From 154762f71d9392a7f4fa094d41b48cc98b011f83 Mon Sep 17 00:00:00 2001
From: Dmitriy Rabotyagov
Date: Mon, 29 Jan 2024 17:24:06 +0100
Subject: [PATCH] Use replace module instead of lineinfile for disabling dynamic motd

Lineinfile module can manage only single occurance of line in the file, while pam.d/sshd contains multiple occurances of pam_motd which results in not disabling it fully. In order to properly comment out/uncomment all occurances replace module should be used instead.

Change-Id: I73babb2431d4fda5aa90d9a1e230c1796449c0fc
(cherry picked from commit db284ddf93dae00fecec76618cb1f743101019de)
---
 tasks/rhel7stig/sshd.yml | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/tasks/rhel7stig/sshd.yml b/tasks/rhel7stig/sshd.yml
index bae6f935..661696e4 100644
--- a/tasks/rhel7stig/sshd.yml
+++ b/tasks/rhel7stig/sshd.yml
@@ -148,10 +148,9 @@
 - sshd
 - V-72257
 
-- name: Remove motd from pam.d
- lineinfile:
+- name: Manage motd in pam.d
+ replace:
 path: /etc/pam.d/sshd
 regexp: '^(#\s)?(session\s*optional\s*pam_motd.so.*)$'
- line: '{{ (security_sshd_dynamic_banner_disable | bool) | ternary("# \2", "\2") }}'
- backrefs: yes
+ replace: '{{ (security_sshd_dynamic_banner_disable | bool) | ternary("# \2", "\2") }}'
 when: security_sshd_dynamic_banner_disable | bool
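Review bot: The unchanged `when: security_sshd_dynamic_banner_disable | bool` guard on the last line of the hunk means the task only runs when the variable is true, so the `"\2"` (uncomment) branch of the ternary in the new `replace:` value can never be taken. The new name "Manage motd in pam.d" and the commit message both suggest that uncommenting works, but a host that was hardened and then had the variable set back to false keeps its pam_motd lines commented. Either drop the `when:` so both directions are applied, or keep the guard and make the task one-way and explicit with `replace: '# \2'` under a name such as `Disable dynamic motd in pam.d`. Separately, the pattern is anchored at `^` with no allowance for leading whitespace, so an active pam_motd entry that is indented would presumably be left enabled without any failure being reported. A follow-up check that no uncommented `pam_motd.so` line remains in `/etc/pam.d/sshd` would catch that.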