From e13fa3b4e8081941273bba82b471e04eab29094a Mon Sep 17 00:00:00 2001
From: Gabriel Becker
Date: Wed, 7 Sep 2022 18:55:17 +0200
Subject: [PATCH] Improve ansible remediation of accounts_umask_etc_login_defs.

---
 .../ansible/shared.yml | 31 +++++++++++++++----
 1 file changed, 25 insertions(+), 6 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/ansible/shared.yml
index ea0edc6f80d5..2863da902c60 100644
--- a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_login_defs/ansible/shared.yml
@@ -5,16 +5,35 @@
 # disruption = low
 {{{ ansible_instantiate_variables("var_accounts_user_umask") }}}
 
-- name: Ensure the Default UMASK is Set Correctly
-  replace:
+- name: Check if UMASK is already set
+  ansible.builtin.lineinfile:
     path: /etc/login.defs
-    regexp: "^UMASK"
-    replace: "UMASK {{ var_accounts_user_umask }}"
-  register: umask_replace
+    regexp: ^(?!#)(\s*)UMASK\s+.*
+    state: absent
+  check_mode: yes
+  changed_when: false
+  register: result_umask_is_set
+
+- name: Check if UMASK is already correctly set
+  ansible.builtin.lineinfile:
+    path: /etc/login.defs
+    regexp: '^(?!#)(\s*)UMASK\s+{{ var_accounts_user_umask }}\s*$'
+    state: absent
+  check_mode: yes
+  changed_when: false
+  when: result_umask_is_set.found == 1
+  register: result_umask_is_correctly_set
+
+- name: Replace user UMASK in /etc/login.defs
+  ansible.builtin.replace:
+    path: /etc/login.defs
+    regexp: ^(?!#)(\s*)UMASK(\s+).*
+    replace: '\g<1>UMASK\g<2>{{ var_accounts_user_umask }}'
+  when: result_umask_is_correctly_set is defined and result_umask_is_correctly_set.found == 0
 
 - name: Ensure the Default UMASK is Appended Correctly
   lineinfile:
     create: yes
     path: /etc/login.defs
     line: "UMASK {{ var_accounts_user_umask }}"
-  when: umask_replace is not changed
+  when: result_umask_is_set.found == 0
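Review bot: The gate `when: result_umask_is_set.found == 1` on the "already correctly set" task skips it whenever /etc/login.defs contains more than one active UMASK line, and the replace task's condition then dereferences `.found` on a skipped result and fails the play, so a file with duplicate UMASK entries (e.g. one correct, one wrong) is neither repaired nor appended to — which is exactly the drift a remediation should fix. lineinfile's `found` is a match count, so gate on presence rather than on exactly one match: `when: result_umask_is_set.found > 0` on the check task, and `when: result_umask_is_set.found > 0 and result_umask_is_correctly_set.found < result_umask_is_set.found` on the replace task, which (since `replace` rewrites every match) normalises all active UMASK lines at once. I believe shadow-utils' getdef lets a later UMASK line override an earlier one, so a stray trailing `UMASK 000` would otherwise win over a correct earlier entry — worth confirming. Minor: `check_mode: yes` and `create: yes` would read better as `true` under yamllint's truthy rule.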