Help with lineinfile

Archives Ansible Project
1

I’m having a problem wrapping my head around something. There are other solutions out there that would solve my problem, but in the interest in learning to do something different I’m hoping someone can point out what I’m doing wrong with the lineinfile module.

I grep a file for a line with a specific line. The file line is “auth required pam_faillock.so preauth silent deny=3 unlock_time=604800 fail_interval=900” and I want to verify that it’s there exactly. If it is there but not exact, I want to change it. If it’s missing I want to add it it a specific spot. The only way I’ve been able to make it works is search and delete any line with the word “pam_faillock.so” in it and then run the module to add the line where it should be. What I have below works, but every time I run it, it changes the file even if the line is correct of obvious reasons. Any suggestions? Am I using the wrong module to complete this task? Thanks for the help.

  • name: system-auth-ac - Delete current pam_faillock lines
    tags: [ ‘pam’ , ‘system-auth-ac’ , ‘common’ ]
    lineinfile: “dest=/etc/pam.d/system-auth-ac regexp=‘pam_faillock.so’ state=absent”

  • name: Configure system-auth-ac
    tags: [ ‘pam’ , ‘system-auth-ac’ , ‘common’ ]
    lineinfile: “dest=/etc/pam.d/system-auth-ac insertbefore=‘^auth sufficient pam_unix.so’ regexp={{ item.r }} line={{ item.l }}”
    with_items:

  • { r: ‘^auth required pam_faillock.so’, l: “{{ pam_faillock_pre }}” }

2

what being used on our side.

- name: track_failed_logins_with_pam_faillock - auth in /etc/pam.d
  lineinfile: 
    dest: "/etc/pam.d/{{ item }}"
    state: present
    regexp: '^auth\s+required\s+pam_faillock.so\s+preauth\s+silent\s+audit\s+deny={{ pam_faillock_deny }}\s+unlock_time={{ pam_faillock_unlock_time }}'
    line: "auth        required      pam_faillock.so preauth silent audit deny={{ pam_faillock_deny }} unlock_time={{ pam_faillock_unlock_time }}"
    insertbefore: '^auth\s+sufficient\s+pam_unix.so\s+nullok\s+try_first_pass.*'
  with_items:
    - 'system-auth-ac'
    - 'password-auth-ac'
  tags:
    - faillock5
3

Thanks very much Philippe for the post. That’s exactly what I’m trying to do. I’m still having an issue though with what you have below. If I change one of the variables, pam_fallock_unlock_time for example, it just adds another line instead of replacing the line. So I end up with two pam_faillock.so lines. I’m tinkering with it though. This gives me a good lead on what direction to look though. Thanks again!

4

Mike,

Glad it helped a bit and thanks for pointing the current limitation, I will also see how to address it.

Generally we are leveraging the lineinfile module when working in remediation context where we want
to change one of the settings and not the whole file (in that later case the template module is better)

In that case this is more for original settings of the pam stack, and we do not generally change the values after.
So was good enough for us.
But making remediation generic enough can be hard, as shown by this case.

Thanks

Phil

5

Phil,

I need to learn more about how temples work because there are several things where it would be most useful. It’s a little confusing to me at the moment.

I wanted to just update this thread that when I shortened the regexp line in your example (like I have below), it worked exactly right every time and stopped duplicating. So thanks again. :slight_smile:

regexp: ‘^auth\s+required\s+pam_faillock.so’

Mike