From 65c5b1029bf01799a0391cccf334c92543c2516e Mon Sep 17 00:00:00 2001
From: Sandwich
Date: Fri, 20 Feb 2026 22:24:14 +0100
Subject: [PATCH] fix(cis): add pipefail to sshd version detection and define binary defaults

---
 roles/cis/defaults/main.yml | 4 ++++
 roles/cis/tasks/sshd.yml | 4 +++-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/roles/cis/defaults/main.yml b/roles/cis/defaults/main.yml
index 6b3fd64..0a3611b 100644
--- a/roles/cis/defaults/main.yml
+++ b/roles/cis/defaults/main.yml
@@ -1,4 +1,8 @@
 ---
+# Platform-specific binary names for CIS permission targets
+cis_fusermount_binary: "{{ 'fusermount3' if is_rhel | default(false) | bool else 'fusermount' }}"
+cis_write_binary: "{{ 'write' if is_rhel | default(false) | bool else 'wall' }}"
+
 cis_permission_targets:
 - { path: "/mnt/etc/ssh/sshd_config", mode: "0600" }
 - { path: "/mnt/etc/cron.hourly", mode: "0700" }
diff --git a/roles/cis/tasks/sshd.yml b/roles/cis/tasks/sshd.yml
index cee50e9..e22807e 100644
--- a/roles/cis/tasks/sshd.yml
+++ b/roles/cis/tasks/sshd.yml
@@ -32,7 +32,9 @@
 - name: Detect target OpenSSH version
 ansible.builtin.shell: >-
- {{ chroot_command }} ssh -V 2>&1 | grep -oP 'OpenSSH_\K[0-9]+\.[0-9]+'
+ set -o pipefail && {{ chroot_command }} ssh -V 2>&1 | grep -oP 'OpenSSH_\K[0-9]+\.[0-9]+'
+ args:
+ executable: /bin/bash
 register: cis_sshd_openssh_version
 changed_when: false
 failed_when: false
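Review bot: Both new defaults, `cis_fusermount_binary` and `cis_write_binary`, silently select the Debian-family names (`fusermount`, `wall`) whenever `is_rhel` is undefined, because of `default(false)`; on a host where that variable was never set, the permission-hardening task that consumes them (not visible in this hunk) would quietly target the wrong binary rather than fail. The header comment should say so and name the variable it depends on, e.g. `# Selected by is_rhel (presumably set by the inventory or an earlier fact task); when it is unset the Debian-family names are used.` If the role can tolerate it, an `ansible.builtin.assert` that `is_rhel is defined` before these defaults are consumed would turn that silent fallback into a visible error. The `cis_permission_targets` list shown below the new lines does not reference either variable, so their consumer is outside this hunk.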
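Review bot: With `failed_when: false` kept on the task, the new `set -o pipefail` only changes the registered `rc`; a missing or non-executable `ssh` inside the chroot still leaves `cis_sshd_openssh_version.stdout` empty and the play continues, so the pipefail has no effect unless something later inspects `rc` or the empty stdout. Either replace the last line with `failed_when: cis_sshd_openssh_version.rc != 0 or cis_sshd_openssh_version.stdout | length == 0`, or keep the best-effort behaviour and add an explicit check before the version string is compared. The `executable: /bin/bash` addition is needed for `set -o pipefail` and is correct. The task list this hunk belongs to continues outside the hunk, so where the version is consumed cannot be confirmed here.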