Merge pull request #169 from ansible-lockdown/devel

Devel to main
ansible-lockdown · Nov 9, 2023 · c91a103 · c91a103
2 parents 897d71e + 3461d49
commit c91a103
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 5 deletions.
diff --git a/Changelog.md b/Changelog.md
@@ -60,6 +60,18 @@ thanks to @lozzolloz
 - #153
 - #154
 
+thanks to @brisky
+
+- #158
+
+thanks to Jeroen0494
+
+- #161
+
+thanks to @r0bc94
+
+- #164
+
 ### v1.0.6
 
 collections links updates since galaxy-ng changes and older ansible versions not supported

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -893,7 +893,7 @@ ubtu22cis_sshd:
     # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.
     # For more info, see https://linux.die.net/man/5/sshd_config
     allow_users: ""
-    # (String) This variable, if spcieifed, configures a list of GROUP name patterns, separated by spaces, to allow SSH access
+    # (String) This variable, if specified, configures a list of GROUP name patterns, separated by spaces, to allow SSH access
     # for users whose primary group or supplementary group list matches one of the patterns. This is done
     # by setting the value of `AllowGroups` option in `/etc/ssh/sshd_config` file.
     # The allow/deny directives process order: DenyUsers, AllowUsers, DenyGroups, AllowGroups.

diff --git a/tasks/section_1/cis_1.6.x.yml b/tasks/section_1/cis_1.6.x.yml
@@ -130,6 +130,7 @@
         changed_when: false
         when:
             - ubtu22cis_apparmor_mode == "enforce"
+
       - name: "1.6.1.3 | AUDIT | Ensure all AppArmor Profiles are in enforce or complain | Set ubtu22cis_apparmor_enforce_only false for GOSS"
         ansible.builtin.set_fact:
             ubtu22cis_apparmor_enforce_only: false

diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml
@@ -80,31 +80,31 @@
             regexp: '^AllowUsers|^#AllowUsers'
             line: 'AllowUsers {{ ubtu22cis_sshd.allow_users }}'
         notify: restart sshd
-        when: "ubtu22cis_sshd['allow_users']|default('') != ''"
+        when: "ubtu22cis_sshd['allow_users']| default('') | length > 0 "
 
       - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add allowed groups"
         ansible.builtin.lineinfile:
             path: /etc/ssh/sshd_config
             regexp: '^AllowGroups|^#AllowGroups'
             line: 'AllowGroups {{ ubtu22cis_sshd.allow_groups }}'
         notify: restart sshd
-        when: "ubtu22cis_sshd['allow_groups']|default('') != ''"
+        when: "ubtu22cis_sshd['allow_groups']| default('') | length > 0"
 
       - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add deny users"
         ansible.builtin.lineinfile:
             path: /etc/ssh/sshd_config
             regexp: '^DenyUsers|^#DenyUsers'
             line: 'DenyUsers {{ ubtu22cis_sshd.deny_users }} '
         notify: restart sshd
-        when: "ubtu22cis_sshd['deny_users']| length > 0"
+        when: "ubtu22cis_sshd['deny_users']| default('') | length > 0"
 
       - name: "5.2.4 | PATCH | Ensure SSH access is limited | Add deny groups"
         ansible.builtin.lineinfile:
             path: /etc/ssh/sshd_config
             regexp: '^DenyGroups|^#DenyGroups'
             line: 'DenyGroups {{ ubtu22cis_sshd.deny_groups }}'
         notify: restart sshd
-        when: "ubtu22cis_sshd['deny_groups']| length > 0"
+        when: "ubtu22cis_sshd['deny_groups']| default('') | length > 0"
   when:
       - ubtu22cis_rule_5_2_4
   tags: