ansible-lockdown / RHEL7-STIG

Ansible role for Red Hat 7 STIG Baseline
MIT License

RHEL-07-040350 not applying on RHEL7 Workstations #405

Closed JosephHoffman closed 1 year ago

JosephHoffman commented 2 years ago

Describe the Issue RHEL-07-040350 is not properly applying on RHEL7 Workstations by not uncommenting the #IgnoreRhosts yes in /etc/ssh/sshd_config

Expected Behavior Post running this playbook the line #IgnoreRhosts yes should change to IgnoreRhosts yes

Actual Behavior Regex does not seem to be finding the syntax for #IgnoreRhosts yes

Control(s) Affected RHEL-07-040350

Environment (please complete the following information):

Additional Notes This is configured in fix-cat2.yml line 3420

```yaml
- name: "MEDIUM | RHEL-07-040350 | PATCH | The Red Hat Enterprise Linux operating system must be configured so that the SSH daemon does not allow authentication using rhosts authentication."
  lineinfile:
      dest: /etc/ssh/sshd_config
      regexp: "(?i)^#?IgnoreRhosts"
      line: IgnoreRhosts yes
      validate: /usr/sbin/sshd -t -f %s
  notify: restart sshd
  when:
      - rhel_07_040350
      - rhel7stig_ssh_required
  tags:
      - RHEL-07-040350
      - CAT2
      - CCI-000366
      - SRG-OS-000480-GPOS-00227
      - SV-204590r603261_rule
      - V-204590
      - ssh
```

Possible Solution The regex seems to be invalid and needs modification on line 3420 of cat-fix2.yml

Currently: "(?i)^#?IgnoreRhosts" Change to: "^#IgnoreRhosts"

This regex seems to function properly.

bordenit commented 2 years ago

(?i)^#?.?IgnoreRhosts

Would match:

IgnoreRhosts
#IgnoreRhosts
# IgnoreRhosts

Might want to lock it in more though so it wouldn't match something like IgnoreRhosts22 or IIgnoreRhosts:

(?i)^#?\ ?w*IgnoreRhosts\b
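To see how each regexp quoted in this thread behaves the way `lineinfile` uses it, here is an added Python check (not code from the role or from either commenter). The `sshd_config` fragment is constructed, and the last-match-or-append replacement mimics `lineinfile` with `state: present`; it also shows that the proposed `^#IgnoreRhosts` appends a duplicate line on a second run, and that the original regexp can latch onto a near-miss line instead of the commented default.

```python
import re

# Constructed sshd_config fragment (not taken from any real host): the stock
# commented default plus two deliberate near-miss lines.
SSHD_CONFIG = """\
# Authentication:
#IgnoreRhosts yes
# IgnoreRhosts no
IgnoreRhosts22 no
"""

# Candidate regexps exactly as they appear in the issue and the first reply.
CANDIDATES = {
    "original":   r"(?i)^#?IgnoreRhosts",
    "proposed":   r"^#IgnoreRhosts",
    "bordenit_1": r"(?i)^#?.?IgnoreRhosts",
    "bordenit_2": r"(?i)^#?\ ?w*IgnoreRhosts\b",
}


def matching_lines(pattern, text):
    """Lines that `pattern` matches with re.search, which is what lineinfile uses."""
    rx = re.compile(pattern)
    return [line for line in text.splitlines() if rx.search(line)]


def lineinfile_present(text, pattern, line):
    """Mimic lineinfile state=present: replace the LAST matching line, else append."""
    lines = text.splitlines()
    rx = re.compile(pattern)
    hits = [i for i, cur in enumerate(lines) if rx.search(cur)]
    if hits:
        lines[hits[-1]] = line
    else:
        lines.append(line)
    return "\n".join(lines) + "\n"


def effective_ignore_rhosts(text):
    """sshd honours the first uncommented occurrence of a keyword; return its value."""
    for cur in text.splitlines():
        parts = cur.split()
        if len(parts) >= 2 and parts[0].lower() == "ignorerhosts":
            return parts[1].lower()
    return None


def report(text=SSHD_CONFIG):
    """Which sample lines each candidate regexp would select."""
    return {name: matching_lines(rx, text) for name, rx in CANDIDATES.items()}
```

Run `report()` to compare the candidates side by side; the `IgnoreRhosts22` line shows why the `\b` in the last pattern matters, and the `# IgnoreRhosts` line shows which patterns tolerate a space after the comment marker.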

uk-bolly commented 1 year ago

hi @bordenit

Thank you again for raising this issue. This has now been merged into the devel branch. Aiming to put this into main if all is well in the next couple of weeks.

many thanks again

uk-bolly