update Ansible remediation of the template to be aligned with Bash

ComplianceAsCode · Jul 8, 2024 · e12a7c9 · e12a7c9
1 parent 893536e
commit e12a7c9
Showing 1 changed file with 48 additions and 36 deletions.
diff --git a/shared/templates/systemd_dropin_configuration/ansible.template b/shared/templates/systemd_dropin_configuration/ansible.template
@@ -3,45 +3,57 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- name: Check for duplicate {{{ PARAM }}} values in master {{{ COMPONENT }}} configuration
- ansible.builtin.lineinfile:
- path: {{{ MASTER_CFG_FILE }}}
- create: false
- regexp: ^\s*{{{ PARAM }}}=
- state: absent
- check_mode: true
- changed_when: false
- register: dupes_master
 
-- name: Deduplicate {{{ PARAM }}} values from {{{ COMPONENT }}} master configuration
- ansible.builtin.lineinfile:
- path: {{{ MASTER_CFG_FILE }}}
- create: false
- regexp: ^\s*{{{ PARAM }}}=
- state: absent
- when: dupes_master.found is defined and dupes_master.found > 1
+#- name: "{{{ rule_title }}} - Initialize list of files with the master file"
+# ansible.builtin.set_fact:
+# systemd_dropin_all_files:
+# - {{{ MASTER_CFG_FILE }}}
 
-- name: Collect all config {{{ COMPONENT }}} files which configure {{{ PARAM }}}
+#- name: "{{{ rule_title }}} - create list of files in {{{ DROPIN_DIR }}} to be searched"
+## ansible.builtin.find:
+# paths: {{{ DROPIN_DIR }}}
+# patterns: "*.conf"
+# recurse: false
+# register: systemd_dropin_files
+
+#- name: "{{{ rule_title }}} - Append found dropin files"
+# ansible.builtin.set_fact:
+# systemd_dropin_all_files:
+# - {{{ MASTER_CFG_FILE }}}
+# - "{{ systemd_dropin_files.files | map(attribute='path') | list }}"
+# when: systemd_dropin_files is defined and systemd_dropin_files.matched > 0
+
+- name: "{{{ rule_title }}} - Search for a section in files"
  ansible.builtin.find:
- paths: {{{ DROPIN_DIR }}}
- contains: ^[\s]*{{{ PARAM }}}=.*$
- patterns: "*.conf"
- register: {{{ COMPONENT }}}_{{{ PARAM }}}_dropin_config_files
+ paths: "{{item.path}}"
+ patterns: "{{item.pattern}}"
+ contains: "[{{{ SECTION }}}]"
+ read_whole_file: true
+ register: systemd_dropin_files_with_section
+ loop:
+ - path: "{{ '{{{ MASTER_CFG_FILE }}}' | dirname }}"
+ pattern: "{{ '{{{ MASTER_CFG_FILE }}}' | basename }}"
+ - path: "{{{ DROPIN_DIR }}}"
+ pattern: "*.conf"
 
-- name: Deduplicate values from {{{ COMPONENT }}} {{{ PARAM }}} dropin configuration
- ansible.builtin.lineinfile:
- path: "{{ item.path }}"
- create: false
- regexp: ^\s*{{{ PARAM }}}=
- state: absent
- loop: "{{ {{{ COMPONENT }}}_{{{ PARAM }}}_dropin_config_files.files }}"
+- name: "{{{ rule_title }}} - Add missing configuration to correct section"
+ ini_file:
+ path: "{{item}}"
+ section: {{{ SECTION }}}
+ option: {{{ PARAM }}}
+ value: "{{{ VALUE }}}"
+ state: present
+ no_extra_spaces: true
+ when: "{{systemd_dropin_files_with_section.results | map(attribute='matched') | list | map('int') | sum > 0}}"
+ loop: "{{systemd_dropin_files_with_section.results | sum(attribute='files', start=[]) | map(attribute='path') | list }}"
 
-- name: Insert correct line to {{{ COMPONENT }}} {{{ PARAM }}} configuration
- ansible.builtin.lineinfile:
- path: {{{ DROPIN_DIR }}}/oscap-remedy.conf
- create: true
- regexp: ^\s*{{{ PARAM }}}=
- line: {{{ PARAM }}}={{{ VALUE }}}
+- name: "{{{ rule_title }}} - Add configuration to new remediation file"
+ ini_file:
+ path: "{{{ DROPIN_DIR }}}/oscap-remedy.conf"
+ section: {{{ SECTION }}}
+ option: {{{ PARAM }}}
+ value: "{{{ VALUE }}}"
  state: present
- insertbefore: ^# {{{ PARAM }}}
- validate: bash -n %s
+ no_extra_spaces: true
+ create: true
+ when: "{{systemd_dropin_files_with_section.results | map(attribute='matched') | list | map('int') | sum == 0}}"