From 2511f5af64c144298a1296dd6566d46e04737bea Mon Sep 17 00:00:00 2001 From: Mark Bolwell Date: Fri, 23 Feb 2024 14:44:02 +0000 Subject: [PATCH] 4.6.5 related to #27 thanks to @DianaMariaDDM Signed-off-by: Mark Bolwell --- tasks/section_4/cis_4.6.x.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/tasks/section_4/cis_4.6.x.yml b/tasks/section_4/cis_4.6.x.yml index 9e6e32a..67a4046 100644 --- a/tasks/section_4/cis_4.6.x.yml +++ b/tasks/section_4/cis_4.6.x.yml @@ -90,14 +90,14 @@ - name: "4.6.5 | PATCH | Ensure default user umask is 027 or more restrictive" block: - name: "4.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/login.defs pam_umask settings" - ansible.builtin.lineinfile: - path: "{{ item.path }}" - regexp: '(?i)(umask\s*)' - line: '{{ item.line }} 027' - with_items: - - { path: '/etc/bashrc', line: 'umask' } - - { path: '/etc/profile', line: 'umask' } - - { path: '/etc/login.defs', line: 'UMASK' } + ansible.builtin.replace: + path: "{{ item }}" + regexp: ^(?i)(\s*umask)\s+(?!\d*[2,7]7)\d{3,4} + replace: '\1 027' + loop: + - /etc/bashrc + - /etc/profile + - /etc/login.defs - name: "4.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc" ansible.builtin.lineinfile:
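Review bot: The new `regexp` on the `ansible.builtin.replace` task places the `(?i)` inline flag after the `^` anchor; Python's `re` module, which the replace module uses to compile `regexp`, has rejected a global inline flag that is not at the very start of the pattern since 3.11 (`re.error: global flags not at the start of the expression`), so on a current control node this task fails instead of remediating anything. Move the flag to the front, drop the stray comma inside the character class (`[2,7]` is a literal `2`, `,` or `7`, not a range), and quote the scalar so YAML does not reinterpret the backslashes or braces: `regexp: '(?i)^(\s*umask)\s+(?!\d*[27]7)\d{3,4}'`. Note also that the negative lookahead only spares values ending in `27` or `77`, so already-compliant masks such as `037` or `057` are rewritten to `027`, and `replace` writes nothing when a file has no umask line at all, whereas the removed lineinfile appended one; the following "Set umask for /etc/bashrc" lineinfile task, whose body starts in the hunk and continues past it, may be what covers the missing-line case, but that should be confirmed for /etc/profile and /etc/login.defs too.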