Merge pull request #9490 from ggbecker/fix-umask-regex

Improve ansible remediation of accounts_umask_etc_login_defs

linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_bashrc/ansible/shared.yml

@@ -11,16 +11,27 @@
 {{% set etc_bash_rc = "/etc/bashrc" %}}
 {{% endif %}}
 
-- name: Replace user umask in {{{ etc_bash_rc }}}
-  replace:
+- name: Check if umask in {{{ etc_bash_rc }}} is already set
+  ansible.builtin.lineinfile:
     path: {{{ etc_bash_rc }}}
-    regexp: "umask.*"
-    replace: "umask {{ var_accounts_user_umask }}"
+    regexp: ^(\s*)umask\s+.*
+    state: absent
+  check_mode: true
+  changed_when: false
   register: umask_replace
 
-- name: Append user umask in {{{ etc_bash_rc }}}
-  lineinfile:
-    create: yes
+- name: Replace user umask in {{{ etc_bash_rc }}}
+  ansible.builtin.replace:
+    path: {{{ etc_bash_rc }}}
+    regexp: ^(\s*)umask(\s+).*
+    replace: \g<1>umask\g<2>{{ var_accounts_user_umask }}
+  when:
+  - umask_replace.found > 0
+
+- name: Ensure the Default umask is Appended Correctly
+  ansible.builtin.lineinfile:
+    create: true
     path: {{{ etc_bash_rc }}}
-    line: "umask {{ var_accounts_user_umask }}"
-  when: umask_replace is not changed
+    line: umask {{ var_accounts_user_umask }}
+  when:
+  - umask_replace.found == 0

linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_csh_cshrc/ansible/shared.yml

@@ -5,16 +5,27 @@
 # disruption = low
 {{{ ansible_instantiate_variables("var_accounts_user_umask") }}}
 
-- name: Replace user umask in /etc/csh.cshrc
-  replace:
+- name: Check if umask in /etc/csh.cshrc is already set
+  ansible.builtin.lineinfile:
     path: /etc/csh.cshrc
-    regexp: "umask.*"
-    replace: "umask {{ var_accounts_user_umask }}"
+    regexp: ^(\s*)umask\s+.*
+    state: absent
+  check_mode: true
+  changed_when: false
   register: umask_replace
 
-- name: Append user umask in /etc/csh.cshrc
-  lineinfile:
-    create: yes
+- name: Replace user umask in /etc/csh.cshrc
+  ansible.builtin.replace:
+    path: /etc/csh.cshrc
+    regexp: ^(\s*)umask(\s+).*
+    replace: \g<1>umask\g<2>{{ var_accounts_user_umask }}
+  when:
+  - umask_replace.found > 0
+
+- name: Ensure the Default umask is Appended Correctly
+  ansible.builtin.lineinfile:
+    create: true
     path: /etc/csh.cshrc
-    line: "umask {{ var_accounts_user_umask }}"
-  when: umask_replace is not changed
+    line: umask {{ var_accounts_user_umask }}
+  when:
+  - umask_replace.found == 0

linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/ansible/shared.yml

@@ -5,16 +5,27 @@
 # disruption = low
 {{{ ansible_instantiate_variables("var_accounts_user_umask") }}}
 
-- name: Ensure the Default UMASK is Set Correctly
-  replace:
+- name: Check if UMASK is already set
+  ansible.builtin.lineinfile:
     path: /etc/login.defs
-    regexp: "^UMASK"
-    replace: "UMASK {{ var_accounts_user_umask }}"
-  register: umask_replace
+    regexp: ^(\s*)UMASK\s+.*
+    state: absent
+  check_mode: true
+  changed_when: false
+  register: result_umask_is_set
+
+- name: Replace user UMASK in /etc/login.defs
+  ansible.builtin.replace:
+    path: /etc/login.defs
+    regexp: ^(\s*)UMASK(\s+).*
+    replace: \g<1>UMASK\g<2>{{ var_accounts_user_umask }}
+  when:
+  - result_umask_is_set.found > 0
 
 - name: Ensure the Default UMASK is Appended Correctly
-  lineinfile:
-    create: yes
+  ansible.builtin.lineinfile:
+    create: true
     path: /etc/login.defs
-    line: "UMASK {{ var_accounts_user_umask }}"
-  when: umask_replace is not changed
+    line: UMASK {{ var_accounts_user_umask }}
+  when:
+  - result_umask_is_set.found == 0

tests/ssg_test_suite/oscap.py

@@ -159,7 +159,7 @@ def run_stage_remediation_ansible(run_type, test_env, formatting, verbose_path):
                            '/' + formatting['output_file']):
         return False
     command = (
-        'ansible-playbook', '-v', '-i', '{0},'.format(formatting['domain_ip']),
+        'ansible-playbook', '-vvv', '-i', '{0},'.format(formatting['domain_ip']),
         '-u' 'root', '--ssh-common-args={0}'.format(' '.join(test_env.ssh_additional_options)),
         formatting['playbook'])
     command_string = ' '.join(command)