuthentication\s+
+ regexp: (?i)(?i)^\s*PubkeyAuthentication\s+
state: absent
check_mode: true
changed_when: false
@@ -15,7 +15,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*PubkeyAuthentication\s+
+ regexp: (?i)(?i)^\s*PubkeyAuthentication\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -23,7 +23,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*PubkeyAuthentication\s+
+ regexp: (?i)(?i)^\s*PubkeyAuthentication\s+
line: PubkeyAuthentication no
state: present
insertbefore: BOF
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_rhosts' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_rhosts
+++ xccdf_org.ssgproject.content_rule_sshd_disable_rhosts
@@ -5,7 +5,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*IgnoreRhosts\s+
+ regexp: (?i)(?i)^\s*IgnoreRhosts\s+
state: absent
check_mode: true
changed_when: false
@@ -15,7 +15,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*IgnoreRhosts\s+
+ regexp: (?i)(?i)^\s*IgnoreRhosts\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -23,7 +23,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*IgnoreRhosts\s+
+ regexp: (?i)(?i)^\s*IgnoreRhosts\s+
line: IgnoreRhosts yes
state: present
insertbefore: BOF
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa
+++ xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa
@@ -5,7 +5,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*RhostsRSAAuthentication\s+
+ regexp: (?i)(?i)^\s*RhostsRSAAuthentication\s+
state: absent
check_mode: true
changed_when: false
@@ -15,7 +15,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*RhostsRSAAuthentication\s+
+ regexp: (?i)(?i)^\s*RhostsRSAAuthentication\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -23,7 +23,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*RhostsRSAAuthentication\s+
+ regexp: (?i)(?i)^\s*RhostsRSAAuthentication\s+
line: RhostsRSAAuthentication no
state: present
insertbefore: BOF
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_root_login' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_root_login
+++ xccdf_org.ssgproject.content_rule_sshd_disable_root_login
@@ -5,7 +5,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*PermitRootLogin\s+
+ regexp: (?i)(?i)^\s*PermitRootLogin\s+
state: absent
check_mode: true
changed_when: false
@@ -15,7 +15,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*PermitRootLogin\s+
+ regexp: (?i)(?i)^\s*PermitRootLogin\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -23,7 +23,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*PermitRootLogin\s+
+ regexp: (?i)(?i)^\s*PermitRootLogin\s+
line: PermitRootLogin no
state: present
insertbefore: BOF
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login
+++ xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login
@@ -5,7 +5,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*PermitRootLogin\s+
+ regexp: (?i)(?i)^\s*PermitRootLogin\s+
state: absent
check_mode: true
changed_when: false
@@ -15,7 +15,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*PermitRootLogin\s+
+ regexp: (?i)(?i)^\s*PermitRootLogin\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -23,7 +23,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*PermitRootLogin\s+
+ regexp: (?i)(?i)^\s*PermitRootLogin\s+
line: PermitRootLogin prohibit-password
state: present
insertbefore: BOF
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding
+++ xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding
@@ -5,7 +5,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*AllowTcpForwarding\s+
+ regexp: (?i)(?i)^\s*AllowTcpForwarding\s+
state: absent
check_mode: true
changed_when: false
@@ -15,7 +15,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*AllowTcpForwarding\s+
+ regexp: (?i)(?i)^\s*AllowTcpForwarding\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -23,7 +23,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*AllowTcpForwarding\s+
+ regexp: (?i)(?i)^\s*AllowTcpForwarding\s+
line: AllowTcpForwarding no
state: present
insertbefore: BOF
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts
+++ xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts
@@ -5,7 +5,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*IgnoreUserKnownHosts\s+
+ regexp: (?i)(?i)^\s*IgnoreUserKnownHosts\s+
state: absent
check_mode: true
changed_when: false
@@ -15,7 +15,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*IgnoreUserKnownHosts\s+
+ regexp: (?i)(?i)^\s*IgnoreUserKnownHosts\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -23,7 +23,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*IgnoreUserKnownHosts\s+
+ regexp: (?i)(?i)^\s*IgnoreUserKnownHosts\s+
line: IgnoreUserKnownHosts yes
state: present
insertbefore: BOF
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding
+++ xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding
@@ -5,7 +5,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*X11Forwarding\s+
+ regexp: (?i)(?i)^\s*X11Forwarding\s+
state: absent
check_mode: true
changed_when: false
@@ -15,7 +15,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*X11Forwarding\s+
+ regexp: (?i)(?i)^\s*X11Forwarding\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -23,7 +23,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*X11Forwarding\s+
+ regexp: (?i)(?i)^\s*X11Forwarding\s+
line: X11Forwarding no
state: present
insertbefore: BOF
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env' differs.
--- xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env
+++ xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env
@@ -5,7 +5,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*PermitUserEnvironment\s+
+ regexp: (?i)(?i)^\s*PermitUserEnvironment\s+
state: absent
check_mode: true
changed_when: false
@@ -15,7 +15,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*PermitUserEnvironment\s+
+ regexp: (?i)(?i)^\s*PermitUserEnvironment\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -23,7 +23,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*PermitUserEnvironment\s+
+ regexp: (?i)(?i)^\s*PermitUserEnvironment\s+
line: PermitUserEnvironment no
state: present
insertbefore: BOF
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth
+++ xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth
@@ -5,7 +5,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*GSSAPIAuthentication\s+
+ regexp: (?i)(?i)^\s*GSSAPIAuthentication\s+
state: absent
check_mode: true
changed_when: false
@@ -15,7 +15,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*GSSAPIAuthentication\s+
+ regexp: (?i)(?i)^\s*GSSAPIAuthentication\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -23,7 +23,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*GSSAPIAuthentication\s+
+ regexp: (?i)(?i)^\s*GSSAPIAuthentication\s+
line: GSSAPIAuthentication yes
state: present
insertbefore: BOF
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_pam' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_pam
+++ xccdf_org.ssgproject.content_rule_sshd_enable_pam
@@ -5,7 +5,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*UsePAM\s+
+ regexp: (?i)(?i)^\s*UsePAM\s+
state: absent
check_mode: true
changed_when: false
@@ -15,7 +15,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*UsePAM\s+
+ regexp: (?i)(?i)^\s*UsePAM\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -23,7 +23,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*UsePAM\s+
+ regexp: (?i)(?i)^\s*UsePAM\s+
line: UsePAM yes
state: present
insertbefore: BOF
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth
+++ xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth
@@ -5,7 +5,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*PubkeyAuthentication\s+
+ regexp: (?i)(?i)^\s*PubkeyAuthentication\s+
state: absent
check_mode: true
changed_when: false
@@ -15,7 +15,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*PubkeyAuthentication\s+
+ regexp: (?i)(?i)^\s*PubkeyAuthentication\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -23,7 +23,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*PubkeyAuthentication\s+
+ regexp: (?i)(?i)^\s*PubkeyAuthentication\s+
line: PubkeyAuthentication yes
state: present
insertbefore: BOF
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes
+++ xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes
@@ -5,7 +5,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*StrictModes\s+
+ regexp: (?i)(?i)^\s*StrictModes\s+
state: absent
check_mode: true
changed_when: false
@@ -15,7 +15,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*StrictModes\s+
+ regexp: (?i)(?i)^\s*StrictModes\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -23,7 +23,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*StrictModes\s+
+ regexp: (?i)(?i)^\s*StrictModes\s+
line: StrictModes yes
state: present
insertbefore: BOF
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner
+++ xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner
@@ -5,7 +5,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*Banner\s+
+ regexp: (?i)(?i)^\s*Banner\s+
state: absent
check_mode: true
changed_when: false
@@ -15,7 +15,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*Banner\s+
+ regexp: (?i)(?i)^\s*Banner\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -23,7 +23,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*Banner\s+
+ regexp: (?i)(?i)^\s*Banner\s+
line: Banner /etc/issue
state: present
insertbefore: BOF
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net
+++ xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net
@@ -5,7 +5,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*Banner\s+
+ regexp: (?i)(?i)^\s*Banner\s+
state: absent
check_mode: true
changed_when: false
@@ -15,7 +15,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*Banner\s+
+ regexp: (?i)(?i)^\s*Banner\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -23,7 +23,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*Banner\s+
+ regexp: (?i)(?i)^\s*Banner\s+
line: Banner /etc/issue.net
state: present
insertbefore: BOF
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding
+++ xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding
@@ -5,7 +5,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*X11Forwarding\s+
+ regexp: (?i)(?i)^\s*X11Forwarding\s+
state: absent
check_mode: true
changed_when: false
@@ -15,7 +15,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*X11Forwarding\s+
+ regexp: (?i)(?i)^\s*X11Forwarding\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -23,7 +23,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*X11Forwarding\s+
+ regexp: (?i)(?i)^\s*X11Forwarding\s+
line: X11Forwarding yes
state: present
insertbefore: BOF
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_print_last_log' differs.
--- xccdf_org.ssgproject.content_rule_sshd_print_last_log
+++ xccdf_org.ssgproject.content_rule_sshd_print_last_log
@@ -5,7 +5,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*PrintLastLog\s+
+ regexp: (?i)(?i)^\s*PrintLastLog\s+
state: absent
check_mode: true
changed_when: false
@@ -15,7 +15,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*PrintLastLog\s+
+ regexp: (?i)(?i)^\s*PrintLastLog\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -23,7 +23,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*PrintLastLog\s+
+ regexp: (?i)(?i)^\s*PrintLastLog\s+
line: PrintLastLog yes
state: present
insertbefore: BOF
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_rekey_limit' differs.
--- xccdf_org.ssgproject.content_rule_sshd_rekey_limit
+++ xccdf_org.ssgproject.content_rule_sshd_rekey_limit
@@ -16,7 +16,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*RekeyLimit\s+
+ regexp: (?i)(?i)^\s*RekeyLimit\s+
state: absent
check_mode: true
changed_when: false
@@ -26,7 +26,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*RekeyLimit\s+
+ regexp: (?i)(?i)^\s*RekeyLimit\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -34,7 +34,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*RekeyLimit\s+
+ regexp: (?i)(?i)^\s*RekeyLimit\s+
line: RekeyLimit {{ var_rekey_limit_size }} {{ var_rekey_limit_time }}
state: present
insertbefore: BOF
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time
+++ xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time
@@ -11,7 +11,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*LoginGraceTime\s+
+ regexp: (?i)(?i)^\s*LoginGraceTime\s+
state: absent
check_mode: true
changed_when: false
@@ -21,7 +21,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*LoginGraceTime\s+
+ regexp: (?i)(?i)^\s*LoginGraceTime\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -29,7 +29,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*LoginGraceTime\s+
+ regexp: (?i)(?i)^\s*LoginGraceTime\s+
line: LoginGraceTime {{ var_sshd_set_login_grace_time }}
state: present
insertbefore: BOF
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info
+++ xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info
@@ -5,7 +5,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*LogLevel\s+
+ regexp: (?i)(?i)^\s*LogLevel\s+
state: absent
check_mode: true
changed_when: false
@@ -15,7 +15,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*LogLevel\s+
+ regexp: (?i)(?i)^\s*LogLevel\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -23,7 +23,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*LogLevel\s+
+ regexp: (?i)(?i)^\s*LogLevel\s+
line: LogLevel INFO
state: present
insertbefore: BOF
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose
+++ xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose
@@ -5,7 +5,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*LogLevel\s+
+ regexp: (?i)(?i)^\s*LogLevel\s+
state: absent
check_mode: true
changed_when: false
@@ -15,7 +15,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*LogLevel\s+
+ regexp: (?i)(?i)^\s*LogLevel\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -23,7 +23,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*LogLevel\s+
+ regexp: (?i)(?i)^\s*LogLevel\s+
line: LogLevel VERBOSE
state: present
insertbefore: BOF
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries
+++ xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries
@@ -11,7 +11,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*MaxAuthTries\s+
+ regexp: (?i)(?i)^\s*MaxAuthTries\s+
state: absent
check_mode: true
changed_when: false
@@ -21,7 +21,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*MaxAuthTries\s+
+ regexp: (?i)(?i)^\s*MaxAuthTries\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -29,7 +29,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*MaxAuthTries\s+
+ regexp: (?i)(?i)^\s*MaxAuthTries\s+
line: MaxAuthTries {{ sshd_max_auth_tries_value }}
state: present
insertbefore: BOF
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_max_sessions' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_max_sessions
+++ xccdf_org.ssgproject.content_rule_sshd_set_max_sessions
@@ -11,7 +11,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*MaxSessions\s+
+ regexp: (?i)(?i)^\s*MaxSessions\s+
state: absent
check_mode: true
changed_when: false
@@ -21,7 +21,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*MaxSessions\s+
+ regexp: (?i)(?i)^\s*MaxSessions\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -29,7 +29,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*MaxSessions\s+
+ regexp: (?i)(?i)^\s*MaxSessions\s+
line: MaxSessions {{ var_sshd_max_sessions }}
state: present
insertbefore: BOF
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_maxstartups' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_maxstartups
+++ xccdf_org.ssgproject.content_rule_sshd_set_maxstartups
@@ -11,7 +11,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*MaxStartups\s+
+ regexp: (?i)(?i)^\s*MaxStartups\s+
state: absent
check_mode: true
changed_when: false
@@ -21,7 +21,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*MaxStartups\s+
+ regexp: (?i)(?i)^\s*MaxStartups\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -29,7 +29,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*MaxStartups\s+
+ regexp: (?i)(?i)^\s*MaxStartups\s+
line: MaxStartups {{ var_sshd_set_maxstartups }}
state: present
insertbefore: BOF
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers' differs.
--- xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers
+++ xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers
@@ -11,7 +11,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*Ciphers\s+
+ regexp: (?i)(?i)^\s*Ciphers\s+
state: absent
check_mode: true
changed_when: false
@@ -21,7 +21,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*Ciphers\s+
+ regexp: (?i)(?i)^\s*Ciphers\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -29,7 +29,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*Ciphers\s+
+ regexp: (?i)(?i)^\s*Ciphers\s+
line: Ciphers {{ sshd_approved_ciphers }}
state: present
insertbefore: BOF
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_use_priv_separation' differs.
--- xccdf_org.ssgproject.content_rule_sshd_use_priv_separation
+++ xccdf_org.ssgproject.content_rule_sshd_use_priv_separation
@@ -11,7 +11,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*UsePrivilegeSeparation\s+
+ regexp: (?i)(?i)^\s*UsePrivilegeSeparation\s+
state: absent
check_mode: true
changed_when: false
@@ -21,7 +21,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*UsePrivilegeSeparation\s+
+ regexp: (?i)(?i)^\s*UsePrivilegeSeparation\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -29,7 +29,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*UsePrivilegeSeparation\s+
+ regexp: (?i)(?i)^\s*UsePrivilegeSeparation\s+
line: UsePrivilegeSeparation {{ var_sshd_priv_separation }}
state: present
insertbefore: BOF
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_use_strong_kex' differs.
--- xccdf_org.ssgproject.content_rule_sshd_use_strong_kex
+++ xccdf_org.ssgproject.content_rule_sshd_use_strong_kex
@@ -11,7 +11,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*KexAlgorithms\s+
+ regexp: (?i)(?i)^\s*KexAlgorithms\s+
state: absent
check_mode: true
changed_when: false
@@ -21,7 +21,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*KexAlgorithms\s+
+ regexp: (?i)(?i)^\s*KexAlgorithms\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -29,7 +29,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*KexAlgorithms\s+
+ regexp: (?i)(?i)^\s*KexAlgorithms\s+
line: KexAlgorithms {{ sshd_strong_kex }}
state: present
insertbefore: BOF
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_use_strong_macs' differs.
--- xccdf_org.ssgproject.content_rule_sshd_use_strong_macs
+++ xccdf_org.ssgproject.content_rule_sshd_use_strong_macs
@@ -11,7 +11,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*MACs\s+
+ regexp: (?i)(?i)^\s*MACs\s+
state: absent
check_mode: true
changed_when: false
@@ -21,7 +21,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*MACs\s+
+ regexp: (?i)(?i)^\s*MACs\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -29,7 +29,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*MACs\s+
+ regexp: (?i)(?i)^\s*MACs\s+
line: MACs {{ sshd_strong_macs }}
state: present
insertbefore: BOF
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_use_strong_rng' differs.
--- xccdf_org.ssgproject.content_rule_sshd_use_strong_rng
+++ xccdf_org.ssgproject.content_rule_sshd_use_strong_rng
@@ -6,7 +6,7 @@
lineinfile:
path: /etc/sysconfig/sshd
create: true
- regexp: ^\s*SSH_USE_STRONG_RNG=
+ regexp: (?i)^\s*SSH_USE_STRONG_RNG=
state: absent
check_mode: true
changed_when: false
@@ -16,7 +16,7 @@
lineinfile:
path: /etc/sysconfig/sshd
create: true
- regexp: ^\s*SSH_USE_STRONG_RNG=
+ regexp: (?i)^\s*SSH_USE_STRONG_RNG=
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -24,7 +24,7 @@
lineinfile:
path: /etc/sysconfig/sshd
create: true
- regexp: ^\s*SSH_USE_STRONG_RNG=
+ regexp: (?i)^\s*SSH_USE_STRONG_RNG=
line: SSH_USE_STRONG_RNG=32
state: present
insertbefore: ^# SSH_USE_STRONG_RNG
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost' differs.
--- xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost
+++ xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost
@@ -5,7 +5,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*X11UseLocalhost\s+
+ regexp: (?i)(?i)^\s*X11UseLocalhost\s+
state: absent
check_mode: true
changed_when: false
@@ -15,7 +15,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*X11UseLocalhost\s+
+ regexp: (?i)(?i)^\s*X11UseLocalhost\s+
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -23,7 +23,7 @@
lineinfile:
path: /etc/ssh/sshd_config
create: true
- regexp: (?i)^\s*X11UseLocalhost\s+
+ regexp: (?i)(?i)^\s*X11UseLocalhost\s+
line: X11UseLocalhost yes
state: present
insertbefore: BOF
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend' differs.
--- xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend
+++ xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend
@@ -21,7 +21,7 @@
lineinfile:
path: /etc/usbguard/usbguard-daemon.conf
create: true
- regexp: ^\s*AuditBackend=
+ regexp: (?i)^\s*AuditBackend=
state: absent
check_mode: true
changed_when: false
@@ -31,7 +31,7 @@
lineinfile:
path: /etc/usbguard/usbguard-daemon.conf
create: true
- regexp: ^\s*AuditBackend=
+ regexp: (?i)^\s*AuditBackend=
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -39,7 +39,7 @@
lineinfile:
path: /etc/usbguard/usbguard-daemon.conf
create: true
- regexp: ^\s*AuditBackend=
+ regexp: (?i)^\s*AuditBackend=
line: AuditBackend=LinuxAudit
state: present
when:
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_usbguard_allow_hid' differs.
--- xccdf_org.ssgproject.content_rule_usbguard_allow_hid
+++ xccdf_org.ssgproject.content_rule_usbguard_allow_hid
@@ -2,6 +2,7 @@
lineinfile:
path: /etc/usbguard/rules.conf
create: true
+ regexp: ''
line: allow with-interface match-all { 03:*:* }
state: present
when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_usbguard_allow_hid_and_hub' differs.
--- xccdf_org.ssgproject.content_rule_usbguard_allow_hid_and_hub
+++ xccdf_org.ssgproject.content_rule_usbguard_allow_hid_and_hub
@@ -2,6 +2,7 @@
lineinfile:
path: /etc/usbguard/rules.conf
create: true
+ regexp: ''
line: allow with-interface match-all { 03:*:* 09:00:* }
state: present
when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_usbguard_allow_hub' differs.
--- xccdf_org.ssgproject.content_rule_usbguard_allow_hub
+++ xccdf_org.ssgproject.content_rule_usbguard_allow_hub
@@ -2,6 +2,7 @@
lineinfile:
path: /etc/usbguard/rules.conf
create: true
+ regexp: ''
line: allow with-interface match-all { 09:00:* }
state: present
when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_freq' differs.
--- xccdf_org.ssgproject.content_rule_auditd_freq
+++ xccdf_org.ssgproject.content_rule_auditd_freq
@@ -18,7 +18,7 @@
lineinfile:
path: /etc/audit/auditd.conf
create: true
- regexp: (?i)^\s*freq\s*=\s*
+ regexp: (?i)(?i)^\s*freq\s*=\s*
state: absent
check_mode: true
changed_when: false
@@ -28,7 +28,7 @@
lineinfile:
path: /etc/audit/auditd.conf
create: true
- regexp: (?i)^\s*freq\s*=\s*
+ regexp: (?i)(?i)^\s*freq\s*=\s*
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -36,7 +36,7 @@
lineinfile:
path: /etc/audit/auditd.conf
create: true
- regexp: (?i)^\s*freq\s*=\s*
+ regexp: (?i)(?i)^\s*freq\s*=\s*
line: freq = 50
state: present
when:
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_local_events' differs.
--- xccdf_org.ssgproject.content_rule_auditd_local_events
+++ xccdf_org.ssgproject.content_rule_auditd_local_events
@@ -19,7 +19,7 @@
lineinfile:
path: /etc/audit/auditd.conf
create: true
- regexp: (?i)^\s*local_events\s*=\s*
+ regexp: (?i)(?i)^\s*local_events\s*=\s*
state: absent
check_mode: true
changed_when: false
@@ -29,7 +29,7 @@
lineinfile:
path: /etc/audit/auditd.conf
create: true
- regexp: (?i)^\s*local_events\s*=\s*
+ regexp: (?i)(?i)^\s*local_events\s*=\s*
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -37,7 +37,7 @@
lineinfile:
path: /etc/audit/auditd.conf
create: true
- regexp: (?i)^\s*local_events\s*=\s*
+ regexp: (?i)(?i)^\s*local_events\s*=\s*
line: local_events = yes
state: present
when:
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_log_format' differs.
--- xccdf_org.ssgproject.content_rule_auditd_log_format
+++ xccdf_org.ssgproject.content_rule_auditd_log_format
@@ -20,7 +20,7 @@
lineinfile:
path: /etc/audit/auditd.conf
create: true
- regexp: (?i)^\s*log_format\s*=\s*
+ regexp: (?i)(?i)^\s*log_format\s*=\s*
state: absent
check_mode: true
changed_when: false
@@ -30,7 +30,7 @@
lineinfile:
path: /etc/audit/auditd.conf
create: true
- regexp: (?i)^\s*log_format\s*=\s*
+ regexp: (?i)(?i)^\s*log_format\s*=\s*
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -38,7 +38,7 @@
lineinfile:
path: /etc/audit/auditd.conf
create: true
- regexp: (?i)^\s*log_format\s*=\s*
+ regexp: (?i)(?i)^\s*log_format\s*=\s*
line: log_format = ENRICHED
state: present
when:
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_name_format' differs.
--- xccdf_org.ssgproject.content_rule_auditd_name_format
+++ xccdf_org.ssgproject.content_rule_auditd_name_format
@@ -46,7 +46,7 @@
lineinfile:
path: /etc/audit/auditd.conf
create: true
- regexp: (?i)^\s*name_format\s*=\s*
+ regexp: (?i)(?i)^\s*name_format\s*=\s*
state: absent
check_mode: true
changed_when: false
@@ -56,7 +56,7 @@
lineinfile:
path: /etc/audit/auditd.conf
create: true
- regexp: (?i)^\s*name_format\s*=\s*
+ regexp: (?i)(?i)^\s*name_format\s*=\s*
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -64,7 +64,7 @@
lineinfile:
path: /etc/audit/auditd.conf
create: true
- regexp: (?i)^\s*name_format\s*=\s*
+ regexp: (?i)(?i)^\s*name_format\s*=\s*
line: name_format = {{ auditd_name_format_split }}
state: present
when:
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_overflow_action' differs.
--- xccdf_org.ssgproject.content_rule_auditd_overflow_action
+++ xccdf_org.ssgproject.content_rule_auditd_overflow_action
@@ -19,7 +19,7 @@
lineinfile:
path: /etc/audit/auditd.conf
create: true
- regexp: (?i)^\s*overflow_action\s*=\s*
+ regexp: (?i)(?i)^\s*overflow_action\s*=\s*
state: absent
check_mode: true
changed_when: false
@@ -29,7 +29,7 @@
lineinfile:
path: /etc/audit/auditd.conf
create: true
- regexp: (?i)^\s*overflow_action\s*=\s*
+ regexp: (?i)(?i)^\s*overflow_action\s*=\s*
state: absent
when: dupes.found is defined and dupes.found > 1
@@ -37,7 +37,7 @@
lineinfile:
path: /etc/audit/auditd.conf
create: true
- regexp: (?i)^\s*overflow_action\s*=\s*
+ regexp: (?i)(?i)^\s*overflow_action\s*=\s*
line: overflow_action = syslog
state: present
when:
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_write_logs' differs.
--- xccdf_org.ssgproject.content_rule_auditd_write_logs
+++ xccdf_org.ssg
... The diff is trimmed here ... |
openshift-ci
bot
removed
the
do-not-merge/work-in-progress
|
🤖 A k8s content image for this PR is available at: Click here to see how to deploy itIf you alread have Compliance Operator deployed: Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and: |
jan-cerny
approved these changes
Aug 26, 2024
|
Code Climate has analyzed commit 9ee077e and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 59.4% (0.0% change). View more on Code Climate. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description:
insensitiveoption toansible_lineinfile,ansible_only_lineinfileandansible_set_config_file_dirmacros(?i)for case insensitivity on regex ifinsensitiveoption is enabledinsensitiveoption is default tofalseRationale:
set_config_filemacro, which would be helpful to have for AnsibleReview Hints:
Build the product and test