From e747039ad8a19ce042577bd4b2cb2a0fa7b7d4ce Mon Sep 17 00:00:00 2001
From: Bas Meijer
Date: Fri, 9 Feb 2024 22:32:09 +0100
Subject: [PATCH 1/2] PermitRootLogin found in /etc/ssh/sshd_config.d/01-permitrootlogin.conf

---
 tasks/section_5/cis_5.2.x.yml | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml
index 5451cff6..659a11df 100644
--- a/tasks/section_5/cis_5.2.x.yml
+++ b/tasks/section_5/cis_5.2.x.yml
@@ -150,11 +150,18 @@
 - rule_5.2.6

 - name: "5.2.7 | PATCH | Ensure SSH root login is disabled"
- ansible.builtin.lineinfile:
- path: "{{ rhel9_cis_sshd_config_file }}"
- regexp: "^#PermitRootLogin|^PermitRootLogin"
- line: 'PermitRootLogin no'
- validate: sshd -t -f %s
+ block:
+ - name: "5.2.7 | PATCH | Ensure SSH root login is disabled | config file"
+ ansible.builtin.lineinfile:
+ path: "{{ rhel9_cis_sshd_config_file }}"
+ regexp: "^#PermitRootLogin|^PermitRootLogin"
+ line: 'PermitRootLogin no'
+ validate: sshd -t -f %s
+
+ - name: "5.2.7 | PATCH | Ensure SSH root login is disabled | override file"
+ ansible.builtin.file:
+ path: /etc/ssh/sshd_config.d/01-permitrootlogin.conf
+ state: absent
 when:
 - rhel9cis_rule_5_2_7
 tags:
From f90057c00e3e30a9dfb35e00ecd61a07f1a45b30 Mon Sep 17 00:00:00 2001
From: Bas Meijer
Date: Sat, 10 Feb 2024 00:27:33 +0100
Subject: [PATCH 2/2] X11Forwarding found in /etc/ssh/sshd_config.d/50-redhat.conf

---
 tasks/section_5/cis_5.2.x.yml | 20 +++++++++++++++-----
 1 file changed, 15 insertions(+), 5 deletions(-)

diff --git a/tasks/section_5/cis_5.2.x.yml b/tasks/section_5/cis_5.2.x.yml
index 659a11df..7daf6d11 100644
--- a/tasks/section_5/cis_5.2.x.yml
+++ b/tasks/section_5/cis_5.2.x.yml
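Review bot: Removing `/etc/ssh/sshd_config.d/01-permitrootlogin.conf` in the new override task neutralises only that one file name, while sshd applies the first value it reads for a keyword, so if the main config includes `/etc/ssh/sshd_config.d/*.conf` ahead of its own directives (the stock RHEL 9 layout) any other drop-in that sets `PermitRootLogin yes` still wins over the `PermitRootLogin no` written by the first task of the block. The same gap applies to the X11Forwarding block in the second patch, which edits only `50-redhat.conf`. A more robust override step enforces the value across every drop-in instead of targeting one filename; a sketch with `find` plus `replace` follows (the register name is a constructed placeholder). The block's `tags:` list continues outside the hunk.

```yaml
  block:
    # … unchanged: "| config file" lineinfile task on rhel9_cis_sshd_config_file …

    - name: "5.2.7 | PATCH | Ensure SSH root login is disabled | find drop-ins"
      ansible.builtin.find:
        paths: /etc/ssh/sshd_config.d
        patterns: '*.conf'
      register: rhel9cis_5_2_7_dropins  # constructed name

    - name: "5.2.7 | PATCH | Ensure SSH root login is disabled | override files"
      ansible.builtin.replace:
        path: "{{ item.path }}"
        regexp: '^\s*PermitRootLogin\s+.*$'
        replace: 'PermitRootLogin no'
        validate: sshd -t -f %s
      loop: "{{ rhel9cis_5_2_7_dropins.files }}"
      loop_control:
        label: "{{ item.path }}"
  # … unchanged: when / tags of the block …
```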
@@ -232,11 +232,21 @@
 - rule_5.2.11

 - name: "5.2.12 | PATCH | Ensure SSH X11 forwarding is disabled"
- ansible.builtin.lineinfile:
- path: "{{ rhel9_cis_sshd_config_file }}"
- regexp: "^#X11Forwarding|^X11Forwarding"
- line: 'X11Forwarding no'
- validate: sshd -t -f %s
+ block:
+
+ - name: "5.2.12 | PATCH | Ensure SSH X11 forwarding is disabled | config file"
+ ansible.builtin.lineinfile:
+ path: "{{ rhel9_cis_sshd_config_file }}"
+ regexp: "^#X11Forwarding|^X11Forwarding"
+ line: 'X11Forwarding no'
+ validate: sshd -t -f %s
+
+ - name: "5.2.12 | PATCH | Ensure SSH X11 forwarding is disabled | override"
+ ansible.builtin.lineinfile:
+ path: /etc/ssh/sshd_config.d/50-redhat.conf
+ regexp: "^#X11Forwarding|^X11Forwarding"
+ line: 'X11Forwarding no'
+ validate: sshd -t -f %s
 when:
 - rhel9cis_rule_5_2_12
 tags:
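Review bot: The `regexp` on the new `50-redhat.conf` task only matches a directive at column 0, so an indented `X11Forwarding yes` in that file would not be rewritten and `lineinfile` would append `X11Forwarding no` after it, which loses because sshd keeps the first value it reads; `regexp: '^\s*#?X11Forwarding\b'` covers both the commented and the indented forms (the same pattern is used by the config-file task above and by both tasks of the PermitRootLogin block in the first patch). The override task also edits the drop-in in place whereas the PermitRootLogin block removes its override file outright, so the role now carries two strategies for the same problem; pick one and apply it to both. If `50-redhat.conf` is the file shipped by the openssh-server package, a package upgrade may overwrite it, which is worth stating in a comment above the task, e.g. `# vendor drop-in is read via Include before the main config and can re-enable X11Forwarding`. Minor style: the blank line after `block:` and the `| override` suffix differ from the first patch's layout and `| override file` naming. The block's `tags:` list continues outside the hunk.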