ansible-lockdown / RHEL7-STIG

Ansible role for Red Hat 7 STIG Baseline
MIT License

RHEL-07-010119 is potentially not idempotent #398

Closed danbarr closed 2 years ago

danbarr commented 2 years ago

Describe the Issue
RHEL-07-010119 is potentially not idempotent

When running some tasks against existing systems, I noticed that RHEL-07-010119 was adding a duplicate line in /etc/pam.d/system-auth.

Anything that causes pam.d files to be re-formatted (in my case, I think it was Centrify, but I think authconfig and sssd will do the same) will realign the spaces between "password" and "required", so the task regexp no longer matches. Replacing the space with \s+ will make it match even in this situation.

RHEL-07-010118 has the same potential but since both the regex and line have the default spacing it hasn't been an issue for me, but for safety it could be tweaked too (see below).

Expected Behavior
Task should not add another copy of the line if the file has been re-formatted.

Actual Behavior
Task adds a duplicate line if something has re-formatted the file to align the entries with extra spaces.

Control(s) Affected
RHEL-07-010119, and possibly RHEL-07-010118

Possible Solution
For RHEL-07-010119, replace: https://github.com/ansible-lockdown/RHEL7-STIG/blob/7eb9d55858c212ccf870f75c6643d96293bb15b9/tasks/fix-cat2.yml#L233-L234

With:

```yaml
      regexp: '^#?password\s+required pam_pwquality.so retry'
      line: password   required pam_pwquality.so retry=3
```

(also showing updated line: with the default spacing)

And RHEL-07-010118 could be made safer by updating: https://github.com/ansible-lockdown/RHEL7-STIG/blob/7eb9d55858c212ccf870f75c6643d96293bb15b9/tasks/fix-cat2.yml#L216

to:

```yaml
      regexp: '^password\s+substack\s+system-auth'
```
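The duplication described in this issue can be reproduced without a RHEL box by modelling what `lineinfile` with `state: present` does (replace the last line matching `regexp`, otherwise append `line`). The script below is an added example and is not code from the RHEL7-STIG role; the `system-auth` content is constructed to look like a file that `authconfig` has re-aligned into padded columns, and the whitespace-tolerant regex uses `\s+` between every field, which goes one step beyond the issue's suggestion (which only relaxes the gap after `password`). The function names `lineinfile`, `pwquality_lines` and `dead_pwquality_lines` are this example's own.

```python
import re

# Constructed sample of /etc/pam.d/system-auth after a tool such as authconfig
# has re-aligned the columns with padding (constructed for this example, not a
# file taken from the issue).
REALIGNED_SYSTEM_AUTH = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
account     required      pam_unix.so
password    required      pam_pwquality.so retry=3
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
"""

# Regex with literal single spaces: it only matches the default formatting.
FRAGILE_REGEXP = r'^#?password required pam_pwquality.so retry'
# Whitespace-tolerant regex: \s+ between every column and "." escaped.  This is
# broader than the issue's proposed regexp, which relaxes only the first gap.
ROBUST_REGEXP = r'^#?password\s+required\s+pam_pwquality\.so.*\bretry='
# The line the task writes, in the role's default spacing.
DESIRED_LINE = "password   required pam_pwquality.so retry=3"

_PWQUALITY = re.compile(r'^password\s+required\s+pam_pwquality\.so')
_UNIX_SUFFICIENT = re.compile(r'^password\s+sufficient\s+pam_unix\.so')


def lineinfile(content, regexp, line):
    """Approximate Ansible lineinfile (state=present): if regexp matches, the
    last matching line is replaced by `line`; otherwise `line` is appended."""
    pattern = re.compile(regexp)
    lines = content.splitlines()
    matches = [i for i, text in enumerate(lines) if pattern.search(text)]
    if matches:
        lines[matches[-1]] = line
    else:
        lines.append(line)
    return "\n".join(lines) + "\n"


def pwquality_lines(content):
    """All 'password required pam_pwquality.so' lines, whatever the spacing."""
    return [text for text in content.splitlines() if _PWQUALITY.match(text)]


def dead_pwquality_lines(content):
    """Count pwquality lines that sit after the first 'password sufficient
    pam_unix.so' line.  A sufficient module that succeeds ends the password
    stack, so a pwquality line appended at end of file is never consulted."""
    lines = content.splitlines()
    unix = [i for i, text in enumerate(lines) if _UNIX_SUFFICIENT.match(text)]
    if not unix:
        return 0
    return sum(1 for i, text in enumerate(lines)
               if i > unix[0] and _PWQUALITY.match(text))


def run_task(content, regexp, line, times=2):
    """Apply the task `times` times and return every intermediate state, so a
    caller can check that the second run changes nothing (idempotency)."""
    states = [content]
    for _ in range(times):
        states.append(lineinfile(states[-1], regexp, line))
    return states


if __name__ == "__main__":
    fragile = run_task(REALIGNED_SYSTEM_AUTH, FRAGILE_REGEXP, DESIRED_LINE)
    robust = run_task(REALIGNED_SYSTEM_AUTH, ROBUST_REGEXP, DESIRED_LINE)
    print("fragile regexp: pwquality lines after one run =",
          len(pwquality_lines(fragile[1])),
          "dead copies =", dead_pwquality_lines(fragile[1]))
    print("robust regexp:  pwquality lines after one run =",
          len(pwquality_lines(robust[1])),
          "second run changed file =", robust[2] != robust[1])
```

The dead-line count is the part worth checking on a real host: because `lineinfile` appends at end of file, the duplicate lands after the `sufficient pam_unix.so` entry, where the password stack has already finished, so the second copy is inert rather than an extra enforcement. The `insertbefore`/`insertafter` parameters of `lineinfile` exist for placing a genuinely new line correctly, but the fix here is to make the `regexp` match the existing one.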