From e12a7c9591865e82d0903a7d6b64e29aa3c5e9df Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Thu, 4 Jul 2024 18:12:13 +0200
Subject: [PATCH] update Ansible remediation of the template to be aligned with Bash
---
 .../ansible.template | 84 +++++++++++--------
 1 file changed, 48 insertions(+), 36 deletions(-)
diff --git a/shared/templates/systemd_dropin_configuration/ansible.template b/shared/templates/systemd_dropin_configuration/ansible.template
index e3b409094669..f68e3a0bb852 100644
--- a/shared/templates/systemd_dropin_configuration/ansible.template
+++ b/shared/templates/systemd_dropin_configuration/ansible.template
@@ -3,45 +3,57 @@
 # strategy = restrict
 # complexity = low
 # disruption = low
-- name: Check for duplicate {{{ PARAM }}} values in master {{{ COMPONENT }}} configuration
- ansible.builtin.lineinfile:
- path: {{{ MASTER_CFG_FILE }}}
- create: false
- regexp: ^\s*{{{ PARAM }}}=
- state: absent
- check_mode: true
- changed_when: false
- register: dupes_master
-- name: Deduplicate {{{ PARAM }}} values from {{{ COMPONENT }}} master configuration
- ansible.builtin.lineinfile:
- path: {{{ MASTER_CFG_FILE }}}
- create: false
- regexp: ^\s*{{{ PARAM }}}=
- state: absent
- when: dupes_master.found is defined and dupes_master.found > 1
+#- name: "{{{ rule_title }}} - Initialize list of files with the master file"
+# ansible.builtin.set_fact:
+# systemd_dropin_all_files:
+# - {{{ MASTER_CFG_FILE }}}
-- name: Collect all config {{{ COMPONENT }}} files which configure {{{ PARAM }}}
+#- name: "{{{ rule_title }}} - create list of files in {{{ DROPIN_DIR }}} to be searched"
+## ansible.builtin.find:
+# paths: {{{ DROPIN_DIR }}}
+# patterns: "*.conf"
+# recurse: false
+# register: systemd_dropin_files
+
+#- name: "{{{ rule_title }}} - Append found dropin files"
+# ansible.builtin.set_fact:
+# systemd_dropin_all_files:
+# - {{{ MASTER_CFG_FILE }}}
+# - "{{ systemd_dropin_files.files | map(attribute='path') | list }}"
+# when: systemd_dropin_files is defined and systemd_dropin_files.matched > 0
+
+- name: "{{{ rule_title }}} - Search for a section in files"
 ansible.builtin.find:
- paths: {{{ DROPIN_DIR }}}
- contains: ^[\s]*{{{ PARAM }}}=.*$
- patterns: "*.conf"
- register: {{{ COMPONENT }}}_{{{ PARAM }}}_dropin_config_files
+ paths: "{{item.path}}"
+ patterns: "{{item.pattern}}"
+ contains: "[{{{ SECTION }}}]"
+ read_whole_file: true
+ register: systemd_dropin_files_with_section
+ loop:
+ - path: "{{ '{{{ MASTER_CFG_FILE }}}' | dirname }}"
+ pattern: "{{ '{{{ MASTER_CFG_FILE }}}' | basename }}"
+ - path: "{{{ DROPIN_DIR }}}"
+ pattern: "*.conf"
-- name: Deduplicate values from {{{ COMPONENT }}} {{{ PARAM }}} dropin configuration
- ansible.builtin.lineinfile:
- path: "{{ item.path }}"
- create: false
- regexp: ^\s*{{{ PARAM }}}=
- state: absent
- loop: "{{ {{{ COMPONENT }}}_{{{ PARAM }}}_dropin_config_files.files }}"
+- name: "{{{ rule_title }}} - Add missing configuration to correct section"
+ ini_file:
+ path: "{{item}}"
+ section: {{{ SECTION }}}
+ option: {{{ PARAM }}}
+ value: "{{{ VALUE }}}"
+ state: present
+ no_extra_spaces: true
+ when: "{{systemd_dropin_files_with_section.results | map(attribute='matched') | list | map('int') | sum > 0}}"
+ loop: "{{systemd_dropin_files_with_section.results | sum(attribute='files', start=[]) | map(attribute='path') | list }}"
-- name: Insert correct line to {{{ COMPONENT }}} {{{ PARAM }}} configuration
- ansible.builtin.lineinfile:
- path: {{{ DROPIN_DIR }}}/oscap-remedy.conf
- create: true
- regexp: ^\s*{{{ PARAM }}}=
- line: {{{ PARAM }}}={{{ VALUE }}}
 state: present
- insertbefore: ^# {{{ PARAM }}}
- validate: bash -n %s
+ no_extra_spaces: true
+ create: true
+ when: "{{systemd_dropin_files_with_section.results | map(attribute='matched') | list | map('int') | sum == 0}}"
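Review bot: The `contains: "[{{{ SECTION }}}]"` in the new find task is a regular expression, so the unescaped brackets form a character class that matches any file containing one of the section name's letters instead of the literal `[SECTION]` header; nearly every .conf then counts as matched, the value is appended to whichever drop-in files already exist, and the `sum == 0` fallback that creates `oscap-remedy.conf` is effectively unreachable. Escape the brackets, e.g. `contains: '^\s*\[{{{ SECTION }}}\]\s*$'`, and note that with `read_whole_file: true` the pattern is applied to the whole content, so `^`/`$` only match at file boundaries unless the pattern starts with `(?m)` (or `read_whole_file` is dropped to search line by line). Both `when:` conditions wrap the expression in `{{ }}`; `when` is already a raw Jinja expression, Ansible warns about templating delimiters there and newer ansible-core releases reportedly reject it, so write `when: systemd_dropin_files_with_section.results | map(attribute='matched') | sum > 0` (and `== 0` in the last task). The bare `ini_file:` should be `community.general.ini_file:` to match the FQCN used for `ansible.builtin.find`, and the commented-out set_fact/find tasks at the top of the hunk are dead code that should be removed rather than shipped in the template.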