Add insensitive option to ansible_lineinfile macro #12314

@ghost ghost commented Aug 19, 2024

Description:

  • Add insensitive option to ansible_lineinfile, ansible_only_lineinfile and ansible_set_config_file_dir macros
  • Applies (?i) for case insensitivity on regex if insensitive option is enabled
  • insensitive option defaults to false

Rationale:

Review Hints:

Build the product and test

./build_product
cd build
ctest

cd ../tests
./automatus.py ... use related products to test

openshift-ci bot added the do-not-merge/work-in-progress and needs-ok-to-test labels Aug 19, 2024

openshift-ci bot commented Aug 19, 2024

Hi @yunimoo. Thanks for your PR.

I'm waiting for a ComplianceAsCode member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.


This datastream diff is auto generated by the check Compare DS/Generate Diff.
Due to the excessive size of the diff, it has been trimmed to fit the 65535-character limit.

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_ciphers_openssh_conf_crypto_policy
@@ -11,7 +11,7 @@
     lineinfile:
       path: /etc/crypto-policies/back-ends/openssh.config
       create: true
-      regexp: ^.*Ciphers\s+
+      regexp: (?i)^.*Ciphers\s+
       state: absent
     check_mode: true
     changed_when: false
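
Review bot: The `regexp:` line still opens with `^.*`, so once `(?i)` is applied it matches any line that contains "ciphers" followed by whitespace in any case, including a comment, and this check-mode task counts such lines as duplicates that the next task then deletes. Anchor on the keyword instead, for example `(?i)^\s*Ciphers\s+`, so the case-insensitive match only widens to real directive lines.
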
@@ -21,7 +21,7 @@
     lineinfile:
       path: /etc/crypto-policies/back-ends/openssh.config
       create: true
-      regexp: ^.*Ciphers\s+
+      regexp: (?i)^.*Ciphers\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -29,7 +29,7 @@
     lineinfile:
       path: /etc/crypto-policies/back-ends/openssh.config
       create: true
-      regexp: ^.*Ciphers\s+
+      regexp: (?i)^.*Ciphers\s+
       line: Ciphers {{ sshd_approved_ciphers }}
       state: present
   tags:

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy' differs.
--- xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy
+++ xccdf_org.ssgproject.content_rule_harden_sshd_macs_openssh_conf_crypto_policy
@@ -11,7 +11,7 @@
     lineinfile:
       path: /etc/crypto-policies/back-ends/openssh.config
       create: true
-      regexp: ^.*MACs\s+
+      regexp: (?i)^.*MACs\s+
       state: absent
     check_mode: true
     changed_when: false
@@ -21,7 +21,7 @@
     lineinfile:
       path: /etc/crypto-policies/back-ends/openssh.config
       create: true
-      regexp: ^.*MACs\s+
+      regexp: (?i)^.*MACs\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -29,7 +29,7 @@
     lineinfile:
       path: /etc/crypto-policies/back-ends/openssh.config
       create: true
-      regexp: ^.*MACs\s+
+      regexp: (?i)^.*MACs\s+
       line: MACs {{ sshd_approved_macs }}
       state: present
   tags:

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_local' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_local
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_local
@@ -15,6 +15,7 @@
   lineinfile:
     path: /etc/security/pwquality.conf
     create: true
+    regexp: ''
     line: local_users_only
     state: present
   when: '"pam" in ansible_facts.packages'
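
Review bot: The added `regexp: ''` is a behaviour change, not a no-op: an empty pattern matches every line, so with `state: present` lineinfile replaces the last line of /etc/security/pwquality.conf with `local_users_only` instead of adding the line when it is missing. The macro should emit `regexp:` only when the caller passed a non-empty pattern, as the old output did.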

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_root' differs.
--- xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_root
+++ xccdf_org.ssgproject.content_rule_accounts_password_pam_enforce_root
@@ -18,6 +18,7 @@
   lineinfile:
     path: /etc/security/pwquality.conf
     create: true
+    regexp: ''
     line: enforce_for_root
     state: present
   when: '"pam" in ansible_facts.packages'
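
Review bot: Same empty `regexp: ''` as in the previous rule, and it interacts with it: both tasks edit /etc/security/pwquality.conf and each would target the file's last line, so this task can overwrite the `local_users_only` line the other remediation just wrote with `enforce_for_root`. A test scenario that applies both rules to a file with existing content would catch this.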

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_configure_tmux_lock_after_time' differs.
--- xccdf_org.ssgproject.content_rule_configure_tmux_lock_after_time
+++ xccdf_org.ssgproject.content_rule_configure_tmux_lock_after_time
@@ -18,7 +18,7 @@
     lineinfile:
       path: /etc/tmux.conf
       create: true
-      regexp: ^\s*set -g lock-after-time\s+
+      regexp: (?i)^\s*set -g lock-after-time\s+
       mode: '0644'
       state: absent
     check_mode: true
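
Review bot: `(?i)` appears on the `regexp:` line here although the description says the insensitive option defaults to false, so either this template opts in or the macro applies the prefix unconditionally. For tmux.conf it is also the wrong match: tmux flags are case-sensitive (`-g` is not `-G`), so the pattern now counts and removes lines that are not the setting being remediated. Please make the generated output for rules that do not set the option identical to the old output.
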
@@ -29,7 +29,7 @@
     lineinfile:
       path: /etc/tmux.conf
       create: true
-      regexp: ^\s*set -g lock-after-time\s+
+      regexp: (?i)^\s*set -g lock-after-time\s+
       mode: '0644'
       state: absent
     when: dupes.found is defined and dupes.found > 1
@@ -38,7 +38,7 @@
     lineinfile:
       path: /etc/tmux.conf
       create: true
-      regexp: ^\s*set -g lock-after-time\s+
+      regexp: (?i)^\s*set -g lock-after-time\s+
       mode: '0644'
       line: set -g lock-after-time 900
       state: present

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_configure_tmux_lock_command' differs.
--- xccdf_org.ssgproject.content_rule_configure_tmux_lock_command
+++ xccdf_org.ssgproject.content_rule_configure_tmux_lock_command
@@ -21,7 +21,7 @@
     lineinfile:
       path: /etc/tmux.conf
       create: true
-      regexp: ^\s*set -g lock-command\s+
+      regexp: (?i)^\s*set -g lock-command\s+
       mode: '0644'
       state: absent
     check_mode: true
@@ -32,7 +32,7 @@
     lineinfile:
       path: /etc/tmux.conf
       create: true
-      regexp: ^\s*set -g lock-command\s+
+      regexp: (?i)^\s*set -g lock-command\s+
       mode: '0644'
       state: absent
     when: dupes.found is defined and dupes.found > 1
@@ -41,7 +41,7 @@
     lineinfile:
       path: /etc/tmux.conf
       create: true
-      regexp: ^\s*set -g lock-command\s+
+      regexp: (?i)^\s*set -g lock-command\s+
       mode: '0644'
       line: set -g lock-command vlock
       state: present

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_configure_tmux_lock_keybinding' differs.
--- xccdf_org.ssgproject.content_rule_configure_tmux_lock_keybinding
+++ xccdf_org.ssgproject.content_rule_configure_tmux_lock_keybinding
@@ -15,7 +15,7 @@
   lineinfile:
     path: /etc/tmux.conf
     create: true
-    regexp: \s*bind\s+\w\s+lock-session.*$
+    regexp: (?i)\s*bind\s+\w\s+lock-session.*$
     mode: '0644'
     state: absent
   check_mode: true
@@ -38,7 +38,7 @@
   lineinfile:
     path: /etc/tmux.conf
     create: true
-    regexp: \s*bind\s+\w\s+lock-session.*$
+    regexp: (?i)\s*bind\s+\w\s+lock-session.*$
     mode: '0644'
     state: absent
   when:
@@ -59,7 +59,7 @@
   lineinfile:
     path: /etc/tmux.conf
     create: true
-    regexp: \s*bind\s+\w\s+lock-session.*$
+    regexp: (?i)\s*bind\s+\w\s+lock-session.*$
     mode: '0644'
     line: bind X lock-session
     state: present

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_accounts_have_homedir_login_defs' differs.
--- xccdf_org.ssgproject.content_rule_accounts_have_homedir_login_defs
+++ xccdf_org.ssgproject.content_rule_accounts_have_homedir_login_defs
@@ -18,7 +18,7 @@
     lineinfile:
       path: /etc/login.defs
       create: true
-      regexp: ^\s*CREATE_HOME\s+
+      regexp: (?i)^\s*CREATE_HOME\s+
       state: absent
     check_mode: true
     changed_when: false
@@ -28,7 +28,7 @@
     lineinfile:
       path: /etc/login.defs
       create: true
-      regexp: ^\s*CREATE_HOME\s+
+      regexp: (?i)^\s*CREATE_HOME\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -36,7 +36,7 @@
     lineinfile:
       path: /etc/login.defs
       create: true
-      regexp: ^\s*CREATE_HOME\s+
+      regexp: (?i)^\s*CREATE_HOME\s+
       line: CREATE_HOME yes
       state: present
   when: '"shadow-utils" in ansible_facts.packages'

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode' differs.
--- xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode
+++ xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdriverauthmode
@@ -5,7 +5,7 @@
     lineinfile:
       path: /etc/rsyslog.conf
       create: false
-      regexp: ^\s*{{ "$ActionSendStreamDriverAuthMode"| regex_escape }}\s
+      regexp: (?i)^\s*{{ "$ActionSendStreamDriverAuthMode"| regex_escape }}\s
       state: absent
 
   - name: Check if /etc/rsyslog.d exists
@@ -26,7 +26,7 @@
     lineinfile:
       path: '{{ item.path }}'
       create: false
-      regexp: ^\s*{{ "$ActionSendStreamDriverAuthMode"| regex_escape }}\s
+      regexp: (?i)^\s*{{ "$ActionSendStreamDriverAuthMode"| regex_escape }}\s
       state: absent
     with_items: '{{ _etc_rsyslog_d_has_parameter.files }}'
     when: _etc_rsyslog_d_has_parameter.matched
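
Review bot: The deletion pattern on the `regexp:` line is now case-insensitive, but the task that populates `_etc_rsyslog_d_has_parameter` does not appear in this diff, so the file search and the removal can disagree: if that search is still case-sensitive, a drop-in file holding only a differently cased directive is never in `with_items` and is left in place. Apply the same flag to the search pattern, or keep both case-sensitive.
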
@@ -35,7 +35,7 @@
     lineinfile:
       path: /etc/rsyslog.conf
       create: true
-      regexp: ^\s*{{ "$ActionSendStreamDriverAuthMode"| regex_escape }}\s
+      regexp: (?i)^\s*{{ "$ActionSendStreamDriverAuthMode"| regex_escape }}\s
       line: $ActionSendStreamDriverAuthMode x509/name
       state: present
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdrivermode' differs.
--- xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdrivermode
+++ xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_actionsendstreamdrivermode
@@ -5,7 +5,7 @@
     lineinfile:
       path: /etc/rsyslog.conf
       create: false
-      regexp: '^\s*{{ "$ActionSendStreamDriverMode"| regex_escape }} '
+      regexp: '(?i)^\s*{{ "$ActionSendStreamDriverMode"| regex_escape }} '
       state: absent
 
   - name: Check if /etc/rsyslog.d exists
@@ -26,7 +26,7 @@
     lineinfile:
       path: '{{ item.path }}'
       create: false
-      regexp: '^\s*{{ "$ActionSendStreamDriverMode"| regex_escape }} '
+      regexp: '(?i)^\s*{{ "$ActionSendStreamDriverMode"| regex_escape }} '
       state: absent
     with_items: '{{ _etc_rsyslog_d_has_parameter.files }}'
     when: _etc_rsyslog_d_has_parameter.matched
@@ -35,7 +35,7 @@
     lineinfile:
       path: /etc/rsyslog.conf
       create: true
-      regexp: '^\s*{{ "$ActionSendStreamDriverMode"| regex_escape }} '
+      regexp: '(?i)^\s*{{ "$ActionSendStreamDriverMode"| regex_escape }} '
       line: $ActionSendStreamDriverMode 1
       state: present
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_defaultnetstreamdriver' differs.
--- xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_defaultnetstreamdriver
+++ xccdf_org.ssgproject.content_rule_rsyslog_encrypt_offload_defaultnetstreamdriver
@@ -5,7 +5,7 @@
     lineinfile:
       path: /etc/rsyslog.conf
       create: false
-      regexp: '^\s*{{ "$DefaultNetstreamDriver"| regex_escape }} '
+      regexp: '(?i)^\s*{{ "$DefaultNetstreamDriver"| regex_escape }} '
       state: absent
 
   - name: Check if /etc/rsyslog.d exists
@@ -26,7 +26,7 @@
     lineinfile:
       path: '{{ item.path }}'
       create: false
-      regexp: '^\s*{{ "$DefaultNetstreamDriver"| regex_escape }} '
+      regexp: '(?i)^\s*{{ "$DefaultNetstreamDriver"| regex_escape }} '
       state: absent
     with_items: '{{ _etc_rsyslog_d_has_parameter.files }}'
     when: _etc_rsyslog_d_has_parameter.matched
@@ -35,7 +35,7 @@
     lineinfile:
       path: /etc/rsyslog.conf
       create: true
-      regexp: '^\s*{{ "$DefaultNetstreamDriver"| regex_escape }} '
+      regexp: '(?i)^\s*{{ "$DefaultNetstreamDriver"| regex_escape }} '
       line: $DefaultNetstreamDriver gtls
       state: present
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_firewalld-backend' differs.
--- xccdf_org.ssgproject.content_rule_firewalld-backend
+++ xccdf_org.ssgproject.content_rule_firewalld-backend
@@ -20,7 +20,7 @@
     lineinfile:
       path: /etc/firewalld/firewalld.conf
       create: true
-      regexp: ^\s*FirewallBackend=
+      regexp: (?i)^\s*FirewallBackend=
       state: absent
     check_mode: true
     changed_when: false
@@ -30,7 +30,7 @@
     lineinfile:
       path: /etc/firewalld/firewalld.conf
       create: true
-      regexp: ^\s*FirewallBackend=
+      regexp: (?i)^\s*FirewallBackend=
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -38,7 +38,7 @@
     lineinfile:
       path: /etc/firewalld/firewalld.conf
       create: true
-      regexp: ^\s*FirewallBackend=
+      regexp: (?i)^\s*FirewallBackend=
       line: FirewallBackend=nftables
       state: present
       insertbefore: ^# FirewallBackend
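
Review bot: Only `regexp:` gets the `(?i)` prefix in this hunk; `insertbefore: ^# FirewallBackend` on the last line stays case-sensitive. The two patterns describe the same key, so they should share the flag, otherwise the placement of a newly inserted line depends on how the commented default happens to be cased.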

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_selinux_not_disabled' differs.
--- xccdf_org.ssgproject.content_rule_selinux_not_disabled
+++ xccdf_org.ssgproject.content_rule_selinux_not_disabled
@@ -5,7 +5,7 @@
     lineinfile:
       path: /etc/selinux/config
       create: true
-      regexp: ^SELINUX=
+      regexp: (?i)^SELINUX=
       state: absent
     check_mode: true
     changed_when: false
@@ -15,7 +15,7 @@
     lineinfile:
       path: /etc/selinux/config
       create: true
-      regexp: ^SELINUX=
+      regexp: (?i)^SELINUX=
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -23,7 +23,7 @@
     lineinfile:
       path: /etc/selinux/config
       create: true
-      regexp: ^SELINUX=
+      regexp: (?i)^SELINUX=
       line: SELINUX=permissive
       state: present
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_selinux_policytype' differs.
--- xccdf_org.ssgproject.content_rule_selinux_policytype
+++ xccdf_org.ssgproject.content_rule_selinux_policytype
@@ -11,7 +11,7 @@
     lineinfile:
       path: /etc/selinux/config
       create: true
-      regexp: ^SELINUXTYPE=
+      regexp: (?i)^SELINUXTYPE=
       state: absent
     check_mode: true
     changed_when: false
@@ -21,7 +21,7 @@
     lineinfile:
       path: /etc/selinux/config
       create: true
-      regexp: ^SELINUXTYPE=
+      regexp: (?i)^SELINUXTYPE=
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -29,7 +29,7 @@
     lineinfile:
       path: /etc/selinux/config
       create: true
-      regexp: ^SELINUXTYPE=
+      regexp: (?i)^SELINUXTYPE=
       line: SELINUXTYPE={{ var_selinux_policy_name }}
       state: present
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_selinux_state' differs.
--- xccdf_org.ssgproject.content_rule_selinux_state
+++ xccdf_org.ssgproject.content_rule_selinux_state
@@ -11,7 +11,7 @@
     lineinfile:
       path: /etc/selinux/config
       create: true
-      regexp: ^SELINUX=
+      regexp: (?i)^SELINUX=
       state: absent
     check_mode: true
     changed_when: false
@@ -21,7 +21,7 @@
     lineinfile:
       path: /etc/selinux/config
       create: true
-      regexp: ^SELINUX=
+      regexp: (?i)^SELINUX=
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -29,7 +29,7 @@
     lineinfile:
       path: /etc/selinux/config
       create: true
-      regexp: ^SELINUX=
+      regexp: (?i)^SELINUX=
       line: SELINUX={{ var_selinux_state }}
       state: present
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias_postmaster' differs.
--- xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias_postmaster
+++ xccdf_org.ssgproject.content_rule_postfix_client_configure_mail_alias_postmaster
@@ -5,7 +5,7 @@
     lineinfile:
       path: /etc/aliases
       create: true
-      regexp: ^\s*postmaster\s*:\s*
+      regexp: (?i)^\s*postmaster\s*:\s*
       state: absent
     check_mode: true
     changed_when: false
@@ -15,7 +15,7 @@
     lineinfile:
       path: /etc/aliases
       create: true
-      regexp: ^\s*postmaster\s*:\s*
+      regexp: (?i)^\s*postmaster\s*:\s*
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -23,7 +23,7 @@
     lineinfile:
       path: /etc/aliases
       create: true
-      regexp: ^\s*postmaster\s*:\s*
+      regexp: (?i)^\s*postmaster\s*:\s*
       line: 'postmaster: root'
       state: present
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled' differs.
--- xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled
+++ xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled
@@ -27,7 +27,7 @@
   lineinfile:
     path: /etc/postfix/main.cf
     create: false
-    regexp: ^inet_interfaces\s*=\s.*
+    regexp: (?i)^inet_interfaces\s*=\s.*
     line: inet_interfaces = {{ var_postfix_inet_interfaces }}
     state: present
     insertafter: ^inet_interfaces\s*=\s.*
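
Review bot: The `regexp:` line gains `(?i)` but still requires a whitespace character after `=` (`\s*=\s.*`), so `inet_interfaces=all` written without a space is not matched in any case and the task adds a second `inet_interfaces` line instead of replacing it. If the goal is to catch formatting variants, use `\s*=\s*` here, and give `insertafter:` the same pattern and flag as `regexp:`.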

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay' differs.
--- xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay
+++ xccdf_org.ssgproject.content_rule_postfix_prevent_unrestricted_relay
@@ -18,7 +18,7 @@
     lineinfile:
       path: /etc/postfix/main.cf
       create: true
-      regexp: ^[ \t]*smtpd_client_restrictions\s*=\s*
+      regexp: (?i)^[ \t]*smtpd_client_restrictions\s*=\s*
       state: absent
     check_mode: true
     changed_when: false
@@ -28,7 +28,7 @@
     lineinfile:
       path: /etc/postfix/main.cf
       create: true
-      regexp: ^[ \t]*smtpd_client_restrictions\s*=\s*
+      regexp: (?i)^[ \t]*smtpd_client_restrictions\s*=\s*
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -36,7 +36,7 @@
     lineinfile:
       path: /etc/postfix/main.cf
       create: true
-      regexp: ^[ \t]*smtpd_client_restrictions\s*=\s*
+      regexp: (?i)^[ \t]*smtpd_client_restrictions\s*=\s*
       line: smtpd_client_restrictions = permit_mynetworks,reject
       state: present
   when:

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_chronyd_client_only' differs.
--- xccdf_org.ssgproject.content_rule_chronyd_client_only
+++ xccdf_org.ssgproject.content_rule_chronyd_client_only
@@ -5,7 +5,7 @@
     lineinfile:
       path: /etc/chrony.conf
       create: true
-      regexp: ^\s*port\s+
+      regexp: (?i)^\s*port\s+
       state: absent
     check_mode: true
     changed_when: false
@@ -15,7 +15,7 @@
     lineinfile:
       path: /etc/chrony.conf
       create: true
-      regexp: ^\s*port\s+
+      regexp: (?i)^\s*port\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -23,7 +23,7 @@
     lineinfile:
       path: /etc/chrony.conf
       create: true
-      regexp: ^\s*port\s+
+      regexp: (?i)^\s*port\s+
       line: port 0
       state: present
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network' differs.
--- xccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network
+++ xccdf_org.ssgproject.content_rule_chronyd_no_chronyc_network
@@ -5,7 +5,7 @@
     lineinfile:
       path: /etc/chrony.conf
       create: true
-      regexp: ^\s*cmdport\s+
+      regexp: (?i)^\s*cmdport\s+
       state: absent
     check_mode: true
     changed_when: false
@@ -15,7 +15,7 @@
     lineinfile:
       path: /etc/chrony.conf
       create: true
-      regexp: ^\s*cmdport\s+
+      regexp: (?i)^\s*cmdport\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -23,7 +23,7 @@
     lineinfile:
       path: /etc/chrony.conf
       create: true
-      regexp: ^\s*cmdport\s+
+      regexp: (?i)^\s*cmdport\s+
       line: cmdport 0
       state: present
   when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0
+++ xccdf_org.ssgproject.content_rule_sshd_set_keepalive_0
@@ -5,7 +5,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*ClientAliveCountMax\s+
+      regexp: (?i)(?i)^\s*ClientAliveCountMax\s+
       state: absent
     check_mode: true
     changed_when: false
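
Review bot: The `regexp:` line now reads `(?i)(?i)^\s*ClientAliveCountMax\s+`: the pattern already carried a hand-written `(?i)` and the macro prepends a second one. The same duplication repeats in every sshd_config rule below. Drop the literal `(?i)` from the callers that now set the insensitive option, or have the macro skip the prefix when the pattern already starts with it, so the datastream diff for these rules is empty.
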
@@ -15,7 +15,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*ClientAliveCountMax\s+
+      regexp: (?i)(?i)^\s*ClientAliveCountMax\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -23,7 +23,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*ClientAliveCountMax\s+
+      regexp: (?i)(?i)^\s*ClientAliveCountMax\s+
       line: ClientAliveCountMax 0
       state: present
       insertbefore: BOF

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_keepalive' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_keepalive
+++ xccdf_org.ssgproject.content_rule_sshd_set_keepalive
@@ -11,7 +11,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*ClientAliveCountMax\s+
+      regexp: (?i)(?i)^\s*ClientAliveCountMax\s+
       state: absent
     check_mode: true
     changed_when: false
@@ -21,7 +21,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*ClientAliveCountMax\s+
+      regexp: (?i)(?i)^\s*ClientAliveCountMax\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -29,7 +29,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*ClientAliveCountMax\s+
+      regexp: (?i)(?i)^\s*ClientAliveCountMax\s+
       line: ClientAliveCountMax {{ var_sshd_set_keepalive }}
       state: present
       insertbefore: BOF

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
+++ xccdf_org.ssgproject.content_rule_sshd_set_idle_timeout
@@ -11,7 +11,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*ClientAliveInterval\s+
+      regexp: (?i)(?i)^\s*ClientAliveInterval\s+
       state: absent
     check_mode: true
     changed_when: false
@@ -21,7 +21,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*ClientAliveInterval\s+
+      regexp: (?i)(?i)^\s*ClientAliveInterval\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -29,7 +29,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*ClientAliveInterval\s+
+      regexp: (?i)(?i)^\s*ClientAliveInterval\s+
       line: ClientAliveInterval {{ sshd_idle_timeout_value }}
       state: present
       insertbefore: BOF

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_disable_host_auth' differs.
--- xccdf_org.ssgproject.content_rule_disable_host_auth
+++ xccdf_org.ssgproject.content_rule_disable_host_auth
@@ -5,7 +5,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*HostbasedAuthentication\s+
+      regexp: (?i)(?i)^\s*HostbasedAuthentication\s+
       state: absent
     check_mode: true
     changed_when: false
@@ -15,7 +15,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*HostbasedAuthentication\s+
+      regexp: (?i)(?i)^\s*HostbasedAuthentication\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -23,7 +23,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*HostbasedAuthentication\s+
+      regexp: (?i)(?i)^\s*HostbasedAuthentication\s+
       line: HostbasedAuthentication no
       state: present
       insertbefore: BOF

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2' differs.
--- xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2
+++ xccdf_org.ssgproject.content_rule_sshd_allow_only_protocol2
@@ -5,7 +5,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*Protocol\s+
+      regexp: (?i)(?i)^\s*Protocol\s+
       state: absent
     check_mode: true
     changed_when: false
@@ -15,7 +15,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*Protocol\s+
+      regexp: (?i)(?i)^\s*Protocol\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -23,7 +23,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*Protocol\s+
+      regexp: (?i)(?i)^\s*Protocol\s+
       line: Protocol 2
       state: present
       insertbefore: BOF

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_compression' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_compression
+++ xccdf_org.ssgproject.content_rule_sshd_disable_compression
@@ -11,7 +11,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*Compression\s+
+      regexp: (?i)(?i)^\s*Compression\s+
       state: absent
     check_mode: true
     changed_when: false
@@ -21,7 +21,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*Compression\s+
+      regexp: (?i)(?i)^\s*Compression\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -29,7 +29,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*Compression\s+
+      regexp: (?i)(?i)^\s*Compression\s+
       line: Compression {{ var_sshd_disable_compression }}
       state: present
       insertbefore: BOF

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
+++ xccdf_org.ssgproject.content_rule_sshd_disable_empty_passwords
@@ -5,7 +5,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*PermitEmptyPasswords\s+
+      regexp: (?i)(?i)^\s*PermitEmptyPasswords\s+
       state: absent
     check_mode: true
     changed_when: false
@@ -15,7 +15,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*PermitEmptyPasswords\s+
+      regexp: (?i)(?i)^\s*PermitEmptyPasswords\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -23,7 +23,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*PermitEmptyPasswords\s+
+      regexp: (?i)(?i)^\s*PermitEmptyPasswords\s+
       line: PermitEmptyPasswords no
       state: present
       insertbefore: BOF

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth
+++ xccdf_org.ssgproject.content_rule_sshd_disable_gssapi_auth
@@ -5,7 +5,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*GSSAPIAuthentication\s+
+      regexp: (?i)(?i)^\s*GSSAPIAuthentication\s+
       state: absent
     check_mode: true
     changed_when: false
@@ -15,7 +15,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*GSSAPIAuthentication\s+
+      regexp: (?i)(?i)^\s*GSSAPIAuthentication\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -23,7 +23,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*GSSAPIAuthentication\s+
+      regexp: (?i)(?i)^\s*GSSAPIAuthentication\s+
       line: GSSAPIAuthentication no
       state: present
       insertbefore: BOF

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth
+++ xccdf_org.ssgproject.content_rule_sshd_disable_kerb_auth
@@ -5,7 +5,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*KerberosAuthentication\s+
+      regexp: (?i)(?i)^\s*KerberosAuthentication\s+
       state: absent
     check_mode: true
     changed_when: false
@@ -15,7 +15,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*KerberosAuthentication\s+
+      regexp: (?i)(?i)^\s*KerberosAuthentication\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -23,7 +23,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*KerberosAuthentication\s+
+      regexp: (?i)(?i)^\s*KerberosAuthentication\s+
       line: KerberosAuthentication no
       state: present
       insertbefore: BOF

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth
+++ xccdf_org.ssgproject.content_rule_sshd_disable_pubkey_auth
@@ -5,7 +5,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*PubkeyAuthentication\s+
+      regexp: (?i)(?i)^\s*PubkeyAuthentication\s+
       state: absent
     check_mode: true
     changed_when: false
@@ -15,7 +15,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*PubkeyAuthentication\s+
+      regexp: (?i)(?i)^\s*PubkeyAuthentication\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -23,7 +23,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*PubkeyAuthentication\s+
+      regexp: (?i)(?i)^\s*PubkeyAuthentication\s+
       line: PubkeyAuthentication no
       state: present
       insertbefore: BOF

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_rhosts' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_rhosts
+++ xccdf_org.ssgproject.content_rule_sshd_disable_rhosts
@@ -5,7 +5,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*IgnoreRhosts\s+
+      regexp: (?i)(?i)^\s*IgnoreRhosts\s+
       state: absent
     check_mode: true
     changed_when: false
@@ -15,7 +15,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*IgnoreRhosts\s+
+      regexp: (?i)(?i)^\s*IgnoreRhosts\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -23,7 +23,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*IgnoreRhosts\s+
+      regexp: (?i)(?i)^\s*IgnoreRhosts\s+
       line: IgnoreRhosts yes
       state: present
       insertbefore: BOF

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa
+++ xccdf_org.ssgproject.content_rule_sshd_disable_rhosts_rsa
@@ -5,7 +5,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*RhostsRSAAuthentication\s+
+      regexp: (?i)(?i)^\s*RhostsRSAAuthentication\s+
       state: absent
     check_mode: true
     changed_when: false
@@ -15,7 +15,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*RhostsRSAAuthentication\s+
+      regexp: (?i)(?i)^\s*RhostsRSAAuthentication\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -23,7 +23,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*RhostsRSAAuthentication\s+
+      regexp: (?i)(?i)^\s*RhostsRSAAuthentication\s+
       line: RhostsRSAAuthentication no
       state: present
       insertbefore: BOF

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_root_login' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_root_login
+++ xccdf_org.ssgproject.content_rule_sshd_disable_root_login
@@ -5,7 +5,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*PermitRootLogin\s+
+      regexp: (?i)(?i)^\s*PermitRootLogin\s+
       state: absent
     check_mode: true
     changed_when: false
@@ -15,7 +15,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*PermitRootLogin\s+
+      regexp: (?i)(?i)^\s*PermitRootLogin\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -23,7 +23,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*PermitRootLogin\s+
+      regexp: (?i)(?i)^\s*PermitRootLogin\s+
       line: PermitRootLogin no
       state: present
       insertbefore: BOF

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login
+++ xccdf_org.ssgproject.content_rule_sshd_disable_root_password_login
@@ -5,7 +5,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*PermitRootLogin\s+
+      regexp: (?i)(?i)^\s*PermitRootLogin\s+
       state: absent
     check_mode: true
     changed_when: false
@@ -15,7 +15,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*PermitRootLogin\s+
+      regexp: (?i)(?i)^\s*PermitRootLogin\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -23,7 +23,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*PermitRootLogin\s+
+      regexp: (?i)(?i)^\s*PermitRootLogin\s+
       line: PermitRootLogin prohibit-password
       state: present
       insertbefore: BOF

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding
+++ xccdf_org.ssgproject.content_rule_sshd_disable_tcp_forwarding
@@ -5,7 +5,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*AllowTcpForwarding\s+
+      regexp: (?i)(?i)^\s*AllowTcpForwarding\s+
       state: absent
     check_mode: true
     changed_when: false
@@ -15,7 +15,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*AllowTcpForwarding\s+
+      regexp: (?i)(?i)^\s*AllowTcpForwarding\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -23,7 +23,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*AllowTcpForwarding\s+
+      regexp: (?i)(?i)^\s*AllowTcpForwarding\s+
       line: AllowTcpForwarding no
       state: present
       insertbefore: BOF

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts
+++ xccdf_org.ssgproject.content_rule_sshd_disable_user_known_hosts
@@ -5,7 +5,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*IgnoreUserKnownHosts\s+
+      regexp: (?i)(?i)^\s*IgnoreUserKnownHosts\s+
       state: absent
     check_mode: true
     changed_when: false
@@ -15,7 +15,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*IgnoreUserKnownHosts\s+
+      regexp: (?i)(?i)^\s*IgnoreUserKnownHosts\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -23,7 +23,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*IgnoreUserKnownHosts\s+
+      regexp: (?i)(?i)^\s*IgnoreUserKnownHosts\s+
       line: IgnoreUserKnownHosts yes
       state: present
       insertbefore: BOF

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding' differs.
--- xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding
+++ xccdf_org.ssgproject.content_rule_sshd_disable_x11_forwarding
@@ -5,7 +5,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*X11Forwarding\s+
+      regexp: (?i)(?i)^\s*X11Forwarding\s+
       state: absent
     check_mode: true
     changed_when: false
@@ -15,7 +15,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*X11Forwarding\s+
+      regexp: (?i)(?i)^\s*X11Forwarding\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -23,7 +23,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*X11Forwarding\s+
+      regexp: (?i)(?i)^\s*X11Forwarding\s+
       line: X11Forwarding no
       state: present
       insertbefore: BOF

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env' differs.
--- xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env
+++ xccdf_org.ssgproject.content_rule_sshd_do_not_permit_user_env
@@ -5,7 +5,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*PermitUserEnvironment\s+
+      regexp: (?i)(?i)^\s*PermitUserEnvironment\s+
       state: absent
     check_mode: true
     changed_when: false
@@ -15,7 +15,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*PermitUserEnvironment\s+
+      regexp: (?i)(?i)^\s*PermitUserEnvironment\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -23,7 +23,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*PermitUserEnvironment\s+
+      regexp: (?i)(?i)^\s*PermitUserEnvironment\s+
       line: PermitUserEnvironment no
       state: present
       insertbefore: BOF

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth
+++ xccdf_org.ssgproject.content_rule_sshd_enable_gssapi_auth
@@ -5,7 +5,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*GSSAPIAuthentication\s+
+      regexp: (?i)(?i)^\s*GSSAPIAuthentication\s+
       state: absent
     check_mode: true
     changed_when: false
@@ -15,7 +15,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*GSSAPIAuthentication\s+
+      regexp: (?i)(?i)^\s*GSSAPIAuthentication\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -23,7 +23,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*GSSAPIAuthentication\s+
+      regexp: (?i)(?i)^\s*GSSAPIAuthentication\s+
       line: GSSAPIAuthentication yes
       state: present
       insertbefore: BOF

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_pam' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_pam
+++ xccdf_org.ssgproject.content_rule_sshd_enable_pam
@@ -5,7 +5,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*UsePAM\s+
+      regexp: (?i)(?i)^\s*UsePAM\s+
       state: absent
     check_mode: true
     changed_when: false
@@ -15,7 +15,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*UsePAM\s+
+      regexp: (?i)(?i)^\s*UsePAM\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -23,7 +23,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*UsePAM\s+
+      regexp: (?i)(?i)^\s*UsePAM\s+
       line: UsePAM yes
       state: present
       insertbefore: BOF

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth
+++ xccdf_org.ssgproject.content_rule_sshd_enable_pubkey_auth
@@ -5,7 +5,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*PubkeyAuthentication\s+
+      regexp: (?i)(?i)^\s*PubkeyAuthentication\s+
       state: absent
     check_mode: true
     changed_when: false
@@ -15,7 +15,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*PubkeyAuthentication\s+
+      regexp: (?i)(?i)^\s*PubkeyAuthentication\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -23,7 +23,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*PubkeyAuthentication\s+
+      regexp: (?i)(?i)^\s*PubkeyAuthentication\s+
       line: PubkeyAuthentication yes
       state: present
       insertbefore: BOF

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes
+++ xccdf_org.ssgproject.content_rule_sshd_enable_strictmodes
@@ -5,7 +5,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*StrictModes\s+
+      regexp: (?i)(?i)^\s*StrictModes\s+
       state: absent
     check_mode: true
     changed_when: false
@@ -15,7 +15,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*StrictModes\s+
+      regexp: (?i)(?i)^\s*StrictModes\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -23,7 +23,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*StrictModes\s+
+      regexp: (?i)(?i)^\s*StrictModes\s+
       line: StrictModes yes
       state: present
       insertbefore: BOF

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner
+++ xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner
@@ -5,7 +5,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*Banner\s+
+      regexp: (?i)(?i)^\s*Banner\s+
       state: absent
     check_mode: true
     changed_when: false
@@ -15,7 +15,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*Banner\s+
+      regexp: (?i)(?i)^\s*Banner\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -23,7 +23,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*Banner\s+
+      regexp: (?i)(?i)^\s*Banner\s+
       line: Banner /etc/issue
       state: present
       insertbefore: BOF

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net
+++ xccdf_org.ssgproject.content_rule_sshd_enable_warning_banner_net
@@ -5,7 +5,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*Banner\s+
+      regexp: (?i)(?i)^\s*Banner\s+
       state: absent
     check_mode: true
     changed_when: false
@@ -15,7 +15,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*Banner\s+
+      regexp: (?i)(?i)^\s*Banner\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -23,7 +23,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*Banner\s+
+      regexp: (?i)(?i)^\s*Banner\s+
       line: Banner /etc/issue.net
       state: present
       insertbefore: BOF

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding' differs.
--- xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding
+++ xccdf_org.ssgproject.content_rule_sshd_enable_x11_forwarding
@@ -5,7 +5,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*X11Forwarding\s+
+      regexp: (?i)(?i)^\s*X11Forwarding\s+
       state: absent
     check_mode: true
     changed_when: false
@@ -15,7 +15,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*X11Forwarding\s+
+      regexp: (?i)(?i)^\s*X11Forwarding\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -23,7 +23,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*X11Forwarding\s+
+      regexp: (?i)(?i)^\s*X11Forwarding\s+
       line: X11Forwarding yes
       state: present
       insertbefore: BOF

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_print_last_log' differs.
--- xccdf_org.ssgproject.content_rule_sshd_print_last_log
+++ xccdf_org.ssgproject.content_rule_sshd_print_last_log
@@ -5,7 +5,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*PrintLastLog\s+
+      regexp: (?i)(?i)^\s*PrintLastLog\s+
       state: absent
     check_mode: true
     changed_when: false
@@ -15,7 +15,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*PrintLastLog\s+
+      regexp: (?i)(?i)^\s*PrintLastLog\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -23,7 +23,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*PrintLastLog\s+
+      regexp: (?i)(?i)^\s*PrintLastLog\s+
       line: PrintLastLog yes
       state: present
       insertbefore: BOF

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_rekey_limit' differs.
--- xccdf_org.ssgproject.content_rule_sshd_rekey_limit
+++ xccdf_org.ssgproject.content_rule_sshd_rekey_limit
@@ -16,7 +16,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*RekeyLimit\s+
+      regexp: (?i)(?i)^\s*RekeyLimit\s+
       state: absent
     check_mode: true
     changed_when: false
@@ -26,7 +26,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*RekeyLimit\s+
+      regexp: (?i)(?i)^\s*RekeyLimit\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -34,7 +34,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*RekeyLimit\s+
+      regexp: (?i)(?i)^\s*RekeyLimit\s+
       line: RekeyLimit {{ var_rekey_limit_size }} {{ var_rekey_limit_time }}
       state: present
       insertbefore: BOF

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time
+++ xccdf_org.ssgproject.content_rule_sshd_set_login_grace_time
@@ -11,7 +11,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*LoginGraceTime\s+
+      regexp: (?i)(?i)^\s*LoginGraceTime\s+
       state: absent
     check_mode: true
     changed_when: false
@@ -21,7 +21,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*LoginGraceTime\s+
+      regexp: (?i)(?i)^\s*LoginGraceTime\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -29,7 +29,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*LoginGraceTime\s+
+      regexp: (?i)(?i)^\s*LoginGraceTime\s+
       line: LoginGraceTime {{ var_sshd_set_login_grace_time }}
       state: present
       insertbefore: BOF

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info
+++ xccdf_org.ssgproject.content_rule_sshd_set_loglevel_info
@@ -5,7 +5,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*LogLevel\s+
+      regexp: (?i)(?i)^\s*LogLevel\s+
       state: absent
     check_mode: true
     changed_when: false
@@ -15,7 +15,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*LogLevel\s+
+      regexp: (?i)(?i)^\s*LogLevel\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -23,7 +23,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*LogLevel\s+
+      regexp: (?i)(?i)^\s*LogLevel\s+
       line: LogLevel INFO
       state: present
       insertbefore: BOF

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose
+++ xccdf_org.ssgproject.content_rule_sshd_set_loglevel_verbose
@@ -5,7 +5,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*LogLevel\s+
+      regexp: (?i)(?i)^\s*LogLevel\s+
       state: absent
     check_mode: true
     changed_when: false
@@ -15,7 +15,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*LogLevel\s+
+      regexp: (?i)(?i)^\s*LogLevel\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -23,7 +23,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*LogLevel\s+
+      regexp: (?i)(?i)^\s*LogLevel\s+
       line: LogLevel VERBOSE
       state: present
       insertbefore: BOF

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries
+++ xccdf_org.ssgproject.content_rule_sshd_set_max_auth_tries
@@ -11,7 +11,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*MaxAuthTries\s+
+      regexp: (?i)(?i)^\s*MaxAuthTries\s+
       state: absent
     check_mode: true
     changed_when: false
@@ -21,7 +21,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*MaxAuthTries\s+
+      regexp: (?i)(?i)^\s*MaxAuthTries\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -29,7 +29,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*MaxAuthTries\s+
+      regexp: (?i)(?i)^\s*MaxAuthTries\s+
       line: MaxAuthTries {{ sshd_max_auth_tries_value }}
       state: present
       insertbefore: BOF

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_max_sessions' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_max_sessions
+++ xccdf_org.ssgproject.content_rule_sshd_set_max_sessions
@@ -11,7 +11,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*MaxSessions\s+
+      regexp: (?i)(?i)^\s*MaxSessions\s+
       state: absent
     check_mode: true
     changed_when: false
@@ -21,7 +21,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*MaxSessions\s+
+      regexp: (?i)(?i)^\s*MaxSessions\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -29,7 +29,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*MaxSessions\s+
+      regexp: (?i)(?i)^\s*MaxSessions\s+
       line: MaxSessions {{ var_sshd_max_sessions }}
       state: present
       insertbefore: BOF

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_set_maxstartups' differs.
--- xccdf_org.ssgproject.content_rule_sshd_set_maxstartups
+++ xccdf_org.ssgproject.content_rule_sshd_set_maxstartups
@@ -11,7 +11,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*MaxStartups\s+
+      regexp: (?i)(?i)^\s*MaxStartups\s+
       state: absent
     check_mode: true
     changed_when: false
@@ -21,7 +21,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*MaxStartups\s+
+      regexp: (?i)(?i)^\s*MaxStartups\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -29,7 +29,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*MaxStartups\s+
+      regexp: (?i)(?i)^\s*MaxStartups\s+
       line: MaxStartups {{ var_sshd_set_maxstartups }}
       state: present
       insertbefore: BOF

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers' differs.
--- xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers
+++ xccdf_org.ssgproject.content_rule_sshd_use_approved_ciphers
@@ -11,7 +11,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*Ciphers\s+
+      regexp: (?i)(?i)^\s*Ciphers\s+
       state: absent
     check_mode: true
     changed_when: false
@@ -21,7 +21,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*Ciphers\s+
+      regexp: (?i)(?i)^\s*Ciphers\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -29,7 +29,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*Ciphers\s+
+      regexp: (?i)(?i)^\s*Ciphers\s+
       line: Ciphers {{ sshd_approved_ciphers }}
       state: present
       insertbefore: BOF

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_use_priv_separation' differs.
--- xccdf_org.ssgproject.content_rule_sshd_use_priv_separation
+++ xccdf_org.ssgproject.content_rule_sshd_use_priv_separation
@@ -11,7 +11,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*UsePrivilegeSeparation\s+
+      regexp: (?i)(?i)^\s*UsePrivilegeSeparation\s+
       state: absent
     check_mode: true
     changed_when: false
@@ -21,7 +21,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*UsePrivilegeSeparation\s+
+      regexp: (?i)(?i)^\s*UsePrivilegeSeparation\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -29,7 +29,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*UsePrivilegeSeparation\s+
+      regexp: (?i)(?i)^\s*UsePrivilegeSeparation\s+
       line: UsePrivilegeSeparation {{ var_sshd_priv_separation }}
       state: present
       insertbefore: BOF

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_use_strong_kex' differs.
--- xccdf_org.ssgproject.content_rule_sshd_use_strong_kex
+++ xccdf_org.ssgproject.content_rule_sshd_use_strong_kex
@@ -11,7 +11,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*KexAlgorithms\s+
+      regexp: (?i)(?i)^\s*KexAlgorithms\s+
       state: absent
     check_mode: true
     changed_when: false
@@ -21,7 +21,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*KexAlgorithms\s+
+      regexp: (?i)(?i)^\s*KexAlgorithms\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -29,7 +29,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*KexAlgorithms\s+
+      regexp: (?i)(?i)^\s*KexAlgorithms\s+
       line: KexAlgorithms {{ sshd_strong_kex }}
       state: present
       insertbefore: BOF

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_use_strong_macs' differs.
--- xccdf_org.ssgproject.content_rule_sshd_use_strong_macs
+++ xccdf_org.ssgproject.content_rule_sshd_use_strong_macs
@@ -11,7 +11,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*MACs\s+
+      regexp: (?i)(?i)^\s*MACs\s+
       state: absent
     check_mode: true
     changed_when: false
@@ -21,7 +21,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*MACs\s+
+      regexp: (?i)(?i)^\s*MACs\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -29,7 +29,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*MACs\s+
+      regexp: (?i)(?i)^\s*MACs\s+
       line: MACs {{ sshd_strong_macs }}
       state: present
       insertbefore: BOF

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_use_strong_rng' differs.
--- xccdf_org.ssgproject.content_rule_sshd_use_strong_rng
+++ xccdf_org.ssgproject.content_rule_sshd_use_strong_rng
@@ -6,7 +6,7 @@
     lineinfile:
       path: /etc/sysconfig/sshd
       create: true
-      regexp: ^\s*SSH_USE_STRONG_RNG=
+      regexp: (?i)^\s*SSH_USE_STRONG_RNG=
       state: absent
     check_mode: true
     changed_when: false
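Review bot: this `regexp` was case-sensitive before (`^\s*SSH_USE_STRONG_RNG=`) and now gains `(?i)`, although the description says `insensitive` defaults to false. `/etc/sysconfig/sshd` holds `NAME=value` assignments, where variable names are case-sensitive, so the duplicate count and the removal task that follows would now also hit a differently cased name. A rule that does not opt in should render the same pattern as before; please check how the default is evaluated in the macro.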
@@ -16,7 +16,7 @@
     lineinfile:
       path: /etc/sysconfig/sshd
       create: true
-      regexp: ^\s*SSH_USE_STRONG_RNG=
+      regexp: (?i)^\s*SSH_USE_STRONG_RNG=
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -24,7 +24,7 @@
     lineinfile:
       path: /etc/sysconfig/sshd
       create: true
-      regexp: ^\s*SSH_USE_STRONG_RNG=
+      regexp: (?i)^\s*SSH_USE_STRONG_RNG=
       line: SSH_USE_STRONG_RNG=32
       state: present
       insertbefore: ^# SSH_USE_STRONG_RNG
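Review bot: with `(?i)` on `regexp`, this task matches the setting in any case while `insertbefore: ^# SSH_USE_STRONG_RNG` still matches only the exact-case comment, so the two patterns in one task no longer agree. If case-insensitive matching is not intended for this rule, `regexp` should stay `^\s*SSH_USE_STRONG_RNG=`; if it is intended, the option should be applied to both patterns.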

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost' differs.
--- xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost
+++ xccdf_org.ssgproject.content_rule_sshd_x11_use_localhost
@@ -5,7 +5,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*X11UseLocalhost\s+
+      regexp: (?i)(?i)^\s*X11UseLocalhost\s+
       state: absent
     check_mode: true
     changed_when: false
@@ -15,7 +15,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*X11UseLocalhost\s+
+      regexp: (?i)(?i)^\s*X11UseLocalhost\s+
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -23,7 +23,7 @@
     lineinfile:
       path: /etc/ssh/sshd_config
       create: true
-      regexp: (?i)^\s*X11UseLocalhost\s+
+      regexp: (?i)(?i)^\s*X11UseLocalhost\s+
       line: X11UseLocalhost yes
       state: present
       insertbefore: BOF

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend' differs.
--- xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend
+++ xccdf_org.ssgproject.content_rule_configure_usbguard_auditbackend
@@ -21,7 +21,7 @@
     lineinfile:
       path: /etc/usbguard/usbguard-daemon.conf
       create: true
-      regexp: ^\s*AuditBackend=
+      regexp: (?i)^\s*AuditBackend=
       state: absent
     check_mode: true
     changed_when: false
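Review bot: the pattern for `/etc/usbguard/usbguard-daemon.conf` changes from `^\s*AuditBackend=` to `(?i)^\s*AuditBackend=`, so a rule that was case-sensitive is now case-insensitive without asking for it. With `insensitive` described as off by default, this rule should produce no diff at all. A regression test that renders a caller without the option and compares the resulting `regexp` against the old output would catch this.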
@@ -31,7 +31,7 @@
     lineinfile:
       path: /etc/usbguard/usbguard-daemon.conf
       create: true
-      regexp: ^\s*AuditBackend=
+      regexp: (?i)^\s*AuditBackend=
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -39,7 +39,7 @@
     lineinfile:
       path: /etc/usbguard/usbguard-daemon.conf
       create: true
-      regexp: ^\s*AuditBackend=
+      regexp: (?i)^\s*AuditBackend=
       line: AuditBackend=LinuxAudit
       state: present
   when:

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_usbguard_allow_hid' differs.
--- xccdf_org.ssgproject.content_rule_usbguard_allow_hid
+++ xccdf_org.ssgproject.content_rule_usbguard_allow_hid
@@ -2,6 +2,7 @@
   lineinfile:
     path: /etc/usbguard/rules.conf
     create: true
+    regexp: ''
     line: allow with-interface match-all { 03:*:* }
     state: present
   when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
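Review bot: the added `regexp: ''` changes what this task does. An empty pattern matches every line, so with `state: present` lineinfile replaces the last line of `/etc/usbguard/rules.conf` with the `allow` rule instead of appending the rule when it is missing. The macro should omit the `regexp` key entirely when the caller passes no pattern, as the previous output did.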

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_usbguard_allow_hid_and_hub' differs.
--- xccdf_org.ssgproject.content_rule_usbguard_allow_hid_and_hub
+++ xccdf_org.ssgproject.content_rule_usbguard_allow_hid_and_hub
@@ -2,6 +2,7 @@
   lineinfile:
     path: /etc/usbguard/rules.conf
     create: true
+    regexp: ''
     line: allow with-interface match-all { 03:*:* 09:00:* }
     state: present
   when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
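Review bot: `regexp: ''` is new here as well, and because `/etc/usbguard/rules.conf` is a list of independent policy lines, replacing its last line can silently drop an unrelated rule. Please add a test scenario where the file already contains a different rule on its last line and assert that it is still present after remediation.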

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_usbguard_allow_hub' differs.
--- xccdf_org.ssgproject.content_rule_usbguard_allow_hub
+++ xccdf_org.ssgproject.content_rule_usbguard_allow_hub
@@ -2,6 +2,7 @@
   lineinfile:
     path: /etc/usbguard/rules.conf
     create: true
+    regexp: ''
     line: allow with-interface match-all { 09:00:* }
     state: present
   when: ( ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman",
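Review bot: the empty `regexp: ''` shows up in a third rule that never passed a pattern, so it comes from the macro's rendering of an unset argument rather than from this rule. Emit the `regexp:` line only when the argument is non-empty, so that callers without a pattern keep the previous append-if-missing behaviour.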

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_freq' differs.
--- xccdf_org.ssgproject.content_rule_auditd_freq
+++ xccdf_org.ssgproject.content_rule_auditd_freq
@@ -18,7 +18,7 @@
     lineinfile:
       path: /etc/audit/auditd.conf
       create: true
-      regexp: (?i)^\s*freq\s*=\s*
+      regexp: (?i)(?i)^\s*freq\s*=\s*
       state: absent
     check_mode: true
     changed_when: false
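Review bot: the doubled flag also appears for `/etc/audit/auditd.conf` (`(?i)(?i)^\s*freq\s*=\s*`), so the duplication is not limited to the sshd templates. With more than one group of callers already embedding `(?i)` in the pattern they pass, the safer fix is in the shared macro: add the prefix only when the incoming pattern does not already start with it.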
@@ -28,7 +28,7 @@
     lineinfile:
       path: /etc/audit/auditd.conf
       create: true
-      regexp: (?i)^\s*freq\s*=\s*
+      regexp: (?i)(?i)^\s*freq\s*=\s*
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -36,7 +36,7 @@
     lineinfile:
       path: /etc/audit/auditd.conf
       create: true
-      regexp: (?i)^\s*freq\s*=\s*
+      regexp: (?i)(?i)^\s*freq\s*=\s*
       line: freq = 50
       state: present
   when:

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_local_events' differs.
--- xccdf_org.ssgproject.content_rule_auditd_local_events
+++ xccdf_org.ssgproject.content_rule_auditd_local_events
@@ -19,7 +19,7 @@
     lineinfile:
       path: /etc/audit/auditd.conf
       create: true
-      regexp: (?i)^\s*local_events\s*=\s*
+      regexp: (?i)(?i)^\s*local_events\s*=\s*
       state: absent
     check_mode: true
     changed_when: false
@@ -29,7 +29,7 @@
     lineinfile:
       path: /etc/audit/auditd.conf
       create: true
-      regexp: (?i)^\s*local_events\s*=\s*
+      regexp: (?i)(?i)^\s*local_events\s*=\s*
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -37,7 +37,7 @@
     lineinfile:
       path: /etc/audit/auditd.conf
       create: true
-      regexp: (?i)^\s*local_events\s*=\s*
+      regexp: (?i)(?i)^\s*local_events\s*=\s*
       line: local_events = yes
       state: present
   when:
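
Review bot: add a macro test asserting that a pattern rendered with `insensitive` enabled starts with exactly one `(?i)`. The `state: present` task in this hunk, like the check-mode count and the duplicate-removal tasks above it, goes from `(?i)^\s*local_events\s*=\s*` to the `(?i)(?i)` form, and an assertion on the rendered `regexp` would catch that class of change before it reaches the generated playbooks.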

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_log_format' differs.
--- xccdf_org.ssgproject.content_rule_auditd_log_format
+++ xccdf_org.ssgproject.content_rule_auditd_log_format
@@ -20,7 +20,7 @@
     lineinfile:
       path: /etc/audit/auditd.conf
       create: true
-      regexp: (?i)^\s*log_format\s*=\s*
+      regexp: (?i)(?i)^\s*log_format\s*=\s*
       state: absent
     check_mode: true
     changed_when: false
@@ -30,7 +30,7 @@
     lineinfile:
       path: /etc/audit/auditd.conf
       create: true
-      regexp: (?i)^\s*log_format\s*=\s*
+      regexp: (?i)(?i)^\s*log_format\s*=\s*
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -38,7 +38,7 @@
     lineinfile:
       path: /etc/audit/auditd.conf
       create: true
-      regexp: (?i)^\s*log_format\s*=\s*
+      regexp: (?i)(?i)^\s*log_format\s*=\s*
       line: log_format = ENRICHED
       state: present
   when:

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_name_format' differs.
--- xccdf_org.ssgproject.content_rule_auditd_name_format
+++ xccdf_org.ssgproject.content_rule_auditd_name_format
@@ -46,7 +46,7 @@
     lineinfile:
       path: /etc/audit/auditd.conf
       create: true
-      regexp: (?i)^\s*name_format\s*=\s*
+      regexp: (?i)(?i)^\s*name_format\s*=\s*
       state: absent
     check_mode: true
     changed_when: false
@@ -56,7 +56,7 @@
     lineinfile:
       path: /etc/audit/auditd.conf
       create: true
-      regexp: (?i)^\s*name_format\s*=\s*
+      regexp: (?i)(?i)^\s*name_format\s*=\s*
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -64,7 +64,7 @@
     lineinfile:
       path: /etc/audit/auditd.conf
       create: true
-      regexp: (?i)^\s*name_format\s*=\s*
+      regexp: (?i)(?i)^\s*name_format\s*=\s*
       line: name_format = {{ auditd_name_format_split }}
       state: present
   when:

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_overflow_action' differs.
--- xccdf_org.ssgproject.content_rule_auditd_overflow_action
+++ xccdf_org.ssgproject.content_rule_auditd_overflow_action
@@ -19,7 +19,7 @@
     lineinfile:
       path: /etc/audit/auditd.conf
       create: true
-      regexp: (?i)^\s*overflow_action\s*=\s*
+      regexp: (?i)(?i)^\s*overflow_action\s*=\s*
       state: absent
     check_mode: true
     changed_when: false
@@ -29,7 +29,7 @@
     lineinfile:
       path: /etc/audit/auditd.conf
       create: true
-      regexp: (?i)^\s*overflow_action\s*=\s*
+      regexp: (?i)(?i)^\s*overflow_action\s*=\s*
       state: absent
     when: dupes.found is defined and dupes.found > 1
 
@@ -37,7 +37,7 @@
     lineinfile:
       path: /etc/audit/auditd.conf
       create: true
-      regexp: (?i)^\s*overflow_action\s*=\s*
+      regexp: (?i)(?i)^\s*overflow_action\s*=\s*
       line: overflow_action = syslog
       state: present
   when:

ansible remediation for rule 'xccdf_org.ssgproject.content_rule_auditd_write_logs' differs.
--- xccdf_org.ssgproject.content_rule_auditd_write_logs
+++ xccdf_org.ssg

... The diff is trimmed here ...

@ghost ghost marked this pull request as ready for review August 21, 2024 00:55
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Used by openshift-ci bot. label Aug 21, 2024

🤖 A k8s content image for this PR is available at:
ghcr.io/complianceascode/k8scontent:12314
This image was built from commit: 9ee077e


If you already have Compliance Operator deployed:
utils/build_ds_container.py -i ghcr.io/complianceascode/k8scontent:12314

Otherwise deploy the content and operator together by checking out ComplianceAsCode/compliance-operator and:
CONTENT_IMAGE=ghcr.io/complianceascode/k8scontent:12314 make deploy-local


@jan-cerny jan-cerny left a comment


I have built the content and I have also tried to use the new option in the ssh_client_rekey_limit rule and I also have executed Ansible test scenarios for this rule.


codeclimate bot commented Aug 26, 2024

Code Climate has analyzed commit 9ee077e and detected 0 issues on this pull request.

The test coverage on the diff in this pull request is 100.0% (50% is the threshold).

This pull request will bring the total coverage in the repository to 59.4% (0.0% change).


@jan-cerny jan-cerny self-assigned this Aug 26, 2024
@jan-cerny jan-cerny added this to the 0.1.75 milestone Aug 26, 2024
@jan-cerny jan-cerny added the Ansible Ansible remediation update. label Aug 26, 2024
@jan-cerny jan-cerny merged commit 2c04ffd into ComplianceAsCode:master Aug 26, 2024
85 of 91 checks passed
Labels
Ansible Ansible remediation update. needs-ok-to-test Used by openshift-ci bot.