From 249135713612bdfd95465488ad4fd235704b2896 Mon Sep 17 00:00:00 2001
From: Mark Bolwell
Date: Fri, 14 Oct 2022 12:09:30 +0100
Subject: [PATCH] Added login.defs 5.6.5
Signed-off-by: Mark Bolwell
---
 tasks/section_5/cis_5.6.x.yml | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/tasks/section_5/cis_5.6.x.yml b/tasks/section_5/cis_5.6.x.yml
index 474a378..4064d74 100644
--- a/tasks/section_5/cis_5.6.x.yml
+++ b/tasks/section_5/cis_5.6.x.yml
@@ -87,6 +87,15 @@
 - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive"
 block:
+ - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/login.defs pam_umask settings"
+ replace:
+ path: /etc/login.defs
+ regexp: "{{ item.regexp }}"
+ replace: "{{ item.replace }}"
+ loop:
+ - { regexp: '(UMASK\s+)0[012][0-6]', replace: '\1 027' }
+ - { regexp: '(USERGROUPS_ENAB\s+)yes', replace: '\1 no' }
+
 - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc"
 replace:
 path: /etc/bashrc
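Review bot: The UMASK pattern in the first loop item, `(UMASK\s+)0[012][0-6]`, rewrites only some of the values that are weaker than 027: `007` and `017` (group write not masked) and values such as `036` or `066` are left untouched, so the task can run cleanly on a host that still fails 5.6.5. Testing the group and other digits separately covers these without lowering a stricter value like 077, for example `regexp: '^(\s*UMASK\s+)[0-7]([0145][0-7]|[0-7][0-6])\b'` with `replace: '\g<1>027'`; the leading `^` also restricts the match to active lines, where the current pattern will also edit commented-out ones. `replace` changes nothing when no UMASK or USERGROUPS_ENAB line exists, so the missing-line case needs a `lineinfile` task or a follow-up assertion. The task name refers to pam_umask, but nothing in this hunk touches the PAM configuration; the block continues outside the hunk, so that may be handled elsewhere.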