Use replace module instead of lineinfile for disabling dynamic motd

Lineinfile module can manage only single occurance of line in the file, while pam.d/sshd contains multiple occurances of pam_motd which results in not disabling it fully. In order to properly comment out/uncomment all occurances replace module should be used instead. Change-Id: I73babb2431d4fda5aa90d9a1e230c1796449c0fc
2024-01-29 17:24:06 +01:00 · 2024-01-29 17:24:06 +01:00 · db284ddf93
commit db284ddf93
parent ced5df4956
1 changed files with 3 additions and 4 deletions
--- a/tasks/rhel7stig/sshd.yml
+++ b/tasks/rhel7stig/sshd.yml
@ -149,10 +149,9 @@
    - sshd
    - V-72257

- name: Remove motd from pam.d
-  lineinfile:
+- name: Manage motd in pam.d
+  replace:
    path: /etc/pam.d/sshd
    regexp: '^(#\s)?(session\s*optional\s*pam_motd.so.*)$'
-    line: '{{ (security_sshd_dynamic_banner_disable | bool) | ternary("# \2", "\2") }}'
-    backrefs: yes
+    replace: '{{ (security_sshd_dynamic_banner_disable | bool) | ternary("# \2", "\2") }}'
  when: security_sshd_dynamic_banner_disable | bool