Merge branch 'siemens/feat/b5_6_5_pam-d_files_session' into 'siemens/rhel9/devel'

Solving conflicts after previous commit: See merge request infosec-pss-gov/security-crafter-baseline-automations/ansible-lockdown/rhel9-cis!19
2025-12-27 15:33:06 +00:00 · 2024-02-01 13:32:15 +01:00 · 2024-02-01 13:32:15 +01:00 · ead88e8794
commit ead88e8794
parent 9c1a473400 594e52a21d
1 changed files with 30 additions and 4 deletions
--- a/tasks/section_5/cis_5.6.x.yml
+++ b/tasks/section_5/cis_5.6.x.yml
@ -98,11 +98,37 @@
            regexp: '^USERGROUPS_ENAB'
            line: USERGROUPS_ENAB no
-      - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Force umask sessions /etc/pam.d/system-auth"
+      - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Check umask.so in system-auth"
        shell: |
            grep -E -q "^session\s*(optional|requisite|required)\s*pam_umask.so$" /etc/pam.d/system-auth
        ignore_errors: true
        no_log: true
        check_mode: true
        register: pam_umask_line_present_system
      - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | If needed, load session umask.so in system-auth"
        ansible.builtin.lineinfile:
-            path: /etc/pam.d/system-auth
+            path: "/etc/pam.d/system-auth"
-            line: 'session     required            pam_umask.so'
+            regexp: '^session\s*(optional|requisite|required)\s*pam_umask.so$'
-            insertafter: EOF
+            line: 'session    optional    pam_umask.so'
        when:
            - pam_umask_line_present_system.rc | int != 0
      - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Check umask.so in password-auth"
        shell: |
            grep -E -q "^session\s*(optional|requisite|required)\s*pam_umask.so$" /etc/pam.d/password-auth
        ignore_errors: true
        no_log: true
        check_mode: true
        register: pam_umask_line_present_password
      - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | If needed, load session umask.so in password-auth"
        ansible.builtin.lineinfile:
            path: "/etc/pam.d/password-auth"
            regexp: '^session\s*(optional|requisite|required)\s*pam_umask.so$'
            line: 'session    optional    pam_umask.so'
        when:
            - pam_umask_line_present_password.rc | int != 0
  when:
      - rhel9cis_rule_5_6_5
  tags: