ansible-lockdown/RHEL9-CIS
3
0
Fork 1
mirror of https://github.com/ansible-lockdown/RHEL9-CIS.git synced 2025-12-27 15:33:06 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Solving conflicts after previous commit:

Browse source 
Ensuring "session optional pam_umask.so" is present in /etc/pam.d/{system-auth | password-auth}
This commit is contained in:
Ionut Pruteanu 2024-01-30 20:51:32 +02:00
parent 3fe681c0d2
commit 47a00a1fd1
No known key found for this signature in database
GPG key ID: 95B7D43B702B3569
1 changed files with 30 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

34
tasks/section_5/cis_5.6.x.yml
View file

@ -98,11 +98,37 @@
regexp: '^USERGROUPS_ENAB' regexp: '^USERGROUPS_ENAB'
line: USERGROUPS_ENAB no line: USERGROUPS_ENAB no
- name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Force umask sessions /etc/pam.d/system-auth" - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Check umask.so in system-auth"
shell: |
grep -E -q "^session\s*(optional|requisite|required)\s*pam_umask.so$" /etc/pam.d/system-auth
ignore_errors: true
no_log: true
check_mode: true
register: pam_umask_line_present_system
- name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | If needed, load session umask.so in system-auth"
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
path: /etc/pam.d/system-auth path: "/etc/pam.d/system-auth"
line: 'session required pam_umask.so' regexp: '^session\s*(optional|requisite|required)\s*pam_umask.so$'
insertafter: EOF line: 'session optional pam_umask.so'
when:
- pam_umask_line_present_system.rc | int != 0
- name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Check umask.so in password-auth"
shell: |
grep -E -q "^session\s*(optional|requisite|required)\s*pam_umask.so$" /etc/pam.d/password-auth
ignore_errors: true
no_log: true
check_mode: true
register: pam_umask_line_present_password
- name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | If needed, load session umask.so in password-auth"
ansible.builtin.lineinfile:
path: "/etc/pam.d/password-auth"
regexp: '^session\s*(optional|requisite|required)\s*pam_umask.so$'
line: 'session optional pam_umask.so'
when:
- pam_umask_line_present_password.rc | int != 0
when: when:
- rhel9cis_rule_5_6_5 - rhel9cis_rule_5_6_5
tags: tags: