File: ansible.template

# platform = multi_platform_sle,multi_platform_slmicro5
# reboot = false
# strategy = restrict
# complexity = low
# disruption = low

# NOTE(gyee): Ansible's pamd module is very rigid: it cannot conditionally
# replace an existing value only when it differs from the value we want.
# Until someone extends the pamd module to do that, the tasks below have to
# rely on regexp-based lineinfile/replace edits instead.


# Declare an XCCDF variable (var_password_pam_<variable>) for every ARGUMENTS
# entry that sets 'variable'. The build expands these markers; the tasks below
# interpolate the resulting Ansible variables into the module arguments.
{{% for arg in ARGUMENTS %}}
{{% if arg['variable']|length %}}
- (xccdf-var var_password_pam_{{{ arg['variable'] }}})
{{% endif %}}
{{% endfor %}}

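# Record the desired control flag so later tasks can test it with '|length';
# an empty CONTROL_FLAG means the control flag is left untouched.
- name: Set control_flag fact
  set_fact:
    control_flag: '{{{ CONTROL_FLAG }}}'

# Read-only probe: find any TYPE line in PATH that loads MODULE, whatever its
# control flag or arguments. '|| true' keeps a no-match grep from failing the
# play; changed_when: false stops the probe from reporting a change on every
# run. In check mode shell tasks are skipped, so the registered result carries
# no stdout — the guard on the next task relies on that.
- name: Check to see if '{{{ MODULE }}}' module is configured in '{{{ PATH }}}'
  shell: |
    set -o pipefail
    grep -E '^\s*{{{ TYPE }}}\s+\S+\s+{{{ MODULE }}}' {{{ PATH }}} || true
  register: check_pam_module_result
  changed_when: false

# Append a 'TYPE CONTROL_FLAG MODULE' line only when the probe found no MODULE
# entry at all. The membership test must be a bare Jinja expression: wrapped
# in quotes it becomes a string literal, which is always truthy, and the exact
# line below would then be appended a second time whenever the existing entry
# differs from it (e.g. a different control flag or extra arguments).
- name: Configure '{{{ MODULE }}}' module in '{{{ PATH }}}'
  lineinfile:
    path: '{{{ PATH }}}'
    line: '{{{ TYPE }}} {{{ CONTROL_FLAG }}} {{{ MODULE }}}'
    state: present
  when: check_pam_module_result.stdout is defined and '{{{ MODULE }}}' not in check_pam_module_result.stdout

# Rewrite the control flag of an existing MODULE line in place; backrefs keeps
# the rest of the line. Skipped when CONTROL_FLAG is empty.
- name: Ensure '{{{ MODULE }}}' module has conforming control flag
  lineinfile:
    path: '{{{ PATH }}}'
    regexp: '^(\s*{{{ TYPE }}}\s+)\S+(\s+{{{ MODULE }}}\s+.*)'
    line: '\g<1>{{{ CONTROL_FLAG }}}\g<2>'
    backrefs: true
  when: control_flag|length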

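{{% for arg in ARGUMENTS %}}
# NOTE: if 'remove_argument' is present and set to some value, we assume the
# user's intention is to remove the argument, so its current value is not
# checked.
{{% if arg['remove_argument']|length %}}
# Drop 'argument' (with or without an '=value' suffix) from every MODULE line
# of the given TYPE, keeping the remaining arguments and any trailing '\'.
- name: Remove argument '{{{ arg['argument'] }}}' from '{{{ MODULE }}}' module
  replace:
    path: '{{{ PATH }}}'
    regexp: '^(\s*{{{ TYPE }}}\s+\S+\s+{{{ MODULE }}}(?:\s+\S+)*)\s+{{{ arg['argument'] }}}(?:=\S+)?((\s+\S+)*\s*\\*\s*)$'
    replace: '\1\2'
{{% elif arg['variable']|length %}}
# NOTE(gyee): if 'variable' is used, the argument is set to the value of the
# XCCDF variable var_password_pam_<variable> declared at the top of the file.

# Rewrite an existing 'variable=...' argument to the XCCDF variable's value.
- name: Ensure "{{{ MODULE }}}" module has argument "{{{ arg['variable'] }}}={{ var_password_pam_{{{ arg['variable'] }}} }}"
  lineinfile:
    path: '{{{ PATH }}}'
    regexp: '^(\s*{{{ TYPE }}}\s+{{{ CONTROL_FLAG }}}\s+{{{ MODULE }}}(?:\s+\S+)*\s+{{{ arg['variable'] }}}=)(?:\S+)((\s+\S+)*\s*\\*\s*)$'
    line: '\g<1>{{ var_password_pam_{{{ arg['variable'] }}} }}\g<2>'
    backrefs: true

# Read-only probe for the argument; changed_when: false keeps it from
# reporting a change, '|| true' keeps a no-match grep from failing the play.
- name: Check the presence of "{{{ arg['variable'] }}}" argument in "{{{ MODULE }}}" module
  shell: |
    set -o pipefail
    grep -E '^\s*{{{ TYPE }}}\s+{{{ CONTROL_FLAG }}}\s+{{{ MODULE }}}.*\s+{{{ arg['variable'] }}}(=|\s|\s*$)' {{{ PATH }}} || true
  register: check_pam_module_argument_result
  changed_when: false

# Append the argument only when the probe ran and did not find it. The
# membership test is a bare Jinja expression on purpose: quoted, it would be
# a (truthy) string literal and the argument would be appended on every run.
- name: Add "{{{ arg['variable'] }}}" argument to "{{{ MODULE }}}" module
  lineinfile:
    path: '{{{ PATH }}}'
    regexp: '^(\s*{{{ TYPE }}}\s+{{{ CONTROL_FLAG }}}\s+{{{ MODULE }}})((\s+\S+)*\s*(\\)*$)'
    line: '\g<1> {{{ arg['variable'] }}}={{ var_password_pam_{{{ arg['variable'] }}} }}\g<2>'
    backrefs: true
  when: check_pam_module_argument_result is not skipped and '{{{ arg['variable'] }}}' not in check_pam_module_argument_result.stdout
{{% else %}}
# Static value: an empty 'argument_value' means the argument takes no '=value'
# and only its presence is enforced.
- name: Set argument_value fact
  set_fact:
    argument_value: "{{{ arg['argument_value'] }}}"

# Replace an existing 'argument=...' whose value does not already satisfy
# 'argument_match' (negative lookahead). Skipped when the value is empty.
- name: Ensure "{{{ MODULE }}}" module has argument {{% if arg['argument_value']|string|length %}}"{{{ arg['argument'] }}}={{{ arg['argument_value'] }}}"{{% else %}}"{{{ arg['argument'] }}}"{{% endif %}}
  lineinfile:
    path: '{{{ PATH }}}'
    regexp: '^(\s*{{{ TYPE }}}\s+{{{ CONTROL_FLAG }}}\s+{{{ MODULE }}}(?:\s+\S+)*\s+{{{ arg['argument'] }}}=)(?!{{{ arg['argument_match'] }}})\S*((\s+\S+)*\s*\\*\s*)$'
    line: '\g<1>{{{ arg['argument_value'] }}}\g<2>'
    backrefs: true
  when: argument_value|length

# Read-only probe for the argument; changed_when: false keeps it from
# reporting a change, '|| true' keeps a no-match grep from failing the play.
- name: Check the presence of "{{{ arg['argument'] }}}" argument in "{{{ MODULE }}}" module
  shell: |
    set -o pipefail
    grep -E '^\s*{{{ TYPE }}}\s+{{{ CONTROL_FLAG }}}\s+{{{ MODULE }}}.*\s+{{{ arg['argument'] }}}(=|\s|\s*$)' {{{ PATH }}} || true
  register: check_pam_module_argument_result
  changed_when: false

# Append 'new_argument' only when the probe ran and did not find the argument.
# The membership test is a bare Jinja expression on purpose: quoted, it would
# be a (truthy) string literal and the argument would be appended on every run.
- name: Add "{{{ arg['argument'] }}}" argument to "{{{ MODULE }}}" module
  lineinfile:
    path: '{{{ PATH }}}'
    regexp: '^(\s*{{{ TYPE }}}\s+{{{ CONTROL_FLAG }}}\s+{{{ MODULE }}})((\s+\S+)*\s*(\\)*$)'
    line: '\g<1> {{{ arg['new_argument'] }}}\g<2>'
    backrefs: true
  when: check_pam_module_argument_result is not skipped and '{{{ arg['argument'] }}}' not in check_pam_module_argument_result.stdout
{{% endif %}}
{{% endfor %}}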