From dc95662250817f1fb6fef05a9361ca4cc0094cc0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bart=C5=82omiej=20Sawicki?=
Date: Mon, 7 Oct 2019 22:53:34 +0200
Subject: [PATCH] fix 5.4.4 to be valid with current CIS (#46)
---
 tasks/section5.yml | 39 ++++++++++++++++++++++-----------------
 1 file changed, 22 insertions(+), 17 deletions(-)
diff --git a/tasks/section5.yml b/tasks/section5.yml
index 0020c25..25beb91 100644
--- a/tasks/section5.yml
+++ b/tasks/section5.yml
@@ -580,24 +580,29 @@
 - name: "SCORED | 5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive"
 block:
+ - name: "SCORED | 5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive - /etc/bash.bashrc"
+ lineinfile:
+ state: present
+ dest: /etc/bash.bashrc
+ create: true
+ regexp: '^umask '
+ line: 'umask 027'
- - name: "SCORED | 5.4.4 | PATCH | Check if bashrc exists"
- stat:
- path: "/etc/bashrc"
- register: bashrc_present
-
- - name: "SCORED | 5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive - /etc/bashrc"
- replace:
- path: /etc/bashrc
- regexp: '(^\s+umask) 002'
- replace: '\1 027'
- when: bashrc_present.stat.exists
-
- - name: "SCORED | 5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive - /etc/profile"
- replace:
- path: /etc/profile
- regexp: '(^\s+umask) 002'
- replace: '\1 027'
+ - name: "SCORED | 5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive - /etc/profile"
+ lineinfile:
+ state: present
+ dest: /etc/profile
+ create: true
+ regexp: '^umask '
+ line: 'umask 027'
+
+ - name: "SCORED | 5.4.4 | PATCH | Ensure default user umask is 027 or more restrictive - /etc/profile.d/99-umask.sh"
+ lineinfile:
+ state: present
+ dest: /etc/profile.d/99-umask.sh
+ create: true
+ regexp: '^umask '
+ line: 'umask 027'
 when:
 - ubuntu1804cis_rule_5_4_4
 tags: