fix(cis): add regexp to all lineinfile entries in security_lines.yml for idempotency

roles/cis/tasks/security_lines.yml

@@ -2,19 +2,30 @@
 - name: Add Security related lines into config files
   ansible.builtin.lineinfile:
     path: "{{ item.path }}"
+    regexp: "{{ item.regexp }}"
     line: "{{ item.content }}"
   loop:
-    - { path: /mnt/etc/security/limits.conf, content: "* hard core 0" }
+    - { path: /mnt/etc/security/limits.conf, regexp: '^\*\s+hard\s+core\s+', content: "* hard core 0" }
-    - { path: /mnt/etc/security/pwquality.conf, content: minlen = 14 }
+    - { path: /mnt/etc/security/pwquality.conf, regexp: '^\s*#?\s*minlen\s*=', content: minlen = 14 }
-    - { path: /mnt/etc/security/pwquality.conf, content: dcredit = -1 }
+    - { path: /mnt/etc/security/pwquality.conf, regexp: '^\s*#?\s*dcredit\s*=', content: dcredit = -1 }
-    - { path: /mnt/etc/security/pwquality.conf, content: ucredit = -1 }
+    - { path: /mnt/etc/security/pwquality.conf, regexp: '^\s*#?\s*ucredit\s*=', content: ucredit = -1 }
-    - { path: /mnt/etc/security/pwquality.conf, content: ocredit = -1 }
+    - { path: /mnt/etc/security/pwquality.conf, regexp: '^\s*#?\s*ocredit\s*=', content: ocredit = -1 }
-    - { path: /mnt/etc/security/pwquality.conf, content: lcredit = -1 }
+    - { path: /mnt/etc/security/pwquality.conf, regexp: '^\s*#?\s*lcredit\s*=', content: lcredit = -1 }
-    - { path: '/mnt/etc/{{ "bashrc" if is_rhel else "bash.bashrc" }}', content: umask 077 }
+    - path: '/mnt/etc/{{ "bashrc" if is_rhel else "bash.bashrc" }}'
-    - { path: '/mnt/etc/{{ "bashrc" if is_rhel else "bash.bashrc" }}', content: export TMOUT=900 }
+      regexp: '^\s*umask\s+\d+'
-    - { path: '/mnt/{{ "usr/lib/systemd/journald.conf" if is_rhel | bool else "etc/systemd/journald.conf" }}', content: Storage=persistent }
+      content: umask 077
-    - { path: /mnt/etc/sudoers, content: Defaults        logfile="/var/log/sudo.log" }
+    - path: '/mnt/etc/{{ "bashrc" if is_rhel else "bash.bashrc" }}'
-    - { path: /mnt/etc/pam.d/su, content: auth required pam_wheel.so }
+      regexp: '^\s*(export\s+)?TMOUT='
+      content: export TMOUT=900
+    - path: '/mnt/{{ "usr/lib/systemd/journald.conf" if is_rhel | bool else "etc/systemd/journald.conf" }}'
+      regexp: '^\s*#?\s*Storage='
+      content: Storage=persistent
+    - path: /mnt/etc/sudoers
+      regexp: '^\s*Defaults\s+logfile='
+      content: Defaults        logfile="/var/log/sudo.log"
+    - path: /mnt/etc/pam.d/su
+      regexp: '^\s*#?\s*auth\s+required\s+pam_wheel\.so'
+      content: auth required pam_wheel.so
     - path: >-
         /mnt/etc/{{
           "pam.d/common-auth"
@@ -23,6 +34,7 @@
           if os == "fedora"
           else "pam.d/system-auth"
         }}
+      regexp: '^\s*auth\s+required\s+pam_faillock\.so'
       content: >-
         auth required pam_faillock.so onerr=fail audit silent deny=5 unlock_time=900
     - path: >-
@@ -33,6 +45,7 @@
           if os == "fedora"
           else "pam.d/system-auth"
         }}
+      regexp: '^\s*account\s+required\s+pam_faillock\.so'
       content: account required pam_faillock.so
     - path: >-
         /mnt/etc/pam.d/{{
@@ -40,9 +53,10 @@
           if is_debian | bool
           else "passwd"
         }}
+      regexp: '^\s*password\s+\[success=1.*\]\s+pam_unix\.so'
       content: >-
         password [success=1 default=ignore] pam_unix.so obscure sha512 remember=5
-    - { path: /mnt/etc/hosts.deny, content: "ALL: ALL" }
+    - { path: /mnt/etc/hosts.deny, regexp: '^ALL:\s*ALL', content: "ALL: ALL" }
-    - { path: /mnt/etc/hosts.allow, content: "sshd: ALL" }
+    - { path: /mnt/etc/hosts.allow, regexp: '^sshd:\s*ALL', content: "sshd: ALL" }
   loop_control:
     label: "{{ item.content }}"