openstack/ansible-hardening
Code Issues Proposed changes

Use replace module instead of lineinfile for disabling dynamic motd

Browse Source 
Lineinfile module can manage only single occurance of line in the file,
while pam.d/sshd contains multiple occurances of pam_motd which
results in not disabling it fully.

In order to properly comment out/uncomment all occurances replace module
should be used instead.

Change-Id: I73babb2431d4fda5aa90d9a1e230c1796449c0fc
(cherry picked from commit db284ddf93dae00fecec76618cb1f743101019de)
This commit is contained in:
Dmitriy Rabotyagov 2024-01-29 17:24:06 +01:00 committed by Dmitriy Rabotyagov
parent 7a4d7aa4de
commit 6b113f9a3e
1 changed files with 3 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
tasks/rhel7stig/sshd.yml
View File

@ -149,10 +149,9 @@
- sshd
- V-72257
- name: Remove motd from pam.d
lineinfile:
- name: Manage motd in pam.d
replace:
path: /etc/pam.d/sshd
regexp: '^(#\s)?(session\s*optional\s*pam_motd.so.*)$'
line: '{{ (security_sshd_dynamic_banner_disable | bool) | ternary("# \2", "\2") }}'
backrefs: yes
replace: '{{ (security_sshd_dynamic_banner_disable | bool) | ternary("# \2", "\2") }}'
when: security_sshd_dynamic_banner_disable | bool