From b40d86c81b2aa275ed4bb3d04bfacc19f53a219b Mon Sep 17 00:00:00 2001 From: Vojtech Polasek Date: Thu, 4 Jul 2024 18:12:13 +0200 Subject: [PATCH] update Ansible remediation of the template to be aligned with Bash --- .../ansible.template | 67 +++++++++---------- 1 file changed, 30 insertions(+), 37 deletions(-)
diff --git a/shared/templates/systemd_dropin_configuration/ansible.template b/shared/templates/systemd_dropin_configuration/ansible.template
index e3b409094669..28b2d284795f 100644
--- a/shared/templates/systemd_dropin_configuration/ansible.template
+++ b/shared/templates/systemd_dropin_configuration/ansible.template
@@ -3,45 +3,38 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
 
-- name: Check for duplicate {{{ PARAM }}} values in master {{{ COMPONENT }}} configuration
-  ansible.builtin.lineinfile:
-    path: {{{ MASTER_CFG_FILE }}}
-    create: false
-    regexp: ^\s*{{{ PARAM }}}=
-    state: absent
-  check_mode: true
-  changed_when: false
-  register: dupes_master
-- name: Deduplicate {{{ PARAM }}} values from {{{ COMPONENT }}} master configuration
-  ansible.builtin.lineinfile:
-    path: {{{ MASTER_CFG_FILE }}}
-    create: false
-    regexp: ^\s*{{{ PARAM }}}=
-    state: absent
-  when: dupes_master.found is defined and dupes_master.found > 1
-
-- name: Collect all config {{{ COMPONENT }}} files which configure {{{ PARAM }}}
+- name: "{{{ rule_title }}} - Search for a section in files"
   ansible.builtin.find:
-    paths: {{{ DROPIN_DIR }}}
-    contains: ^[\s]*{{{ PARAM }}}=.*$
-    patterns: "*.conf"
-  register: {{{ COMPONENT }}}_{{{ PARAM }}}_dropin_config_files
+    paths: "{{item.path}}"
+    patterns: "{{item.pattern}}"
+    contains: "[{{{ SECTION }}}]"
+    read_whole_file: true
+  register: systemd_dropin_files_with_section
+  loop:
+    - path: "{{ '{{{ MASTER_CFG_FILE }}}' | dirname }}"
+      pattern: "{{ '{{{ MASTER_CFG_FILE }}}' | basename }}"
+    - path: "{{{ DROPIN_DIR }}}"
+      pattern: "*.conf"
 
-- name: Deduplicate values from {{{ COMPONENT }}} {{{ PARAM }}} dropin configuration
-  ansible.builtin.lineinfile:
-    path: "{{ item.path }}"
-    create: false
-    regexp: ^\s*{{{ PARAM }}}=
-    state: absent
-  loop: "{{ {{{ COMPONENT }}}_{{{ PARAM }}}_dropin_config_files.files }}"
+- name: "{{{ rule_title }}} - Add missing configuration to correct section"
+  ini_file:
+    path: "{{item}}"
+    section: {{{ SECTION }}}
+    option: {{{ PARAM }}}
+    value: "{{{ VALUE }}}"
+    state: present
+    no_extra_spaces: true
+  when: "{{systemd_dropin_files_with_section.results | map(attribute='matched') | list | map('int') | sum > 0}}"
+  loop: "{{systemd_dropin_files_with_section.results | sum(attribute='files', start=[]) | map(attribute='path') | list }}"
 
-- name: Insert correct line to {{{ COMPONENT }}} {{{ PARAM }}} configuration
-  ansible.builtin.lineinfile:
-    path: {{{ DROPIN_DIR }}}/oscap-remedy.conf
-    create: true
-    regexp: ^\s*{{{ PARAM }}}=
-    line: {{{ PARAM }}}={{{ VALUE }}}
+- name: "{{{ rule_title }}} - Add configuration to new remediation file"
+  ini_file:
+    path: "{{{ DROPIN_DIR }}}/oscap-remedy.conf"
+    section: {{{ SECTION }}}
+    option: {{{ PARAM }}}
+    value: "{{{ VALUE }}}"
     state: present
-    insertbefore: ^# {{{ PARAM }}}
-    validate: bash -n %s
+    no_extra_spaces: true
+    create: true
+  when: "{{systemd_dropin_files_with_section.results | map(attribute='matched') | list | map('int') | sum == 0}}"
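Review bot: The `contains: "[{{{ SECTION }}}]"` value in the new find task is treated by `ansible.builtin.find` as a regular expression, so the square brackets form a character class rather than a literal section header — with `read_whole_file: true`, a rendered `[Manager]` matches any file containing a single `M`, `a`, `n`, `g`, `e` or `r`, which is essentially every non-empty `*.conf` drop-in and the master file. Since `ini_file` appears to create a missing section on the fly, the "Add missing configuration to correct section" task would then write the option into every matched file, and the `oscap-remedy.conf` fallback (`sum == 0`) looks unreachable in practice. I would anchor the header and let the regex run per line: `contains: '^\s*\[{{{ SECTION }}}\]\s*$'` and drop `read_whole_file: true` (or keep it and prefix the pattern with `(?m)`). As a style point, the two `when:` expressions wrap the condition in `{{ }}`, which Ansible warns about for conditionals; a bare `when: systemd_dropin_files_with_section.results | map(attribute='matched') | map('int') | sum > 0` avoids the warning.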