Patch ansible remediation for postfix_network_listening_disabled rule #14394
Skipping CI for Draft Pull Request.
This datastream diff is auto generated by the check.
ansible remediation for rule 'xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled' differs.
--- xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled
+++ xccdf_org.ssgproject.content_rule_postfix_network_listening_disabled
@@ -20,9 +20,34 @@
tags:
- always
-- name: Gather list of packages
- ansible.builtin.package_facts:
- manager: auto
+- name: Make changes to Postfix configuration file
+ block:
+
+ - name: Check for duplicate values
+ ansible.builtin.lineinfile:
+ path: /etc/postfix/main.cf
+ create: false
+ regexp: (?i)^inet_interfaces\s*=\s*.*$
+ state: absent
+ check_mode: true
+ changed_when: false
+ register: dupes
+
+ - name: Deduplicate values from /etc/postfix/main.cf
+ ansible.builtin.lineinfile:
+ path: /etc/postfix/main.cf
+ create: false
+ regexp: (?i)^inet_interfaces\s*=\s*.*$
+ state: absent
+ when: dupes.found is defined and dupes.found > 1
+
+ - name: Insert correct line to /etc/postfix/main.cf
+ ansible.builtin.lineinfile:
+ path: /etc/postfix/main.cf
+ create: false
+ regexp: (?i)^inet_interfaces\s*=\s*.*$
+ line: inet_interfaces = {{ var_postfix_inet_interfaces }}
+ state: present
when:
- '"kernel-core" in ansible_facts.packages'
- '"postfix" in ansible_facts.packages'
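Review bot: the block's `when:` at the end of the hunk still depends on `ansible_facts.packages`, yet the hunk deletes the `Gather list of packages` / `ansible.builtin.package_facts` task; this is only safe if the facts task whose `tags: - always` opens the hunk is the one that remains in the generated playbook, so please confirm in the full datastream diff that exactly one `package_facts` task survives and that the block is not evaluated before it. A second, smaller point: the `Check for duplicate values` task uses `state: absent` under `check_mode: true` purely to obtain `dupes.found`, which `lineinfile` reports only for `state: absent`; that is correct, but at first glance it reads like a delete task, so a comment in the macro saying it is a counting step (and that `changed_when: false` keeps it out of the change report) would spare the next reader the same double-take.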
@@ -39,29 +64,3 @@
- no_reboot_needed
- postfix_network_listening_disabled
- restrict_strategy
-
-- name: Make changes to Postfix configuration file
- ansible.builtin.lineinfile:
- path: /etc/postfix/main.cf
- create: false
- regexp: (?i)^inet_interfaces\s*=\s.*
- line: inet_interfaces = {{ var_postfix_inet_interfaces }}
- state: present
- insertafter: ^inet_interfaces\s*=\s.*
- when:
- - '"kernel-core" in ansible_facts.packages'
- - '"postfix" in ansible_facts.packages'
- - '"postfix" in ansible_facts.packages'
- tags:
- - CCE-82174-4
- - NIST-800-53-CM-6(a)
- - NIST-800-53-CM-7(a)
- - NIST-800-53-CM-7(b)
- - PCI-DSSv4-1.4
- - PCI-DSSv4-1.4.2
- - low_complexity
- - low_disruption
- - medium_severity
- - no_reboot_needed
- - postfix_network_listening_disabled
- - restrict_strategy |
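Review bot: the removed task listed `'"postfix" in ansible_facts.packages'` twice under `when:`, so whatever emits the platform conditions is producing a duplicate; check that the replacement block's `when:` in the first hunk does not inherit it. Also worth noting for the commit message: the old `regexp: (?i)^inet_interfaces\s*=\s.*` required at least one whitespace character after `=`, so a line such as `inet_interfaces=all` would not have matched and the task would have appended a second `inet_interfaces` line through `insertafter` instead of replacing it; the new `\s*` pattern plus the dedupe step is what closes that gap, and saying so makes the reason for the rewrite clear.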
…e file with desired config
c324a3f to 27b19ee
@teacup-on-rockingchair: The following test failed, say
@jan-cerny can you please take a look at this one |
Can anyone else from the @ComplianceAsCode/trusted-developers take a look at this, since obviously @jan-cerny is busy and it has been 2 months since this review is pending? |
Sorry for the delay. I assume we were waiting on @svet-se since they were assigned to it. |