Task 1.4.2 Ensure authentication required for single user mode

[msachikanta]

Describe the Issue The following tasks are getting updated incorrectly as compared to CIS Workbench Documentation:

- name: "1.4.2 | PATCH | Ensure authentication required for single user mode | Emergency service"
  lineinfile:
      dest: /usr/lib/systemd/system/emergency.service
      regexp: '/sbin/sulogin'
      line: 'ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default'

- name: "1.4.2 | PATCH | Ensure authentication required for single user mode | Rescue service"
  lineinfile:
      dest: /usr/lib/systemd/system/rescue.service
      regexp: '/sbin/sulogin'
      line: 'ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default'

As per CIS Workbench (https://workbench.cisecurity.org/sections/839924/recommendations/1379214):

Remediation Procedure

Edit /usr/lib/systemd/system/rescue.service and /usr/lib/systemd/system/emergency.service and set ExecStart to use /sbin/sulogin or /usr/sbin/sulogin:

ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"

Expected Behavior It suppose to update the rescue.service and emergency.service files with following line:

ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"

Actual Behavior It is updating the rescue.service and emergency.service files with following line:

ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default

Environment (please complete the following information):

• branch: Tag 1.2.1

Additional Notes If this change can be implemented, that will help us with fixing our Chef Inspec issues.

Possible Solution In order to fix the issue, in task 1.4.2, the following line:

ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default

can be replaced with:

ExecStart=-/bin/sh -c "/sbin/sulogin; /usr/bin/systemctl --fail --no-block default"