From 984c685aed18f8546e2e8f8fab0e248febc3dcb9 Mon Sep 17 00:00:00 2001
From: Vojtech Polasek
Date: Mon, 20 Jan 2025 15:39:20 +0100
Subject: [PATCH] update ansible remediation

---
 .../ansible/shared.yml | 28 +++++++++++++++++--
 1 file changed, 25 insertions(+), 3 deletions(-)

diff --git a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/ansible/shared.yml
index 6fdd0d47ebe..81cadaf47d6 100644
--- a/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-physical/require_singleuser_auth/ansible/shared.yml
@@ -5,7 +5,7 @@
 # disruption = low
 
 {{% if 'rhel' not in product and product != 'fedora' %}}
-- name: Require single user mode password
+- name: "{{{ rule_title }}} - Require single user mode password"
   lineinfile:
     create: yes
     dest: /usr/lib/systemd/system/rescue.service
@@ -16,10 +16,32 @@
     line: 'ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"'
 {{%- endif %}}
 {{% else %}}
+- name: "{{{ rule_title }}} - find files which already override Execstart of rescue.service"
+  ansible.builtin.find:
+    paths: "/etc/systemd/system/rescue.service.d"
+    patterns: "*.conf"
+    contains: '^\s*ExecStart=.*$'
+  register: rescue_service_overrides_found
+
+- name: "{{{ rule_title }}} - set files containing ExecStart overrides as target"
+  ansible.builtin.set_fact:
+    rescue_service_remediation_target_file: "{{ rescue_service_overrides_found.files | map(attribute='path') | list }}"
+  when: rescue_service_overrides_found.matched is defined and rescue_service_overrides_found.matched > 0
+
+- name: "{{{ rule_title }}} - set default target for rescue.service override"
+  ansible.builtin.set_fact:
+    rescue_service_remediation_target_file:
+      - "/etc/systemd/system/rescue.service.d/10-oscap.conf"
+  when: rescue_service_overrides_found.matched is defined and rescue_service_overrides_found.matched == 0
+
 - name: "{{{ rule_title }}} - Require emergency user mode password"
   community.general.ini_file:
-    path: "/etc/systemd/system/rescue.service.d/10-oscap.conf"
+    path: "{{ item }}"
     section: "Service"
     option: "ExecStart"
-    value: "-/usr/lib/systemd/systemd-sulogin-shell rescue"
+    values:
+      - ""
+      - "-/usr/lib/systemd/systemd-sulogin-shell rescue"
+  loop: "{{ rescue_service_remediation_target_file }}"
+
 {{% endif %}}
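Review bot: The new `ansible.builtin.find` task only reconciles drop-ins under `/etc/systemd/system/rescue.service.d`, so a drop-in in another unit search path (for example `/run/systemd/system/rescue.service.d`) that sets `ExecStart=` and sorts lexically after the patched file would, as far as I can tell, still win and leave rescue mode without sulogin; a comment such as `# only /etc drop-ins are reconciled; drop-ins in /run or /usr/lib are not inspected` above the find task would make that limit explicit for auditors. The split into two `set_fact` tasks leaves `rescue_service_remediation_target_file` undefined whenever the find result carries no `matched` key, and the `loop:` on the ini_file task then fails on an undefined variable rather than falling back to the default file; a single unconditional `set_fact` with `rescue_service_remediation_target_file: "{{ (rescue_service_overrides_found.files | default([]) | map(attribute='path') | list) or ['/etc/systemd/system/rescue.service.d/10-oscap.conf'] }}"` covers both branches and the undefined case. The `values:` parameter of `community.general.ini_file` is a fairly recent addition to that collection (7.1.0, if I recall correctly), so the remediation now depends on a minimum collection version that the rule does not declare. Nothing runs `systemctl daemon-reload` after the drop-ins change, although the pre-existing task did not either, so the new ExecStart only takes effect on the next reload or boot.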