I am really having a very Monday Monday today and am just having a fit with my regex. I’m working on implementing part of the DISA STIG for RHEL 9 and need to edit /etc/bashrc, specifically:
```sh
# Set default umask for non-login shell only if it is set to 0
[ `umask` -eq 0 ] && umask 022
```
I need to change that “umask 022” to “umask 077” and I’ve gotten as far as this:
```yaml
- name: RHEL-09-412055 | RHEL 9 must define default permissions for the bash shell
  ansible.builtin.lineinfile:
    path: /etc/bashrc
    regexp: '\sumask\s\d{3}'
    # keep the backticks around umask: without them the test compares the
    # literal word "umask" to 0 and the umask call never runs
    line: '[ `umask` -eq 0 ] && umask 077'
```
But then I realized that the regexp and replacement aren’t idempotent, and since then my brain has just decided to go on a little vacation by itself.
I was thinking about some sort of capture group and then something saying “if != ‘077’,” but I think I completely lost the plot at that point.
Thank you for any help on this Mondayest of Mondays.
I think you are on the right track. If you can read the file into memory, you should be able to grep to confirm whether the entry exists in the file or not before actually making the change.
What makes you think the regex and replacement aren’t idempotent?
I just ran your task twice. The first time it changes the line as expected. The second time it makes no change.
I think it’s right, but feel free to persuade me otherwise.
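Added example (mine, not code from the thread and not the lineinfile module itself): a small Python model of how ansible.builtin.lineinfile applies a regexp, since the module is Python and does a per-line re.search, keeps only the last match, and with backrefs expands the line template via match.expand. It runs the original post's unanchored `\sumask\s\d{3}` pattern and an anchored capture-group version against a constructed /etc/bashrc fragment, and checks idempotency the way the reply above did, by applying the edit twice. Assumptions: the stock RHEL 9 line is `[ \`umask\` -eq 0 ] && umask 022` with backticks that the forum formatting dropped from the quoted post, and the second sample's extra `umask 002` block is constructed to show the reach of the unanchored pattern, not a claim about the real file.

```python
import re

# Constructed sample of the umask lines in a RHEL 9 /etc/bashrc (trimmed; the
# real file is much longer). The stock line wraps umask in backticks.
SAMPLE_BASHRC = (
    "  if ! shopt -q login_shell ; then # We're not a login shell\n"
    "    # Set default umask for non-login shell only if it is set to 0\n"
    "    [ `umask` -eq 0 ] && umask 022\n"
    "  fi\n"
)

# Constructed variant with an unrelated umask line, to show what an unanchored
# pattern picks up. This block is invented for the demo, not taken from RHEL 9.
SAMPLE_WITH_EXTRA = SAMPLE_BASHRC + (
    "  if [ $UID -gt 199 ]; then\n"
    "     umask 002\n"
    "  fi\n"
)

# The pattern and replacement line from the original post (backrefs: false).
OP_RE = re.compile(r"\sumask\s\d{3}")
OP_LINE = "[ `umask` -eq 0 ] && umask 077"

# Anchored pattern with a capture group: group 1 keeps the test untouched and
# only the three-digit mode is rewritten. With backrefs: true Ansible expands
# the line template with Python's match.expand(), so \g<1> is the unambiguous
# way to write "group 1 followed by 077" (\1077 would mean group 1077).
UMASK_RE = re.compile(r"^(\s*\[ `umask` -eq 0 \] && umask )[0-7]{3}\s*$")
LINE_TEMPLATE = r"\g<1>077"


def matching_lines(text, pattern):
    """Lines a lineinfile regexp would match (re.search, line by line)."""
    return [ln for ln in text.split("\n") if pattern.search(ln)]


def lineinfile_replace(text, pattern, line):
    """Model of lineinfile with state=present and backrefs=false: the LAST
    matching line is replaced by `line` verbatim (indentation included);
    if nothing matches, `line` is appended at EOF. Returns (new_text, changed)."""
    lines = text.split("\n")
    hits = [i for i, ln in enumerate(lines) if pattern.search(ln)]
    if not hits:
        tail = "" if text.endswith("\n") else "\n"
        return text + tail + line + "\n", True
    i = hits[-1]
    changed = lines[i] != line
    lines[i] = line
    return "\n".join(lines), changed


def lineinfile_backrefs(text, pattern, template):
    """Model of lineinfile with state=present and backrefs=true: the LAST
    matching line becomes match.expand(template); with no match the file is
    left alone instead of getting a line appended. Returns (new_text, changed)."""
    lines = text.split("\n")
    hits = [i for i, ln in enumerate(lines) if pattern.search(ln)]
    if not hits:
        return text, False
    i = hits[-1]
    new_line = pattern.search(lines[i]).expand(template)
    changed = new_line != lines[i]
    lines[i] = new_line
    return "\n".join(lines), changed


def enforce_umask_077(text):
    """The RHEL-09-412055 edit with the anchored pattern: flip the mode on the
    non-login-shell default line to 077 and touch nothing else."""
    return lineinfile_backrefs(text, UMASK_RE, LINE_TEMPLATE)


def idempotency_check(text, edit=enforce_umask_077):
    """Apply an edit twice, like running the task twice. Expected result for an
    idempotent task: (changed on run 1, not changed on run 2, same output)."""
    once, changed1 = edit(text)
    twice, changed2 = edit(once)
    return changed1, changed2, once == twice


def op_edit(text):
    """The original post's task, modelled with backrefs=false."""
    return lineinfile_replace(text, OP_RE, OP_LINE)


if __name__ == "__main__":
    print(enforce_umask_077(SAMPLE_BASHRC)[0])
    print("anchored task idempotent:", idempotency_check(SAMPLE_BASHRC))
    print("original task idempotent:", idempotency_check(SAMPLE_BASHRC, op_edit))
    print("unanchored hits:", matching_lines(SAMPLE_WITH_EXTRA, OP_RE))
    print("anchored hits:", matching_lines(SAMPLE_WITH_EXTRA, UMASK_RE))
```

Both edits come out idempotent on the quoted file: the second pass finds a line that already reads `umask 077` and changes nothing, which is what the reply observed. The differences show up on the second sample: the unanchored pattern also matches the constructed `umask 002` line, and because lineinfile replaces only the last match, the original task would overwrite that line with the full `[ \`umask\` -eq 0 ] && umask 077` text (indentation lost) while leaving `umask 022` in place. The equivalent Ansible task for the anchored version sets `regexp` to the `UMASK_RE` pattern, `line: '\g<1>077'` and `backrefs: true`; with `backrefs` the module leaves a file that lacks the line untouched rather than appending to it.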
For about 90% of the STIG settings, you can use the OpenSCAP workbench and it will dump you an Ansible option for the STIG setting. You probably don’t want to use the full STIG raw Ansible dump (it is scary, like real scary). But it is great for finding individual settings.