Simple lineinfile, but make it idempotent

[Schrock, Chad - 0336 - MITLL]

 

Hi everyone,

 

I am really having a very Monday Monday today and am just having a fit with my regex. I’m working on implementing part of the DISA STIG for RHEL 9 and need to edit /etc/bashrc, specifically:

 

    # Set default umask for non-login shell only if it is set to 0

    [ `umask` -eq 0 ] && umask 022

 

I need to change that “umask 022” to “umask 077” and I’ve gotten as far as this:

 

- name: RHEL-09-412055 | RHEL 9 must define default permissions for the bash shell

  ansible.builtin.lineinfile:

    path: /etc/bashrc

    regexp: \sumask\s\d{3}

    line: "[ `umask` -eq 0 ] && umask 077"

 

 

But then realized that the regexp and replacement isn’t idempotent and since then my brain has just decided to go on a little vacation by itself.

 

I was thinking about some sort of capture group and then something saying “if <capture group> != ‘077’,” but I think I completely lost the plot at that point.

 

Thank you for any help on this Mondayest of Mondays.

 

 

 

--

Chad Schrock, he/him

Supporting MIT Lincoln Laboratory, Lexington, MA

 

[Rilindo Foster]

Hi Chad,

I think you are on the right track. If you can read the file into memory, you should be able to grep to confirm if the entry exists in file or not before actually making the change.

-- 
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/PH1P110MB14443DB4A6FBB2E6DD135DA8B3B3A%40PH1P110MB1444.NAMP110.PROD.OUTLOOK.COM.

[Todd Lewis]

Hey Chad,

What makes you think the regex and replacement aren't idempotent?
I just ran your task twice. The first time it changes the line as expected. The second time it makes no change.

I think it's right, but feel free to persuade me otherwise.
--
Todd

--

You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/PH1P110MB14443DB4A6FBB2E6DD135DA8B3B3A%40PH1P110MB1444.NAMP110.PROD.OUTLOOK.COM.

-- 
Todd

[Schrock, Chad - 0336 - MITLL]

 

Hi Todd,

 

<insert Picard facepalm.gif>

 

Thank you and Rilindo for looking at this. I just got too inside of my head yesterday. You’re right, this does work as expected.

 

(I probably should have just stayed in bed yesterday.)

 

Thank you all so much,

Chad

 

--

Chad Schrock, he/him

Supporting MIT Lincoln Laboratory, Lexington, MA

 

From: ansible...@googlegroups.com <ansible...@googlegroups.com> On Behalf Of Todd Lewis
Sent: Monday, November 13, 2023 2:02 PM
To: ansible...@googlegroups.com
Cc: uto...@gmail.com
Subject: [EXT] Re: [ansible-project] Simple lineinfile, but make it idempotent

 

Hey Chad, What makes you think the regex and replacement aren't idempotent? I just ran your task twice. The first time it changes the line as expected. The second time it makes no change. I think it's right, but feel free to persuade me otherwise. 

ZjQcmQRYFpfptBannerStart

ZjQcmQRYFpfptBannerEnd

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/596f6d8d-cb50-43af-b14d-311a4a3050e2%40gmail.com.

[Evan Hisey]

For about 90% of the STIG settings, you can use the openscap workbench and it will dump you and ansible option for the STIG setting. Your probably don't want to use the full stig raw Ansible dump (it is scary, like real scary). But it is great for finding individual settings.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/PH1P110MB144426041C28C2280D6D6E50B3B2A%40PH1P110MB1444.NAMP110.PROD.OUTLOOK.COM.