sandwich/Ansible-Bootstrap
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix(cis): add pipefail to sshd version detection and define binary defaults

Browse Source
This commit is contained in:
Sandwich
2026-02-20 22:24:14 +01:00
parent a1fbb7c21d
commit 65c5b1029b
2 changed files with 7 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
roles/cis/defaults/main.yml
View File

@@ -1,4 +1,8 @@
--- ---
# Platform-specific binary names for CIS permission targets
cis_fusermount_binary: "{{ 'fusermount3' if is_rhel | default(false) | bool else 'fusermount' }}"
cis_write_binary: "{{ 'write' if is_rhel | default(false) | bool else 'wall' }}"
cis_permission_targets: cis_permission_targets:
- { path: "/mnt/etc/ssh/sshd_config", mode: "0600" } - { path: "/mnt/etc/ssh/sshd_config", mode: "0600" }
- { path: "/mnt/etc/cron.hourly", mode: "0700" } - { path: "/mnt/etc/cron.hourly", mode: "0700" }

4
roles/cis/tasks/sshd.yml
View File

@@ -32,7 +32,9 @@
- name: Detect target OpenSSH version - name: Detect target OpenSSH version
ansible.builtin.shell: >- ansible.builtin.shell: >-
{{ chroot_command }} ssh -V 2>&1 | grep -oP 'OpenSSH_\K[0-9]+\.[0-9]+' set -o pipefail && {{ chroot_command }} ssh -V 2>&1 | grep -oP 'OpenSSH_\K[0-9]+\.[0-9]+'
args:
executable: /bin/bash
register: cis_sshd_openssh_version register: cis_sshd_openssh_version
changed_when: false changed_when: false
failed_when: false failed_when: false