Merge pull request #329 from ansible-lockdown/Feb25

uk-bolly · web-flow · commit 50b9b2c6e6d3 · 2025-02-11T14:55:42.000+01:00
Feb25
diff --git a/tasks/fix-cat2.yml b/tasks/fix-cat2.yml
@@ -2723,7 +2723,7 @@
 - name: "MEDIUM | RHEL-08-010830 | PATCH | RHEL 8 must not allow users to override SSH environment variables."
   ansible.builtin.lineinfile:
       path: /etc/ssh/sshd_config
-      regexp: '(?i)^#?PermitUserEnvironment'
+      regexp: (?i)^\s*PermitUserEnvironment
       line: 'PermitUserEnvironment no'
       validate: '/usr/sbin/sshd -T -f %s'
   notify: restart sshd
@@ -3286,7 +3286,7 @@
       line: "{{ item.line }}"
   loop:
       - { regexp: '^(?#)\s*StopIdleSessionSec\s*=', line: "StopIdleSessionSec={{ rhel_08_020035_idlesessiontimeout }}" }
-      - { regexp: '^(?#)\s*KillUserProccesses\s*=', line: "KillUserProccesses=no" }
+      - { regexp: '^(?#)\s*KillUserProcesses\s*=', line: "KillUserProcesses=no" }
   notify: Restart_systemdlogin
   when:
       - rhel_08_020035
@@ -6161,30 +6161,12 @@
       "MEDIUM | RHEL-08-040120 | PATCH | RHEL 8 must mount /dev/shm with the nodev option."
       "MEDIUM | RHEL-08-040121 | PATCH | RHEL 8 must mount /dev/shm with the nosuid option."
       "MEDIUM | RHEL-08-040122 | PATCH | RHEL 8 must mount /dev/shm with the noexec option."
-  block:
-      - name: |
-            "MEDIUM | RHEL-08-040120 | AUDIT | RHEL 8 must mount /dev/shm with the nodev option."
-            "MEDIUM | RHEL-08-040121 | AUDIT | RHEL 8 must mount /dev/shm with the nosuid option."
-            "MEDIUM | RHEL-08-040122 | AUDIT | RHEL 8 must mount /dev/shm with the noexec option."
-        ansible.builtin.shell: mount | grep /dev/shm
-        changed_when: false
-        failed_when: false
-        register: rhel8stig_040120_dev_shm_status
-
-      - name: |
-            "MEDIUM | RHEL-08-040120 | PATCH | RHEL 8 must mount /dev/shm with the nodev option."
-            "MEDIUM | RHEL-08-040121 | PATCH | RHEL 8 must mount /dev/shm with the nosuid option."
-            "MEDIUM | RHEL-08-040122 | PATCH | RHEL 8 must mount /dev/shm with the noexec option."
-        ansible.posix.mount:
-            path: "{{ item.mount }}"
-            state: mounted
-            src: "{{ item.device }}"
-            fstype: "{{ item.fstype }}"
-            opts: "defaults{{ rhel_08_040120 | ternary (',nodev', '') }}{{ rhel_08_040121 | ternary (',nosuid', '') }}{{ rhel_08_040122 | ternary (',noexec', '') }}"
-        loop: "{{ ansible_facts.mounts }}"
-        when:
-            - item.mount == '/dev/shm'
-            - rhel8stig_040120_dev_shm_status.stdout | length > 0
+  ansible.posix.mount:
+      path: /dev/shm
+      state: mounted
+      src: tmpfs
+      fstype: tmpfs
+      opts: "defaults{{ rhel_08_040120 | ternary (',nodev', '') }}{{ rhel_08_040121 | ternary (',nosuid', '') }}{{ rhel_08_040122 | ternary (',noexec', '') }}"
   when:
       - rhel_08_040120 or
         rhel_08_040121 or
