Aling Ansible remediation with Bash

The sssd.conf should only modified if already present. It is not created by this remediation. Signed-off-by: Marcus Burghardt <[email protected]>
ComplianceAsCode · Nov 6, 2024 · d4ba4d3 · d4ba4d3
1 parent b191bdd
commit d4ba4d3
Showing 1 changed file with 5 additions and 15 deletions.
diff --git a/linux_os/guide/services/sssd/sssd_enable_pam_services/ansible/shared.yml b/linux_os/guide/services/sssd/sssd_enable_pam_services/ansible/shared.yml
@@ -4,14 +4,14 @@
 # complexity = low
 # disruption = medium
 
-- name: {{{ rule_title }}} - Find all the conf files inside the /etc/sssd/conf.d/ directory
+- name: {{{ rule_title }}} - Find all conf files inside the /etc/sssd/conf.d/ directory
   ansible.builtin.find:
     paths:
     - "/etc/sssd/conf.d/"
     patterns: "*.conf"
   register: sssd_conf_d_files
 
-- name: {{{ rule_title }}} - Modify lines in files in the /etc/sssd/conf.d/ directory
+- name: {{{ rule_title }}} - Modify lines in files found in the /etc/sssd/conf.d/ directory
   ansible.builtin.replace:
     path: "{{ item }}"
     regexp: '^(\s*\[sssd\].*(?:\n\s*[^[\s].*)*\n\s*services\s*=(?!.*\bpam\b).*)$'
@@ -20,7 +20,7 @@
   register: modify_lines_sssd_conf_d_files
   when: sssd_conf_d_files.matched is defined and sssd_conf_d_files.matched >= 1
 
-- name: {{{ rule_title }}} - Find /etc/sssd/sssd.conf
+- name: {{{ rule_title }}} - Check existence of /etc/sssd/sssd.conf
   ansible.builtin.stat:
     path: /etc/sssd/sssd.conf
   register: sssd_conf_file
@@ -33,17 +33,7 @@
   register: modify_lines_sssd_conf_file
   when: sssd_conf_file.stat.exists
 
-- name: {{{ rule_title }}} - Find services key in /etc/sssd/sssd.conf
-  ansible.builtin.replace:
-    path: "/etc/sssd/sssd.conf"
-    regexp: '^\s*\[sssd\][^\[\]]*?(?:\n(?!\[)[^\n]*?services\s*=)+'
-    replace: ''
-  changed_when: false
-  check_mode: true
-  register: sssd_conf_file_services
-  when: sssd_conf_file.stat.exists
-
-- name: {{{ rule_title }}} - Insert entry to /etc/sssd/sssd.conf
+- name: {{{ rule_title }}} - Ensure services entry in sssd section of /etc/sssd/sssd.conf
   ini_file:
     path: /etc/sssd/sssd.conf
     section: sssd
@@ -52,4 +42,4 @@
   when:
   - not modify_lines_sssd_conf_d_files.changed
   - not modify_lines_sssd_conf_file.changed
-  - (sssd_conf_file_services.msg is defined and "replacements" not in sssd_conf_file_services.msg) or not sssd_conf_file.stat.exists
+  - sssd_conf_file.stat.exists