ansible-lockdown / UBUNTU22-CIS

Ansible role for Ubuntu22 CIS Baseline
https://ansible-lockdown.readthedocs.io/en/latest/
MIT License

5.4.3 Not being triggered due to regexp not matching. #145

Closed zac90 closed 7 months ago

zac90 commented 8 months ago

Describe the Issue

It appears that the following task does not run when it should. I believe it is because the regexp is far too exact and isn't matching the actual line in a more general way.

    - name: "5.4.3 | PATCH | Ensure password reuse is limited | Set remember value if pam_unix does exist"
      ansible.builtin.lineinfile:
        path: /etc/pam.d/common-password
        regexp: '^(?P<begin>[^\S\n]*password[^\S\n]+.*pam_unix.so[^\S\n]+)(?P<remember>(?P<before>.+?)remember=[0-9]+[^\S\n]?)?(?P<after>.*)$'
        line: '\g<begin>\g<before>remember={{ ubtu22cis_pamd_pwhistory_remember }} \g<after>'
        backrefs: true
      when:
        - ubtu22cis_5_4_3_pam_unix_state.stdout | length > 0
        - "'remember' not in ubtu22cis_5_4_3_pam_unix_state.stdout"

Expected Behavior

The remember={{ ubtu22cis_pamd_pwhistory_remember }} option should be added.

Actual Behavior

My printout of the grep line is:

~# grep 'password.*pam_unix.so' /etc/pam.d/common-password
password   [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass

So it appears that when the remember option doesn't exist, it won't try updating that line.

Control(s) Affected

5.4.3

Possible Solution

Make the regex simpler and more generic to match key parts of the line instead of trying to match the whole exact line. You can also add the insertafter option to add the line if the regexp doesn't match. That would ensure the line exists.
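A way to check the task's regexp and line template offline before running the role, added here as an example and not code from the ansible-lockdown project: it approximates what lineinfile does with backrefs: true (re.search on each line, then Match.expand on the template) against the grep line quoted above and a constructed variant that already carries remember=. The value 5 is an assumed rendering of ubtu22cis_pamd_pwhistory_remember.

```python
import re

# Regexp and line template copied from the 5.4.3 task quoted in the issue.
# The Jinja variable is assumed to render to 5 for this check.
REGEXP = (r'^(?P<begin>[^\S\n]*password[^\S\n]+.*pam_unix.so[^\S\n]+)'
          r'(?P<remember>(?P<before>.+?)remember=[0-9]+[^\S\n]?)?(?P<after>.*)$')
LINE = r'\g<begin>\g<before>remember=5 \g<after>'


def lineinfile_backrefs(lines, regexp=REGEXP, line=LINE):
    """Approximate lineinfile with backrefs: true.

    Each line is tested with re.search; a matching line is replaced by
    Match.expand(template). Returns (new_lines, matched). With backrefs
    and no match, lineinfile leaves the file alone, which is why a
    non-matching regexp silently skips the control.
    """
    pattern = re.compile(regexp)
    out, matched = [], False
    for cur in lines:
        m = pattern.search(cur)
        if m is None:
            out.append(cur)
            continue
        matched = True
        # Python 3.5+ expands unmatched groups (here <before>) to '';
        # older interpreters raised re.error on such a template.
        out.append(m.expand(line))
    return out, matched


# Constructed stand-in for /etc/pam.d/common-password: a pwquality line,
# the exact pam_unix line from the issue's grep, and a variant that
# already carries remember= so the rewrite path is exercised too.
SAMPLE = [
    "password\trequisite\t\t\tpam_pwquality.so retry=3",
    "password   [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass",
]
SAMPLE_WITH_REMEMBER = [
    "password [success=1 default=ignore] pam_unix.so obscure remember=3 use_authtok",
]

if __name__ == "__main__":
    for sample in (SAMPLE, SAMPLE_WITH_REMEMBER):
        new, hit = lineinfile_backrefs(sample)
        print("matched:", hit)
        for before, after in zip(sample, new):
            print(" ", before if before == after else f"{before}\n   -> {after}")
```

If the offline result shows the line being rewritten but the host stays unchanged, the when conditions on the registered stdout are the next thing to check.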