Merge pull request #59 from ansible-lockdown/issue_57

Issue 57
ansible-lockdown · Jul 13, 2022 · a35139d · a35139d
2 parents 79891b0 + b6fbb19
commit a35139d
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 3 deletions.
diff --git a/.DS_Store b/.DS_Store
diff --git a/defaults/main.yml b/defaults/main.yml
@@ -612,6 +612,11 @@ ubtu20cis_pass:
     warn_age: 7
     inactive: 30
 
+# Control 5.5.4
+# ubtu120cis_bash_umask is the umask to set in the /etc/bash.bashrc and /etc/profile. 
+# The value needs to be 027 or more restrictive to comply with CIS standards
+ubtu20cis_bash_umask: '027'
+
 # Control 5.5.5
 # Session timeout setting file (TMOUT setting can be set in multiple files)
 # Timeout value is in seconds. Set value to 900 seconds or less

diff --git a/tasks/section_5/cis_5.5.x.yml b/tasks/section_5/cis_5.5.x.yml
@@ -213,10 +213,10 @@
         when: ubtu20cis_5_5_4_umask_pam_status.stdout | length == 0
 
       - name: "AUTOMATED | 5.5.4 | PATCH | Ensure default user umask is 027 or more restrictive"
-        replace:
+        lineinfile:
             path: "{{ item }}"
-            regexp: '(?i)^((?!#)umask)\s+0[0,2,5][0,2,5]'
-            replace: '\1 027'
+            regexp: '^umask '
+            line: "umask {{ ubtu20cis_bash_umask }}"
         with_items:
             - /etc/bash.bashrc
             - /etc/profile