From 88ffe32137c841e4c1d63f9d7020aaa81026edc3 Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Wed, 20 Dec 2023 21:58:49 +0200 Subject: [PATCH 01/14] Storing max_log_file under `rhel9cis_auditd` dict variable. Signed-off-by: Ionut Pruteanu --- defaults/main.yml | 11 ++--------- tasks/section_4/cis_4.1.2.x.yml | 2 +- 2 files changed, 3 insertions(+), 10 deletions(-) diff --git a/defaults/main.yml b/defaults/main.yml index 0bc0137..39d8691 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -525,26 +525,19 @@ rhel9cis_auditd: space_left_action: email action_mail_acct: root admin_space_left_action: halt + # The max_log_file parameter should be based on your sites policy. + max_log_file: 10 max_log_file_action: keep_logs # The audit_back_log_limit value should never be below 8192 rhel9cis_audit_back_log_limit: 8192 -# The max_log_file parameter should be based on your sites policy -rhel9cis_max_log_file_size: 10 - ### 4.1.3.x audit template update_audit_template: false ## Advanced option found in auditd post rhel9cis_allow_auditd_uid_user_exclusions: false -# This can be used to configure other keys in auditd.conf -rhel9cis_auditd_extra_conf: {} -# Example: -# rhel9cis_auditd_extra_conf: -# admin_space_left: '10%' - ## Preferred method of logging ## Whether rsyslog or journald preferred method for local logging ## Affects rsyslog cis 4.2.1.3 and journald cis 4.2.2.5 diff --git a/tasks/section_4/cis_4.1.2.x.yml b/tasks/section_4/cis_4.1.2.x.yml index b830b1f..f235493 100644 --- a/tasks/section_4/cis_4.1.2.x.yml +++ b/tasks/section_4/cis_4.1.2.x.yml @@ -4,7 +4,7 @@ ansible.builtin.lineinfile: path: /etc/audit/auditd.conf regexp: "^max_log_file( |=)" - line: "max_log_file = {{ rhel9cis_max_log_file_size }}" + line: "max_log_file = {{ rhel9cis_auditd['max_log_file'] }}" notify: Restart auditd when: - rhel9cis_rule_4_1_2_1 From ca41b128cd895410dab925c4db7694ce24ef7907 Mon Sep 17 00:00:00 2001 
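Review bot: The defaults/main.yml hunk deletes `rhel9cis_auditd_extra_conf: {}` together with its comment although the subject only mentions moving max_log_file, and tasks/section_4/cis_4.1.2.x.yml still evaluates `rhel9cis_auditd_extra_conf.keys() | length > 0` (visible as context in the next patch), so at this commit that task fails on an undefined variable unless the inventory defines it; the next patch re-adds the key, but keep `rhel9cis_auditd_extra_conf: {}` here so the series bisects cleanly. Renaming `rhel9cis_max_log_file_size` to `rhel9cis_auditd.max_log_file` silently drops any existing inventory override of the old name, which deserves a changelog note. The new comment could also state the unit, since auditd.conf(5) takes this value in megabytes: `# max_log_file: maximum size of each audit log file in megabytes; base it on your site's policy.` In the cis_4.1.2.x.yml hunk the new `rhel9cis_auditd['max_log_file']` works, though the rest of this dict is presumably read with dotted access elsewhere in the role — worth matching whichever form the role already uses.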
From: Ionut Pruteanu Date: Wed, 20 Dec 2023 22:21:14 +0200 Subject: [PATCH 02/14] Defining some threshold for (audit_)space_left vars, as well as a bool which governs if extra params will be configured Signed-off-by: Ionut Pruteanu --- defaults/main.yml | 11 +++++++++++ tasks/section_4/cis_4.1.2.x.yml | 1 + 2 files changed, 12 insertions(+) diff --git a/defaults/main.yml b/defaults/main.yml index 39d8691..58c84d7 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -529,6 +529,17 @@ rhel9cis_auditd: max_log_file: 10 max_log_file_action: keep_logs +# This value governs if the below extra-vars for auditd should be used by the role +rhel9cis_auditd_extra_conf_usage: false + +# This can be used to configure other keys in auditd.conf +# Example: +# rhel9cis_auditd_extra_conf: +# admin_space_left: '10%' +rhel9cis_auditd_extra_conf: + admin_space_left: 50 + space_left: 75 + # The audit_back_log_limit value should never be below 8192 rhel9cis_audit_back_log_limit: 8192 diff --git a/tasks/section_4/cis_4.1.2.x.yml b/tasks/section_4/cis_4.1.2.x.yml index f235493..8370114 100644 --- a/tasks/section_4/cis_4.1.2.x.yml +++ b/tasks/section_4/cis_4.1.2.x.yml @@ -58,6 +58,7 @@ notify: Restart auditd when: - rhel9cis_auditd_extra_conf.keys() | length > 0 + - rhel9cis_auditd_extra_conf_usage tags: - level2-server - level2-workstation From 1e55d8600190706d9a42f54901030dfb4d4d1cfa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Joachim=20la=20Poutr=C3=A9?= <14360383+sickbock@users.noreply.github.com> Date: Wed, 3 Jan 2024 11:12:06 +0100 Subject: [PATCH 03/14] Update cis_1.3.x.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Correction to "when": 1_3_3 Signed-off-by: Joachim la Poutré <14360383+sickbock@users.noreply.github.com> --- tasks/section_1/cis_1.3.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.3.x.yml b/tasks/section_1/cis_1.3.x.yml index 7a5e544..dda9c66 100644 
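Review bot: `rhel9cis_auditd_extra_conf` now ships live values (`admin_space_left: 50`, `space_left: 75`) directly beneath a comment that still presents the key as an example with `'10%'`, and the two forms differ in meaning: in auditd.conf a bare number is megabytes while a `%` suffix is a percentage of the partition. Replace the example comment with one that states this, e.g. `# Extra auditd.conf keys, applied only when rhel9cis_auditd_extra_conf_usage is true. Bare numbers are megabytes; quote a value such as '10%' for a percentage. Keep admin_space_left below space_left.` Because this is a dict, an inventory override replaces the whole mapping (default hash_behaviour), so a user who wants to change one key must repeat both — worth a sentence in the comment as well. In the cis_4.1.2.x.yml hunk the cheap boolean `rhel9cis_auditd_extra_conf_usage` would read better as the first `when` item, ahead of the `keys() | length` test.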
--- a/tasks/section_1/cis_1.3.x.yml +++ b/tasks/section_1/cis_1.3.x.yml @@ -67,7 +67,7 @@ /sbin/autrace p+i+n+u+g+s+b+acl+xattrs+sha512 validate: aide -D --config %s when: - - rhel9cis_rule_1_3_2 + - rhel9cis_rule_1_3_3 - not system_is_ec2 tags: - level1-server From 4d749d988d87c6bbd281f2efe40fbd92ee3c291a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Joachim=20la=20Poutr=C3=A9?= <14360383+sickbock@users.noreply.github.com> Date: Wed, 3 Jan 2024 11:13:32 +0100 Subject: [PATCH 04/14] Update cis_1.8.x.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Corrected tag rule_1.8.10 Signed-off-by: Joachim la Poutré <14360383+sickbock@users.noreply.github.com> --- tasks/section_1/cis_1.8.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.8.x.yml b/tasks/section_1/cis_1.8.x.yml index 20e56c4..e6f4b0c 100644 --- a/tasks/section_1/cis_1.8.x.yml +++ b/tasks/section_1/cis_1.8.x.yml @@ -261,4 +261,4 @@ - level1-workstation - patch - gui - - rule_1.8.4 + - rule_1.8.10 From 712b8b6ecd3b6dbd120934adfbdcdc0a287eba53 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Joachim=20la=20Poutr=C3=A9?= <14360383+sickbock@users.noreply.github.com> Date: Wed, 3 Jan 2024 11:15:11 +0100 Subject: [PATCH 05/14] Update cis_5.6.1.x.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Corrected tag: rule_5.6.1.1 Signed-off-by: Joachim la Poutré <14360383+sickbock@users.noreply.github.com> --- tasks/section_5/cis_5.6.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index f7b8136..d1f488f 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -12,7 +12,7 @@ - level1-workstation - patch - password - - rule_5.5.1.1 + - rule_5.6.1.1 - name: "5.6.1.2 | PATCH | Ensure minimum days between password changes is 7 or more" ansible.builtin.lineinfile: 
From 3b256ff8311f65c527c69334d65a7f7bf32e5ed9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Joachim=20la=20Poutr=C3=A9?= <14360383+sickbock@users.noreply.github.com> Date: Wed, 3 Jan 2024 11:16:20 +0100 Subject: [PATCH 06/14] Update cis_5.6.1.x.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Corrected tag: rule_5.6.1.5 Signed-off-by: Joachim la Poutré <14360383+sickbock@users.noreply.github.com> --- tasks/section_5/cis_5.6.1.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_5/cis_5.6.1.x.yml b/tasks/section_5/cis_5.6.1.x.yml index d1f488f..8d082bc 100644 --- a/tasks/section_5/cis_5.6.1.x.yml +++ b/tasks/section_5/cis_5.6.1.x.yml @@ -117,4 +117,4 @@ - level1-server - level1-workstation - patch - - rule_5.5.1.5 + - rule_5.6.1.5 From d6b44aac70db771be180954191a4809831480b2d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Joachim=20la=20Poutr=C3=A9?= <14360383+sickbock@users.noreply.github.com> Date: Wed, 3 Jan 2024 11:18:52 +0100 Subject: [PATCH 07/14] Update cis_6.1.x.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Corrected tags: rule_6.1.8 & rule_6.1.12 Signed-off-by: Joachim la Poutré <14360383+sickbock@users.noreply.github.com> --- tasks/section_6/cis_6.1.x.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tasks/section_6/cis_6.1.x.yml b/tasks/section_6/cis_6.1.x.yml index 4cc5cbd..7bce9c5 100644 --- a/tasks/section_6/cis_6.1.x.yml +++ b/tasks/section_6/cis_6.1.x.yml @@ -118,7 +118,7 @@ - level1-workstation - patch - permissions - - rule_6.1.10 + - rule_6.1.8 - name: "6.1.9 | PATCH | Ensure no world writable files exist" block: @@ -253,7 +253,7 @@ - patch - stickybits - permissons - - rule_1.1.21 + - rule_6.1.12 - name: "6.1.13 | AUDIT | Audit SUID executables" block: From e0491ccb8f7fd4e0b85335eeb4795790ea773172 Mon Sep 17 00:00:00 2001 
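Review bot: The second hunk of tasks/section_6/cis_6.1.x.yml corrects `rule_1.1.21` to `rule_6.1.12` but leaves the adjacent tag `permissons` misspelled, whereas the first hunk's task tags the same concept `permissions`; a run restricted with `--tags permissions` would therefore skip this task silently. Change it to `- permissions`. The task these tags belong to begins before the hunk, so its name cannot be confirmed here.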
From: =?UTF-8?q?Joachim=20la=20Poutr=C3=A9?= <14360383+sickbock@users.noreply.github.com> Date: Wed, 3 Jan 2024 11:20:08 +0100 Subject: [PATCH 08/14] Update cis_6.2.x.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Corrected tag: rule_6.2.3 Signed-off-by: Joachim la Poutré <14360383+sickbock@users.noreply.github.com> --- tasks/section_6/cis_6.2.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_6/cis_6.2.x.yml b/tasks/section_6/cis_6.2.x.yml index 2f3141b..6ab91cd 100644 --- a/tasks/section_6/cis_6.2.x.yml +++ b/tasks/section_6/cis_6.2.x.yml @@ -73,7 +73,7 @@ - audit - accounts - groups - - rule_6.2.2 + - rule_6.2.3 - name: "6.2.4 | AUDIT Ensure no duplicate UIDs exist" block: From 87d2685f4ec2586c5792b500d9e0a4b0e8a2dfaf Mon Sep 17 00:00:00 2001 From: Joshua Hemmings Date: Wed, 10 Jan 2024 16:11:27 +0100 Subject: [PATCH 09/14] Update cis_1.1.7.x.yml Signed-off-by: Joshua Hemmings --- tasks/section_1/cis_1.1.7.x.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tasks/section_1/cis_1.1.7.x.yml b/tasks/section_1/cis_1.1.7.x.yml index ee922b3..ef16988 100644 --- a/tasks/section_1/cis_1.1.7.x.yml +++ b/tasks/section_1/cis_1.1.7.x.yml @@ -32,7 +32,7 @@ src: "{{ item.device }}" fstype: "{{ item.fstype }}" state: present - opts: defaults,{% if rhel9cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_7_3 %}nosuid,{% endif %} + opts: defaults,{% if rhel9cis_rule_1_1_7_2 %}nodev,{% endif %}{% if rhel9cis_rule_1_1_7_3 %}nosuid{% endif %} loop: "{{ ansible_facts.mounts }}" loop_control: label: "{{ item.device }}" From aa8a60b4ee5e10aafdf45399b223298bca325db3 Mon Sep 17 00:00:00 2001 
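Review bot: Dropping the comma after `nosuid` only fixes the case where rhel9cis_rule_1_1_7_3 is true; when it is false the rendered value is still `defaults,nodev,` (or `defaults,` when both rules are off), which is the trailing-comma fstab entry the change is trying to avoid. Build the option list and join it instead: `opts: "{{ (['defaults'] + (['nodev'] if rhel9cis_rule_1_1_7_2 else []) + (['nosuid'] if rhel9cis_rule_1_1_7_3 else [])) | join(',') }}"`. The mount task's name and its first arguments start before the hunk, so which mount point this applies to cannot be confirmed here.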
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 22 Jan 2024 17:33:49 +0000 Subject: [PATCH 10/14] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v6.22.1 → v6.22.2](https://github.com/ansible-community/ansible-lint/compare/v6.22.1...v6.22.2) --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index a79d4cb..25fbc9e 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -43,7 +43,7 @@ repos: args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v6.22.1 + rev: v6.22.2 hooks: - id: ansible-lint name: Ansible-lint From e41a340fb0d9b1d97eee100d1c7b9017232f5454 Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Tue, 30 Jan 2024 20:51:32 +0200 Subject: [PATCH 11/14] Ensuring "session optional pam_umask.so " is present in /etc/pam.d/{system-auth | password-auth} --- tasks/section_5/cis_5.6.x.yml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index e5565b4..dffc2d8 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml 
@@ -98,6 +98,37 @@ regexp: '^USERGROUPS_ENAB' line: USERGROUPS_ENAB no + - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Check umask.so in system-auth" + shell: | + grep -E -q "^session\s*(optional|requisite|required)\s*pam_umask.so$" /etc/pam.d/system-auth + ignore_errors: true + no_log: true + check_mode: true + register: pam_umask_line_present_system + + - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | If needed, load session umask.so in system-auth" + ansible.builtin.lineinfile: + path: "/etc/pam.d/system-auth" + regexp: '^session\s*(optional|requisite|required)\s*pam_umask.so$' + line: 'session optional pam_umask.so' + when: + - pam_umask_line_present_system.rc | int != 0 + + - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Check umask.so in password-auth" + shell: | + grep -E -q "^session\s*(optional|requisite|required)\s*pam_umask.so$" /etc/pam.d/password-auth + ignore_errors: true + no_log: true + check_mode: true + register: pam_umask_line_present_password + + - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | If needed, load session umask.so in password-auth" + ansible.builtin.lineinfile: + path: "/etc/pam.d/password-auth" + regexp: '^session\s*(optional|requisite|required)\s*pam_umask.so$' + line: 'session optional pam_umask.so' + when: + - pam_umask_line_present_password.rc | int != 0 when: - rhel9cis_rule_5_6_5 tags: From 47a00a1fd13dd294ad5e946a77cad69e9438fd47 Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Tue, 30 Jan 2024 20:51:32 +0200 Subject: [PATCH 12/14] Solving conflicts after previous commit: Ensuring "session optional pam_umask.so" is present in /etc/pam.d/{system-auth | password-auth} --- tasks/section_5/cis_5.6.x.yml | 34 ++++++++++++++++++++++++++++++---- 1 file changed, 30 insertions(+), 4 deletions(-) diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index a2c0219..dffc2d8 100644 
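Review bot: `check_mode: true` on the two `shell` grep tasks forces them into check mode on every run, and `ansible.builtin.shell` without `creates`/`removes` is skipped in check mode, so the registered `pam_umask_line_present_system`/`_password` results would carry no `rc` and the `when: pam_umask_line_present_*.rc | int != 0` conditions on the two `lineinfile` tasks would fail on an undefined attribute; the usual probe idiom is `check_mode: false` plus `changed_when: false` and `failed_when: false`, which also removes the need for `ignore_errors`, and `no_log: true` here only hides the grep output from the operator. The probes are redundant anyway: `lineinfile` with the same `regexp` already replaces a matching line or appends at EOF (the behaviour the removed `insertafter: EOF` gave), so the two `shell` tasks and their `when` clauses can be dropped and the `lineinfile` tasks kept. The regexp `^session\s*(optional|requisite|required)\s*pam_umask.so$` also misses an existing entry that carries module arguments (e.g. `session optional pam_umask.so umask=0027`), so such a host ends up with a second pam_umask.so line; `\s+` instead of `\s*`, `pam_umask\.so` and `(\s.*)?$` would match it, at the cost of lineinfile rewriting that line to the bare form — decide which is wanted. The same hunk is repeated verbatim in the two later patches that touch this file (PATCH 12/14 and 14/14), which additionally remove the old `session required pam_umask.so` line; this note applies to them too. The block's outer `when: rhel9cis_rule_5_6_5` and `tags` continue past the hunk.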
--- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml @@ -98,11 +98,37 @@ regexp: '^USERGROUPS_ENAB' line: USERGROUPS_ENAB no - - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Force umask sessions /etc/pam.d/system-auth" + - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Check umask.so in system-auth" + shell: | + grep -E -q "^session\s*(optional|requisite|required)\s*pam_umask.so$" /etc/pam.d/system-auth + ignore_errors: true + no_log: true + check_mode: true + register: pam_umask_line_present_system + + - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | If needed, load session umask.so in system-auth" ansible.builtin.lineinfile: - path: /etc/pam.d/system-auth - line: 'session required pam_umask.so' - insertafter: EOF + path: "/etc/pam.d/system-auth" + regexp: '^session\s*(optional|requisite|required)\s*pam_umask.so$' + line: 'session optional pam_umask.so' + when: + - pam_umask_line_present_system.rc | int != 0 + + - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Check umask.so in password-auth" + shell: | + grep -E -q "^session\s*(optional|requisite|required)\s*pam_umask.so$" /etc/pam.d/password-auth + ignore_errors: true + no_log: true + check_mode: true + register: pam_umask_line_present_password + + - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | If needed, load session umask.so in password-auth" + ansible.builtin.lineinfile: + path: "/etc/pam.d/password-auth" + regexp: '^session\s*(optional|requisite|required)\s*pam_umask.so$' + line: 'session optional pam_umask.so' + when: + - pam_umask_line_present_password.rc | int != 0 when: - rhel9cis_rule_5_6_5 tags: From 05ec8671665c0405a545f4480e17bdfebd5793bd Mon Sep 17 00:00:00 2001 
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Mon, 22 Jan 2024 17:33:49 +0000 Subject: [PATCH 13/14] [pre-commit.ci] pre-commit autoupdate MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit updates: - [github.com/ansible-community/ansible-lint: v6.22.1 → v6.22.2](https://github.com/ansible-community/ansible-lint/compare/v6.22.1...v6.22.2) Signed-off-by: Ionut Pruteanu --- .pre-commit-config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index a79d4cb..25fbc9e 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -43,7 +43,7 @@ repos: args: ['--baseline-path', '.config/.gitleaks-report.json'] - repo: https://github.com/ansible-community/ansible-lint - rev: v6.22.1 + rev: v6.22.2 hooks: - id: ansible-lint name: Ansible-lint From 549d51074762e40769e841689c8c39b0f33d4ce2 Mon Sep 17 00:00:00 2001 From: Ionut Pruteanu Date: Tue, 30 Jan 2024 20:51:32 +0200 Subject: [PATCH 14/14] Solving conflicts after previous commit: Ensuring "session optional pam_umask.so" is present in /etc/pam.d/{system-auth | password-auth} Signed-off-by: Ionut Pruteanu --- tasks/section_5/cis_5.6.x.yml | 34 ++++++++++++++++++++++++++++++---- 1 file changed, 30 insertions(+), 4 deletions(-) diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml index a2c0219..dffc2d8 100644 --- a/tasks/section_5/cis_5.6.x.yml +++ b/tasks/section_5/cis_5.6.x.yml 
@@ -98,11 +98,37 @@ regexp: '^USERGROUPS_ENAB' line: USERGROUPS_ENAB no - - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Force umask sessions /etc/pam.d/system-auth" + - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Check umask.so in system-auth" + shell: | + grep -E -q "^session\s*(optional|requisite|required)\s*pam_umask.so$" /etc/pam.d/system-auth + ignore_errors: true + no_log: true + check_mode: true + register: pam_umask_line_present_system + + - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | If needed, load session umask.so in system-auth" ansible.builtin.lineinfile: - path: /etc/pam.d/system-auth - line: 'session required pam_umask.so' - insertafter: EOF + path: "/etc/pam.d/system-auth" + regexp: '^session\s*(optional|requisite|required)\s*pam_umask.so$' + line: 'session optional pam_umask.so' + when: + - pam_umask_line_present_system.rc | int != 0 + + - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Check umask.so in password-auth" + shell: | + grep -E -q "^session\s*(optional|requisite|required)\s*pam_umask.so$" /etc/pam.d/password-auth + ignore_errors: true + no_log: true + check_mode: true + register: pam_umask_line_present_password + + - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | If needed, load session umask.so in password-auth" + ansible.builtin.lineinfile: + path: "/etc/pam.d/password-auth" + regexp: '^session\s*(optional|requisite|required)\s*pam_umask.so$' + line: 'session optional pam_umask.so' + when: + - pam_umask_line_present_password.rc | int != 0 when: - rhel9cis_rule_5_6_5 tags: