openstack/ansible-hardening
Code Issues Proposed changes

Use replace module instead of lineinfile for disabling dynamic motd

Browse Source 
Lineinfile module can manage only single occurance of line in the file,
while pam.d/sshd contains multiple occurances of pam_motd which
results in not disabling it fully.

In order to properly comment out/uncomment all occurances replace module
should be used instead.

Change-Id: I73babb2431d4fda5aa90d9a1e230c1796449c0fc
This commit is contained in:
Dmitriy Rabotyagov 2024-01-29 17:24:06 +01:00 committed by Dmitriy Rabotyagov
parent ced5df4956
commit db284ddf93
1 changed files with 3 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
tasks/rhel7stig/sshd.yml
View File

@ -149,10 +149,9 @@
- sshd - sshd
- V-72257 - V-72257
- name: Remove motd from pam.d - name: Manage motd in pam.d
lineinfile: replace:
path: /etc/pam.d/sshd path: /etc/pam.d/sshd
regexp: '^(#\s)?(session\s*optional\s*pam_motd.so.*)$' regexp: '^(#\s)?(session\s*optional\s*pam_motd.so.*)$'
line: '{{ (security_sshd_dynamic_banner_disable | bool) | ternary("# \2", "\2") }}' replace: '{{ (security_sshd_dynamic_banner_disable | bool) | ternary("# \2", "\2") }}'
backrefs: yes
when: security_sshd_dynamic_banner_disable | bool when: security_sshd_dynamic_banner_disable | bool