diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml
index 590123e..8fba898 100644
--- a/tasks/section_5/cis_5.6.x.yml
+++ b/tasks/section_5/cis_5.6.x.yml
@@ -98,11 +98,30 @@
       regexp: '^USERGROUPS_ENAB'
       line: USERGROUPS_ENAB no
 
-  - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Force umask sessions /etc/pam.d/system-auth"
-    ansible.builtin.lineinfile:
-      path: /etc/pam.d/system-auth
-      line: 'session required pam_umask.so'
-      insertafter: EOF
+  - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Add umask sessions for pamd"
+    community.general.pamd:
+      name: "{{ item }}"
+      type: session
+      control: required
+      module_path: pam_limits.so
+      new_type: session
+      new_module_path: pam_umask.so
+      new_control: optional
+      state: before
+    register: rhel9cis_pamd_umask_added
+    loop:
+    - system-auth
+    - password-auth
+
+  - name: "5.6.5 | AUDIT | Ensure default user umask is 027 or more restrictive | update umask settings if required"
+    ansible.builtin.replace:
+      path: "/etc/pam.d/{{ item }}"
+      regexp: ^(session\s+)(requisite|required)(\s+pam_umask.so)$
+      replace: \1optional\3
+    loop:
+    - system-auth
+    - password-auth
+
   when:
   - rhel9cis_rule_5_6_5
   tags:
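Review bot: The second new task is labelled `AUDIT` in its name but runs `ansible.builtin.replace` against `/etc/pam.d/{{ item }}`, so it rewrites the PAM stack (downgrading any `required`/`requisite` pam_umask line to `optional`); a run filtered to audit-only tasks would silently modify PAM, so it should read `- name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | update umask settings if required"`. The `community.general.pamd` insert is anchored on an exact `session required pam_limits.so` rule, so if that rule is missing or has a different control in either file nothing is inserted — presumably without an error — and the umask line would be absent without any signal; a follow-up assert on the file contents (or on `rhel9cis_pamd_umask_added`, which is registered but not used in this hunk) would catch that. Because the pamd module only guards against duplicating the rule immediately before the anchor, a host that already carries a pam_umask line elsewhere in the stack will likely end up with two, which is worth a note in the task. On RHEL 9 these two files are normally authselect-managed; if that is the case on the target, direct edits are presumably reverted by the next `authselect apply-changes`/`select`, so a comment pointing at a custom authselect profile (or a check of `authselect current`) would save the next maintainer a surprise. The enclosing block that this `when:`/`tags:` belongs to starts outside the hunk.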