Rule 5.4.2 makes changes that cannot pass the test for the rule itself #80

Closed
kdebisschop opened this issue Apr 18, 2023 · 1 comment
Labels
bug Something isn't working
@kdebisschop

Describe the Issue
Rule 5.4.2 looks for a pattern in /etc/pam.d/common-auth and changes a line to meet a regular expression. But the line it is changed to is not consistent with the line it is searching for, so it will result in multiple lines addressing the same concern.

The test looks for regexp

^auth\s+required pam_tally2 .*onerr=fail.*

But it inserts:

auth required pam_tally2.so {{ ubtu20cis_pamtally2_login_opts }}

Since the insert "pam_tally2.so[:space:]" can never match the search "pam_tally2[:space:]", the PATCH will apply every time the rule is run.

Expected Behavior
If a matching line is found, it is updated to the specified content rather than inserting a new line

Actual Behavior
A new line gets inserted which does not match the test expression (in worst case, this new line will get inserted on every test run).

Control(s) Affected
5.4.2

Environment (please complete the following information):

  • Ansible Version: 2.14.4
  • Host Python Version: 3.8.10
  • Ansible Server Python Version: 3.11.2
  • Additional Details:

Additional Notes
Anything additional goes here

Possible Solution
Make regex match the inserted line.

PR coming.
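The mismatch reported above can be reproduced offline with a simplified model of a `lineinfile`-style task; this is an added example, not code from the issue or from the project. The option string, the sample file contents, the "aligned" pattern and the helper names are assumptions made for illustration, and the aligned pattern is not the fix merged in PR #83.

```python
import re

# Regexp and line as quoted in the issue. OPTS is a constructed stand-in for
# {{ ubtu20cis_pamtally2_login_opts }}, whose value the page does not show.
OPTS = "onerr=fail audit silent deny=5 unlock_time=900"
LINE = f"auth required pam_tally2.so {OPTS}"
REGEXP_REPORTED = r"^auth\s+required pam_tally2 .*onerr=fail.*"
# Hypothetical pattern that also matches the line the task writes.
REGEXP_ALIGNED = r"^auth\s+required\s+pam_tally2\.so\s+.*onerr=fail.*"

# Constructed /etc/pam.d/common-auth content with an older pam_tally2 entry.
SAMPLE = [
    "auth [success=1 default=ignore] pam_unix.so nullok",
    "auth required pam_tally2.so onerr=fail deny=3",
    "auth requisite pam_deny.so",
]


def matches_own_line(regexp, line):
    """Lint check: a task's regexp should match the line the task writes."""
    return re.search(regexp, line) is not None


def lineinfile(lines, regexp, line):
    """Simplified model (an assumption of this example): replace the last
    line matching regexp, otherwise append line unless it is already there."""
    pattern = re.compile(regexp)
    hits = [i for i, text in enumerate(lines) if pattern.search(text)]
    out = list(lines)
    if hits:
        out[hits[-1]] = line
    elif line not in out:
        out.append(line)
    return out


def tally_entries(lines):
    """Count the lines that configure pam_tally2."""
    return sum("pam_tally2" in text for text in lines)


if __name__ == "__main__":
    for name, rx in (("reported", REGEXP_REPORTED), ("aligned", REGEXP_ALIGNED)):
        result = lineinfile(SAMPLE, rx, LINE)
        print(name, matches_own_line(rx, LINE), tally_entries(result))
```

With the reported pattern the older `pam_tally2.so` entry is left in place and a second entry is appended, so two lines configure the same control; with a pattern that matches its own output the existing entry is rewritten in place.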

@MrSteve81

This has been added to devel branch from PR [#83]. Please feel free to test it out and get back to us.
