test and var improvements

Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>

section_5/cis_5.1/cis_5.1.7.yml

@@ -2,19 +2,19 @@
 
 {{ if .Vars.rhel9cis_level_1 }}
   {{ if .Vars.rhel9cis_rule_5_1_7 }}
-    {{ if .Vars.rhel9cis_sshd_limited }}
 command:
   sshd_access_limited:
     title: 5.1.7 | Ensure SSH access is limited | config
-    exec: grep -E "^(Allow|Deny)(User|Group)" {{ .Vars.rhel9_cis_sshd_config_file }}
+    exec: grep -Ei "^(Allow|Deny)(Users|Groups)" /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf
     exit-status:
       or:
       - 0
       - 1
     stdout:
-    {{ range .Vars.rhel9cis_sshd_access }}
-    - {{ . }}
-    {{ end }}
+    - allowusers: {{ .Vars.rhel9cis_sshd_allowusers }}
+    - allowgroups: {{ .Vars.rhel9cis_sshd_allowgroups }}
+    - denyusers: {{ .Vars.rhel9cis_sshd_denyusers }}
+    - denygroups: {{ .Vars.rhel9cis_sshd_denygroups }}
     meta:
       server: 1
       workstation: 1
@@ -27,6 +27,5 @@ command:
       NIST800-53R5:
       - AC-3
       - MP-2
-    {{ end }}
   {{ end }}
 {{ end }}

section_5/cis_5.3.2/cis_5.3.2.1.yml

@@ -6,7 +6,7 @@
 file:
   passwd_auth_authselect_modules:
     title: 5.3.2.1 | Ensure active authselect profile includes pam modules
-    path: /etc/authselect/custom/{{ .Var.rhel9cis_authselect.custom_profile_name }}/password-auth
+    path: /etc/authselect/custom/{{ .Vars.rhel9cis_authselect_custom_profile_name }}/password-auth
     exists: true
     contents:
     - 'auth required pam_faillock.so preauth silent {include if "with-faillock"}'
@@ -30,7 +30,7 @@ file:
       NIST800-53R5: NA
   system_auth_authselect_modules:
     title: 5.3.2.1 | Ensure active authselect profile includes pam modules
-    path: /etc/authselect/custom/{{ .Var.rhel9cis_authselect.custom_profile_name }}/password-auth
+    path: /etc/authselect/custom/{{ .Vars.rhel9cis_authselect_custom_profile_name }}/system-auth
     exists: true
     contents:
     - 'auth required pam_faillock.so preauth silent {include if "with-faillock"}'

section_5/cis_5.3.3.2/cis_5.3.3.2.3.yml

@@ -11,12 +11,12 @@ command:
       - 0
       - 1
     stdout:
-    {{ if eq .Vars.rhel9cis_password_complex_option "minclass" }}
+    {{ if eq .Vars.rhel9cis_passwd_complex_option "minclass" }}
       - '/.*\:minclass\s*=\s*([4-9]|[1-9][0-9])/'
       - '!/.*\:minclass\s*=\s*[0-3]/'
       - '!/.*\:(d|l|o|u)credit/'
     {{ end }}
-    {{ if eq .Vars.rhel9cis_password_complex_option "credits" }}
+    {{ if eq .Vars.rhel9cis_passwd_complex_option "credits" }}
       - '/.*\:dcredit\s*=\s*-\d/'
       - '/.*\:lcredit\s*=\s*-\d/'
       - '/.*\:ocredit\s*=\s*-\d/'

section_5/cis_5.4.1/cis_5.4.1.1.yml

@@ -8,7 +8,7 @@ command:
     exec: grep PASS_MAX_DAYS /etc/login.defs
     exit-status: 0
     stdout:
-    - '/^PASS_MAX_DAYS\s+{{ .Vars.rhel9cis_pass.max_days }}/'
+    - '/^PASS_MAX_DAYS\s+{{ .Vars.rhel9cis_pass_max_days }}/'
     - '!/^PASS_MAX_DAYS\s+(36[6-9]|[4-9][0-9][0-9]|[1-9][0-9][0-9][0-9]|[1-9][0-9][0-9][0-9][0-9])/'
     - '!/^PASS_MAX_DAYS\s+-1/'
     meta:

section_5/cis_5.4.1/cis_5.4.1.3.yml

@@ -8,7 +8,7 @@ file:
     path: /etc/login.defs
     exists: true
     contents:
-    - '/^PASS_WARN_AGE\s+{{ .Vars.rhel9cis_pass.warn_age }}$/'
+    - '/^PASS_WARN_AGE\s+{{ .Vars.rhel9cis_pass_warn_age }}$/'
     - '/^PASS_WARN_AGE\s+(7|[1-9][0-9]{1,3})$/'
     - '!/^PASS_WARN_AGE\s+[1-6]$/'
     meta: