
5.4.4 | Ensure default user umask is 027 or more restrictive task assumes umask already present in bash.rc #27

Closed
jrbeilke opened this issue Apr 9, 2021 · 1 comment · Fixed by #34

Comments


jrbeilke commented Apr 9, 2021

The task for this CIS criterion uses `replace`, assuming that there is already a umask setting in /etc/bash.bashrc and /etc/profile, but does not add the umask setting if it's missing (it seems to be missing in bash.rc on a fresh Ubuntu 18.04 install), i.e.:

```yaml
- name: "SCORED | 5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive"
  replace:
    path: "{{ item }}"
    regexp: '(^\s+umask) 002'
    replace: '\1 027'
  with_items:
    - /etc/bash.bashrc
    - /etc/profile
```

An update is needed to ensure that the proper umask setting is added to these files if one does not already exist.


jrbeilke commented Apr 9, 2021

FYI here is an example from the GSA of how they handle this criterion in their role using `lineinfile`:
https://github.com/GSA/ansible-os-ubuntu18/blob/master/tasks/section5.yml#L731

```yaml
- name: "SCORED | 5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive - /etc/bash.bashrc"
  lineinfile:
    state: present
    dest: /etc/bash.bashrc
    create: true
    regexp: '^umask '
    line: 'umask 027'
```
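Neither snippet above covers every file state on its own: the `replace` task only rewrites an indented `umask 002`, and the `lineinfile` task's `regexp: '^umask '` does not match an indented umask line (the very line `replace` targets), so on such a file it would append a second, unindented `umask 027` and leave the original `umask 002` in place for an auditor to find. The POSIX sh below is an added example, not code from this issue, from the role, or from the GSA role. It does what the fixed task needs to do, in a form that can be run and checked outside Ansible: rewrite any active umask line that is weaker than 027 (keeping its indentation), leave stricter values such as 077 alone, and append `umask 027` when the file has no umask line at all, which is the case the issue reports. The function names (`umask_compliant`, `file_umask`, `ensure_umask`, `demo_run`) and the sample file contents are my own; the compliance rule (group digit must clear the write bit, others digit must be 7, owner digit unconstrained) is my reading of "027 or more restrictive".

```shell
# Added example (not the role's or the issue author's code): POSIX sh
# equivalent of "ensure default user umask is 027 or more restrictive".

# umask_compliant VALUE: succeed if VALUE is 027 or more restrictive.
# Assumed rule: 3 or 4 octal digits, group digit has the write bit (2)
# set, others digit is 7. The owner digit is not constrained.
umask_compliant() {
    v=$1
    case "$v" in
        [0-7][0-7][0-7]|[0-7][0-7][0-7][0-7]) ;;
        *) return 1 ;;
    esac
    other=${v#"${v%?}"}           # last digit
    head=${v%?}
    group=${head#"${head%?}"}     # second-to-last digit
    [ "$other" = 7 ] && [ $((group & 2)) -eq 2 ]
}

# file_umask FILE: print the value of the last active umask line, i.e. the
# one that takes effect when the file is sourced; print nothing if none.
file_umask() {
    awk '$1 == "umask" && $2 ~ /^[0-7]+$/ { v = $2 } END { print v }' "$1"
}

# ensure_umask FILE [WANT]: rewrite every active umask line weaker than
# WANT (default 027) to WANT, keeping its indentation; leave stricter
# lines alone; append "umask WANT" if FILE has no umask line at all.
# Creates FILE if missing (like lineinfile's create: true).
ensure_umask() {
    f=$1; want=${2:-027}; found=0
    tmp=$(mktemp) || return 1
    [ -f "$f" ] || : > "$f"
    while IFS= read -r line || [ -n "$line" ]; do
        if printf '%s\n' "$line" | grep -Eq '^[[:space:]]*umask[[:space:]]+[0-7]+'; then
            found=1
            cur=$(printf '%s\n' "$line" | sed -E 's/^[[:space:]]*umask[[:space:]]+([0-7]+).*/\1/')
            umask_compliant "$cur" ||
                line=$(printf '%s\n' "$line" | sed -E "s/^([[:space:]]*umask[[:space:]]+)[0-7]+/\1$want/")
        fi
        printf '%s\n' "$line"
    done < "$f" > "$tmp"
    [ "$found" -eq 1 ] || printf 'umask %s\n' "$want" >> "$tmp"
    # Copy back rather than mv: keeps the target's owner and mode. mv would
    # install mktemp's 0600 file, making /etc/profile unreadable to users.
    cat "$tmp" > "$f"
    rm -f "$tmp"
}

# demo_run: exercise the functions on constructed stand-ins for the two
# files in a temporary directory, never on the real /etc files.
demo_run() {
    d=$(mktemp -d) || return 1
    printf '# constructed stand-in for a fresh bash.bashrc: no umask line\nPS1=...\n' > "$d/bash.bashrc"
    printf 'if [ "$PS1" ]; then\n\tumask 002\nfi\n' > "$d/profile"
    for target in "$d/bash.bashrc" "$d/profile"; do
        ensure_umask "$target"
        printf '%s -> umask %s\n' "$target" "$(file_umask "$target")"
    done
    rm -rf "$d"
}

if [ "${1-}" = "--demo" ]; then demo_run; fi
```

Run it as `sh script.sh --demo` to see both constructed files end up with `umask 027`; point `ensure_umask` at the real files only as root and after reviewing them, since the function rewrites the file in place. A second run makes no changes, which is the idempotence the Ansible task should also have.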

georgenalen added a commit that referenced this issue Apr 9, 2021
Signed-off-by: George Nalen <georgen@mindpointgroup.com>
This was referenced Apr 12, 2021
@georgenalen georgenalen linked a pull request Apr 14, 2021 that will close this issue
uk-bolly pushed a commit that referenced this issue Sep 20, 2023
Signed-off-by: George Nalen <georgen@mindpointgroup.com>