fix(cis): add pipefail to sshd version detection and define binary defaults

roles/cis/defaults/main.yml

@@ -1,4 +1,8 @@
 ---
+# Platform-specific binary names for CIS permission targets
+cis_fusermount_binary: "{{ 'fusermount3' if is_rhel | default(false) | bool else 'fusermount' }}"
+cis_write_binary: "{{ 'write' if is_rhel | default(false) | bool else 'wall' }}"
+
 cis_permission_targets:
   - { path: "/mnt/etc/ssh/sshd_config", mode: "0600" }
   - { path: "/mnt/etc/cron.hourly", mode: "0700" }

roles/cis/tasks/sshd.yml

@@ -32,7 +32,9 @@
 
 - name: Detect target OpenSSH version
   ansible.builtin.shell: >-
-    {{ chroot_command }} ssh -V 2>&1 | grep -oP 'OpenSSH_\K[0-9]+\.[0-9]+'
+    set -o pipefail && {{ chroot_command }} ssh -V 2>&1 | grep -oP 'OpenSSH_\K[0-9]+\.[0-9]+'
+  args:
+    executable: /bin/bash
   register: cis_sshd_openssh_version
   changed_when: false
   failed_when: false