
Issue with Task 4.4.3.4.1 Ensure pam_unix does not include nullok

Open msachikanta opened this issue 2 months ago • 2 comments

Describe the Issue

Noticed the regex is not updating the values properly in /etc/pam.d/password-auth and /etc/pam.d/system-auth.

The ansible.builtin.replace section of Task 4.4.3.4.1 seems not to be working as expected.

- name: "4.4.3.4.1 | PATCH | Ensure pam_unix does not include nullok | pam_files"
  when:
      - discovered_pam_nullok.stdout | length > 0
      - not rhel8cis_allow_authselect_updates
  ansible.builtin.replace:
      path: "/etc/pam.d/{{ item }}-auth"
      regexp: ^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)nullok(.*$)
      replace: \1\2\3
  loop:
      - password
      - system

I could see it's updating the pam files as below:

password    sufficient                                   pam_unix.sosufficient sha512 shadow

The word sufficient is getting replaced with nullok, which should not be happening.

Expected Behavior

After updating the pam files, they should have the following line:

password    sufficient                                   pam_unix.so sha512 shadow

Actual Behavior

After updating the pam files, the line appears as below:

password    sufficient                                   pam_unix.sosufficient sha512 shadow

Environment (please complete the following information):

  • branch being used: [e.g. devel]

Additional Notes

Updating the regex can fix the issue.

Possible Solution

Here is my proposed solution. I have tested the fix, and it is working fine for me.

  ansible.builtin.replace:
      path: "/etc/pam.d/{{ item }}-auth"
      regexp: (^\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so\s+.*)(nullok)(\s*.*)$
      replace: \1\4

msachikanta, May 15 '24 09:05
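As an added illustration, not code from the issue or from the RHEL8-CIS project, the script below runs the reported regex and the proposed one through Python's re module, which is what ansible.builtin.replace uses, against a constructed system-auth fragment, and prints the capture groups to show why \1\2\3 glues "sufficient" onto pam_unix.so (the nested alternation is group 2, and the text after nullok is group 4). The STRICT_RE variant is my own assumption, not part of the issue: it matches nullok only as a whole token and removes the surrounding whitespace so no double space is left.

```python
import re

# Constructed sample /etc/pam.d/system-auth fragment (not copied from a real host).
SAMPLE_PAM = "\n".join([
    "password    requisite     pam_pwquality.so try_first_pass local_users_only",
    "password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass",
    "password    required      pam_deny.so",
])

# Regex/replacement pair from the task as reported in the issue.
ORIGINAL_RE = r"^(\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so)(.*)nullok(.*$)"
ORIGINAL_REPL = r"\1\2\3"

# Regex/replacement pair from the fix proposed in the issue.
PROPOSED_RE = r"(^\s*password\s+(requisite|required|sufficient)\s+pam_unix\.so\s+.*)(nullok)(\s*.*)$"
PROPOSED_REPL = r"\1\4"

# Hypothetical stricter variant (my own, not from the issue): non-capturing keyword
# group, nullok matched only as a whole token, and the space before it consumed.
STRICT_RE = r"^(\s*password\s+(?:requisite|required|sufficient)\s+pam_unix\.so\b.*?)\s+nullok\b(.*)$"
STRICT_REPL = r"\1\2"


def apply_replace(content: str, regexp: str, repl: str) -> str:
    """Mimic ansible.builtin.replace: re.sub over the whole file with re.MULTILINE."""
    return re.sub(regexp, repl, content, flags=re.MULTILINE)


def capture_groups(regexp: str, line: str) -> dict:
    """Return {group number: matched text} for one line. With ORIGINAL_RE the nested
    (requisite|required|sufficient) is group 2, so \\1\\2\\3 re-inserts the control
    keyword right after pam_unix.so and drops group 4 (everything after nullok)."""
    m = re.match(regexp, line)
    return {n: m.group(n) for n in range(1, m.re.groups + 1)} if m else {}


def pam_unix_lines(content: str) -> list:
    """Pick out the pam_unix.so lines so the effect of each regex is easy to compare."""
    return [ln for ln in content.splitlines() if "pam_unix.so" in ln]


if __name__ == "__main__":
    for label, rx, rp in (("original", ORIGINAL_RE, ORIGINAL_REPL),
                          ("proposed", PROPOSED_RE, PROPOSED_REPL),
                          ("strict", STRICT_RE, STRICT_REPL)):
        print(label, pam_unix_lines(apply_replace(SAMPLE_PAM, rx, rp)))
    print(capture_groups(ORIGINAL_RE, pam_unix_lines(SAMPLE_PAM)[0]))
```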