ansible-lockdown · DianaMariaDDM · Dec 6, 2023 · Dec 6, 2023 · Dec 6, 2023 · Dec 6, 2023
diff --git a/tasks/section_4/cis_4.6.x.yml b/tasks/section_4/cis_4.6.x.yml
@@ -89,17 +89,22 @@
 
 - name: "4.6.5 | PATCH | Ensure default user umask is 027 or more restrictive"
   block:
-      - name: "4.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/login.defs pam_umask settings"
+      - name: "4.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/login.defs and /etc/profile"
         ansible.builtin.lineinfile:
             path: "{{ item.path }}"
-            regexp: '(?i)(umask\s*)'
+            regexp: '(?i)(umask\s*\d\d\d)'
-            regexp: '(?i)(umask\s*\d\d\d)'
+            regexp: '(?i)^\s*umask\s*\d{3,4}'
-            regexp: '(?i)(umask\s*\d\d\d)'
+            regexp: '(?i)^\s*umask\s*\d{3,4}'
             line: '{{ item.line }} 027'
         with_items:
-            - { path: '/etc/bashrc', line: 'umask' }
             - { path: '/etc/profile', line: 'umask' }
             - { path: '/etc/login.defs', line: 'UMASK' }
 
-      - name: "4.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc"
+      - name: "4.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc" 
+        ansible.builtin.replace:
+            path: /etc/bashrc
+            regexp: '\s+umask\s*\d\d\d'
-            regexp: '\s+umask\s*\d\d\d'
+            regexp: '^\s*umask\s*\d{3,4}'
-            regexp: '\s+umask\s*\d\d\d'
+            regexp: '^\s*umask\s*\d{3,4}'
+            replace: '\numask 027'
-            replace: '\numask 027'
+            replace: 'umask 027'
-            replace: '\numask 027'
+            replace: 'umask 027'
+
+      - name: "4.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Editing USERGROUPS_ENAB"
         ansible.builtin.lineinfile:
             path: /etc/login.defs
             regexp: '^USERGROUPS_ENAB'