
Add Ansible remediation to sssd_enable_pam_services #11796

Merged: 9 commits, Apr 15, 2024
@@ -0,0 +1,54 @@
# platform = multi_platform_all
# reboot = false
# strategy = configure
# complexity = low
# disruption = medium

- name: {{{ rule_title }}} - Find all the conf files inside the /etc/sssd/conf.d/ directory
ansible.builtin.find:
paths:
- "/etc/sssd/conf.d/"
patterns: "*.conf"
register: sssd_conf_d_files

- name: {{{ rule_title }}} - Modify lines in files in the /etc/sssd/conf.d/ directory
ansible.builtin.replace:
path: "{{ item }}"
regexp: '^(\s*\[sssd\].*(?:\n\s*[^[\s].*)*\n\s*services\s*=(?!.*\bpam\b).*)$'
replace: '\1,pam'
with_items: "{{ sssd_conf_d_files.files | map(attribute='path') }}"
register: modify_lines_sssd_conf_d_files

- name: {{{ rule_title }}} - Find /etc/sssd/sssd.conf
ansible.builtin.stat:
path: /etc/sssd/sssd.conf
register: sssd_conf_file

- name: {{{ rule_title }}} - Modify lines in /etc/sssd/sssd.conf
ansible.builtin.replace:
path: "/etc/sssd/sssd.conf"
regexp: '^(\s*\[sssd\].*(?:\n\s*[^[\s].*)*\n\s*services\s*=(?!.*\bpam\b).*)$'
replace: '\1,pam'
register: modify_lines_sssd_conf_file
when: sssd_conf_file.stat.exists

- name: {{{ rule_title }}} - Find services key in /etc/sssd/sssd.conf
ansible.builtin.replace:
path: "/etc/sssd/sssd.conf"
regexp: '^\s*\[sssd\][^\[\]]*?(?:\n(?!\[)[^\n]*?services\s*=)+'
replace: ''
changed_when: false
check_mode: true
register: sssd_conf_file_services
when: sssd_conf_file.stat.exists

- name: {{{ rule_title }}} - Insert entry to /etc/sssd/sssd.conf
ini_file:
path: /etc/sssd/sssd.conf
section: sssd
option: services
value: pam
Review comment (Member):
There is an issue with this last task. It is here to cover the case where the services line is not present in [sssd]. However, in most cases, if not all, the services line is already there and commonly includes more services than only pam.
For example, if the line is:
services = nss,pam
this last task will remove nss and leave the line as services = pam. This is not desired.

I believe the way to solve this is to create another task, in check mode only, to test whether there is already a line with services = * and use the result in this last task.

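The overwrite the comment describes, and the check-mode guard that was added to avoid it, can be exercised offline. What follows is an added example, not code from this PR or from ComplianceAsCode: it simulates the playbook's decision sequence in Python with the two regexes copied from the tasks above (ansible.builtin.replace compiles its pattern with re.MULTILINE and no DOTALL, which the example reproduces), a simplified stand-in for ini_file that is an assumption about that module rather than its code, and constructed sample configs. It also shows two edge cases the regexes leave open: an empty `services =` gains a leading comma, and a commented-out `#services =` line satisfies the check-mode detection, so no fallback insert happens and pam stays disabled.

```python
import re

# Added example (not from the PR): simulate the Ansible remediation's logic
# so the regexes can be exercised on sample configs without running Ansible.
# ansible.builtin.replace compiles its 'regexp' with re.MULTILINE and without
# DOTALL, so '.' stops at newlines; both patterns are copied from the playbook.
APPEND_PAM_RE = re.compile(
    r'^(\s*\[sssd\].*(?:\n\s*[^[\s].*)*\n\s*services\s*=(?!.*\bpam\b).*)$',
    re.MULTILINE)
HAS_SERVICES_RE = re.compile(
    r'^\s*\[sssd\][^\[\]]*?(?:\n(?!\[)[^\n]*?services\s*=)+',
    re.MULTILINE)


def append_pam(text):
    """The two 'Modify lines' tasks: append ',pam' to a services= line in the
    [sssd] section that does not already list pam. Returns (new_text, changed),
    mirroring the 'changed' flag of the registered replace result."""
    new_text, count = APPEND_PAM_RE.subn(r'\1,pam', text)
    return new_text, count > 0


def has_services_key(text):
    """The check-mode 'Find services key' task: True when replace would report
    replacements, i.e. when the detection regex matches."""
    return HAS_SERVICES_RE.search(text) is not None


def insert_services_pam(text):
    """Simplified stand-in for ini_file(section=sssd, option=services, value=pam).
    Assumption: the option is added at the end of the [sssd] section, the
    section is created when absent, and an existing line would be overwritten
    (the clobbering the review comment describes), so callers must guard it."""
    lines = text.splitlines()
    in_sssd = False
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.startswith('['):
            if in_sssd:                        # reached the next section header
                lines.insert(i, 'services = pam')
                return '\n'.join(lines) + '\n'
            in_sssd = stripped == '[sssd]'
    if in_sssd:
        lines.append('services = pam')         # [sssd] was the last section
    else:
        lines += ['[sssd]', 'services = pam']  # no [sssd] section at all
    return '\n'.join(lines) + '\n'


def remediate(sssd_conf, conf_d):
    """Apply the playbook's task sequence. sssd_conf is the text of
    /etc/sssd/sssd.conf or None when the file is absent; conf_d maps each
    /etc/sssd/conf.d/*.conf file name to its text. Returns the new texts."""
    conf_d_changed = False
    new_conf_d = {}
    for name, text in conf_d.items():
        new_conf_d[name], changed = append_pam(text)
        conf_d_changed = conf_d_changed or changed
    sssd_changed = False
    if sssd_conf is not None:
        sssd_conf, sssd_changed = append_pam(sssd_conf)
    # The 'when:' guard of the ini_file task.
    if (not conf_d_changed and not sssd_changed
            and (sssd_conf is None or not has_services_key(sssd_conf))):
        sssd_conf = insert_services_pam(sssd_conf or '')
    return sssd_conf, new_conf_d


# Constructed sample configs (not taken from the PR's test scenarios).
MISSING_PAM = "[sssd]\ndomains = example.com\nservices = nss\n\n[nss]\nfilter_groups = root\n"
ALREADY_PAM = "[sssd]\nservices = nss,pam\n"
NO_KEY = "[sssd]\ndomains = example.com\n"
EMPTY_VALUE = "[sssd]\nservices =\n"                             # edge case: leading comma
COMMENTED = "[sssd]\ndomains = example.com\n#services = nss\n"   # edge case: nothing changes

if __name__ == '__main__':
    for label, conf in [('missing pam', MISSING_PAM), ('already pam', ALREADY_PAM),
                        ('no key', NO_KEY), ('empty value', EMPTY_VALUE),
                        ('commented out', COMMENTED)]:
        print(f'--- {label} ---')
        print(remediate(conf, {})[0], end='')
```

Run it with python3; each function returns the rewritten text, so the outcome of a given sssd.conf and conf.d layout can be compared directly against the end state the compliance check expects.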
when:
- not modify_lines_sssd_conf_d_files.changed
- not modify_lines_sssd_conf_file.changed
- (sssd_conf_file_services.msg is defined and "replacements" not in sssd_conf_file_services.msg) or not sssd_conf_file.stat.exists
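Review bot: the check-mode regex in the "Find services key" task (`^\s*\[sssd\][^\[\]]*?(?:\n(?!\[)[^\n]*?services\s*=)+`) only requires a line in `[sssd]` that does not start with `[` and contains `services =` somewhere in it, so a commented-out `#services = nss` line counts as present; with the `when:` conditions on the ini_file task, a sssd.conf whose only services entry is commented out is left untouched and pam stays disabled. Requiring the key at the start of the line, e.g. `\n[ \t]*services\s*=` instead of `\n(?!\[)[^\n]*?services\s*=`, closes that gap. Two smaller points on the same flow: the `replace: '\1,pam'` tasks turn an empty `services =` into `services =,pam`, leaving a leading comma; and when /etc/sssd/sssd.conf is absent the ini_file task creates it, so it should set `owner: root`, `group: root` and `mode: '0600'` (sssd will not start with a world-readable sssd.conf) and, for consistency with the `ansible.builtin.*` tasks above it, use the `community.general.ini_file` FQCN.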
@@ -2,11 +2,10 @@
# packages = sssd
#

SSSD_SERVICES_REGEX_SHORT="^[[:space:]]*services.*$"
SSSD_CONF="/etc/sssd/sssd.conf"

rm -rf /etc/sssd/conf.d/
rm -f SSSD_CONF
rm -f $SSSD_CONF
cat <<EOF > $SSSD_CONF
[sssd]
section1 = key
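Review bot: the change from `rm -f SSSD_CONF` to `rm -f $SSSD_CONF` is the right fix (the old line removed a file literally named SSSD_CONF in the working directory and left the real config in place), but the variable should be quoted as `rm -f "$SSSD_CONF"` to match the quoting style of the other test script. Also, `rm -rf /etc/sssd/conf.d/` deletes the directory and nothing here recreates it, so this scenario also runs the remediation's `ansible.builtin.find` task against a missing `/etc/sssd/conf.d/`; either add `mkdir -p /etc/sssd/conf.d/` as the other test does, or state in the header comment that the missing-directory case is intended.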
@@ -0,0 +1,12 @@
#!/bin/bash
# packages = sssd

rm -rf "/etc/sssd/conf.d/"
rm -f "/etc/sssd/sssd.conf"
mkdir -p "/etc/sssd/conf.d/"
cat <<EOF > "/etc/sssd/conf.d/sssd.conf"
[sssd]
services = nss,pam
[pam]
example1 = abc
EOF
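Review bot: this scenario (pam already enabled in a conf.d snippet, no /etc/sssd/sssd.conf) sends the Ansible remediation through its `not sssd_conf_file.stat.exists` branch, so the ini_file task will create /etc/sssd/sssd.conf containing only `services = pam` next to the snippet's `services = nss,pam`; the header comment should state which end state the check is expected to accept, and a companion scenario where sssd.conf exists with a `[sssd]` section but no `services` key would cover the other half of that `when:` (the `"replacements" not in sssd_conf_file_services.msg` condition), which no test on this page exercises.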