Patch ansible remediation for postfix_network_listening_disabled rule by teacup-on-rockingchair · Pull Request #14394 · ComplianceAsCode/content
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled' differs. --- xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled +++ xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled @@ -20,9 +20,34 @@ tags: - always -- name: Gather list of packages - ansible.builtin.package_facts: - manager: auto +- name: Make changes to Postfix configuration file + block: + + - name: Check for duplicate values + ansible.builtin.lineinfile: + path: /etc/postfix/main.cf + create: false + regexp: (?i)^inet_interfaces\s*=\s*.*$ + state: absent + check_mode: true + changed_when: false + register: dupes + + - name: Deduplicate values from /etc/postfix/main.cf + ansible.builtin.lineinfile: + path: /etc/postfix/main.cf + create: false + regexp: (?i)^inet_interfaces\s*=\s*.*$ + state: absent + when: dupes.found is defined and dupes.found > 1 + + - name: Insert correct line to /etc/postfix/main.cf + ansible.builtin.lineinfile: + path: /etc/postfix/main.cf + create: false + regexp: (?i)^inet_interfaces\s*=\s*.*$ + line: inet_interfaces = {{ var_postfix_inet_interfaces }} + state: present when: - '"kernel-core" in ansible_facts.packages' - '"postfix" in ansible_facts.packages' 
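Review bot: The new block rewrites `inet_interfaces` in /etc/postfix/main.cf, but nothing in the hunk restarts Postfix, and Postfix only picks up a changed inet_interfaces value on a stop/start (a reload does not rebind the listeners), so a running daemon keeps its current network listeners after the remediation even though the rule is tagged `no_reboot_needed`. Unless a restart is handled outside this hunk, register the result of the "Insert correct line" task and follow it with a conditional `ansible.builtin.service` restart; note that `state: restarted` will also start a stopped Postfix, so gate it on the service being active if that side effect matters. The enclosing task's `tags` continue past the end of the hunk.

```yaml
    - name: Insert correct line to /etc/postfix/main.cf
      ansible.builtin.lineinfile:
        # … unchanged: path, create, regexp, line, state …
      register: inet_interfaces_line

    - name: Restart Postfix so the changed inet_interfaces value takes effect
      ansible.builtin.service:
        name: postfix
        state: restarted
      when: inet_interfaces_line is changed
```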
@@ -39,29 +64,3 @@ - no_reboot_needed - postfix_network_listening_disabled - restrict_strategy - -- name: Make changes to Postfix configuration file - ansible.builtin.lineinfile: - path: /etc/postfix/main.cf - create: false - regexp: (?i)^inet_interfaces\s*=\s.* - line: inet_interfaces = {{ var_postfix_inet_interfaces }} - state: present - insertafter: ^inet_interfaces\s*=\s.* - when: - - '"kernel-core" in ansible_facts.packages' - - '"postfix" in ansible_facts.packages' - - '"postfix" in ansible_facts.packages' - tags: - - CCE-82174-4 - - NIST-800-53-CM-6(a) - - NIST-800-53-CM-7(a) - - NIST-800-53-CM-7(b) - - PCI-DSSv4-1.4 - - PCI-DSSv4-1.4.2 - - low_complexity - - low_disruption - - medium_severity - - no_reboot_needed - - postfix_network_listening_disabled - - restrict_strategy