Improve ansible remediation of accounts_umask_etc_login_defs #9490

Merged, 5 commits, Sep 22, 2022
@@ -11,16 +11,27 @@
{{% set etc_bash_rc = "/etc/bashrc" %}}
{{% endif %}}

- name: Replace user umask in {{{ etc_bash_rc }}}
replace:
- name: Check if umask in {{{ etc_bash_rc }}} is already set
ansible.builtin.lineinfile:
path: {{{ etc_bash_rc }}}
regexp: "umask.*"
replace: "umask {{ var_accounts_user_umask }}"
regexp: ^(\s*)umask\s+.*
state: absent
check_mode: true
changed_when: false
register: umask_replace

- name: Append user umask in {{{ etc_bash_rc }}}
lineinfile:
create: yes
- name: Replace user umask in {{{ etc_bash_rc }}}
ansible.builtin.replace:
path: {{{ etc_bash_rc }}}
regexp: ^(\s*)umask(\s+).*
replace: \g<1>umask\g<2>{{ var_accounts_user_umask }}
when:
- umask_replace.found > 0

- name: Ensure the Default umask is Appended Correctly
ansible.builtin.lineinfile:
create: true
path: {{{ etc_bash_rc }}}
line: "umask {{ var_accounts_user_umask }}"
when: umask_replace is not changed
line: umask {{ var_accounts_user_umask }}
when:
- umask_replace.found == 0
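Review bot: the `when: umask_replace.found > 0` and `umask_replace.found == 0` conditions assume the check task always returns a `found` key, but `lineinfile` with `state: absent` exits early with only `changed` and `msg` when the path does not exist, so on a host without {{{ etc_bash_rc }}} the conditional fails on an undefined attribute and the `create: true` append task is never reached. Guard both comparisons with a default, e.g. `- (umask_replace.found | default(0)) > 0` and `- (umask_replace.found | default(0)) == 0`. The check_mode plus state: absent counting trick itself is sound, and anchoring on `^(\s*)umask(\s+)` with `\g<1>`/`\g<2>` is a real improvement over the old unanchored `umask.*`, which also rewrote the word inside comments.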
@@ -5,16 +5,27 @@
# disruption = low
{{{ ansible_instantiate_variables("var_accounts_user_umask") }}}

- name: Replace user umask in /etc/csh.cshrc
replace:
- name: Check if umask in /etc/csh.cshrc is already set
ansible.builtin.lineinfile:
path: /etc/csh.cshrc
regexp: "umask.*"
replace: "umask {{ var_accounts_user_umask }}"
regexp: ^(\s*)umask\s+.*
state: absent
check_mode: true
changed_when: false
register: umask_replace

- name: Append user umask in /etc/csh.cshrc
lineinfile:
create: yes
- name: Replace user umask in /etc/csh.cshrc
ansible.builtin.replace:
path: /etc/csh.cshrc
regexp: ^(\s*)umask(\s+).*
replace: \g<1>umask\g<2>{{ var_accounts_user_umask }}
when:
- umask_replace.found > 0

- name: Ensure the Default umask is Appended Correctly
ansible.builtin.lineinfile:
create: true
path: /etc/csh.cshrc
line: "umask {{ var_accounts_user_umask }}"
when: umask_replace is not changed
line: umask {{ var_accounts_user_umask }}
when:
- umask_replace.found == 0
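Review bot: this block is the same three tasks as the {{{ etc_bash_rc }}} remediation with only the path changed; a shared Jinja macro taking the path as a parameter would keep the three remediations from drifting. For /etc/csh.cshrc the missing-file case is the realistic one, since the file is only present when tcsh is installed, so the `umask_replace.found` comparisons need `| default(0)` here as well or the `create: true` branch can never run.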
@@ -5,16 +5,27 @@
# disruption = low
{{{ ansible_instantiate_variables("var_accounts_user_umask") }}}

- name: Ensure the Default UMASK is Set Correctly
replace:
- name: Check if UMASK is already set
ansible.builtin.lineinfile:
path: /etc/login.defs
regexp: "^UMASK"
replace: "UMASK {{ var_accounts_user_umask }}"
register: umask_replace
regexp: ^(\s*)UMASK\s+.*
state: absent
check_mode: true
changed_when: false
register: result_umask_is_set

- name: Replace user UMASK in /etc/login.defs
ansible.builtin.replace:
path: /etc/login.defs
regexp: ^(\s*)UMASK(\s+).*
replace: \g<1>UMASK\g<2>{{ var_accounts_user_umask }}
when:
- result_umask_is_set.found > 0

- name: Ensure the Default UMASK is Appended Correctly
lineinfile:
create: yes
ansible.builtin.lineinfile:
create: true
path: /etc/login.defs
line: "UMASK {{ var_accounts_user_umask }}"
when: umask_replace is not changed
line: UMASK {{ var_accounts_user_umask }}
when:
- result_umask_is_set.found == 0
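Review bot: the registered variable is `result_umask_is_set` here but `umask_replace` in the two shell rc remediations; pick one name across the three files so the blocks stay diffable against each other. Regex-wise, `^(\s*)UMASK(\s+).*` is tighter than the old `^UMASK` (which matched any line merely starting with those characters) and keeps the original separator via `\g<2>`; note that the trailing `.*` also drops any inline comment on the line, which is acceptable for /etc/login.defs but worth stating in the task name or a comment.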
2 changes: 1 addition & 1 deletion tests/ssg_test_suite/oscap.py
@@ -159,7 +159,7 @@ def run_stage_remediation_ansible(run_type, test_env, formatting, verbose_path):
'/' + formatting['output_file']):
return False
command = (
'ansible-playbook', '-v', '-i', '{0},'.format(formatting['domain_ip']),
'ansible-playbook', '-vvv', '-i', '{0},'.format(formatting['domain_ip']),
'-u' 'root', '--ssh-common-args={0}'.format(' '.join(test_env.ssh_additional_options)),
formatting['playbook'])
command_string = ' '.join(command)
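Review bot: going from `-v` to `-vvv` makes every remediation run dump connection and module-argument debug output into the test log; that helps diagnose failures like the conditional problem this PR fixes, but hard-coding the maximum level for all runs is noisy, so consider making the verbosity configurable from the suite instead. While touching this line, the adjacent `'-u' 'root'` relies on implicit string concatenation and passes a single `-uroot` argv element; it works, but `'-u', 'root'` is presumably what was intended.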