March 24 to devel (#186)

* Issue #170, PR #181 thanks to @ipruteanu-sie * issue #182, PR #183 thansk to @ipruteanu-sie * PR #180 thanks to @ipruteanu-sie and @raabf * Addressed PR #165 thanks to @ipruteanu-sie * PT #184 addressed thansk to @ipruteanu-sie * updated credits * typo and ssh allow_deny comments * enable OS check --------- Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
2024-03-06 16:52:38 +00:00 · 2024-03-06 16:52:38 +00:00 · 7d7b6132f4
commit 7d7b6132f4
parent 0f58436212
11 changed files with 58 additions and 57 deletions
--- a/tasks/section_5/cis_5.2.x.yml
+++ b/tasks/section_5/cis_5.2.x.yml
@ -1,6 +1,6 @@
 ---

- name: "5.2.1 | Ensure permissions on /etc/ssh/sshd_config are configured"
+- name: "5.2.1 | PATCH | Ensure permissions on /etc/ssh/sshd_config are configured"
  ansible.builtin.file:
      path: "/etc/ssh/sshd_config"
      owner: root
--- a/tasks/section_5/cis_5.6.x.yml
+++ b/tasks/section_5/cis_5.6.x.yml
@ -2,7 +2,7 @@

 - name: "5.6.2 | PATCH | Ensure system accounts are secured"
  block:
-      - name: "5.6.2 | Ensure system accounts are secured | Set nologin"
+      - name: "5.6.2 | PATCH | Ensure system accounts are secured | Set nologin"
        ansible.builtin.user:
            name: "{{ item.id }}"
            shell: /usr/sbin/nologin
@ -98,11 +98,30 @@
            regexp: '^USERGROUPS_ENAB'
            line: USERGROUPS_ENAB no

-      - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Force umask sessions /etc/pam.d/system-auth"
-        ansible.builtin.lineinfile:
-            path: /etc/pam.d/system-auth
-            line: 'session     required            pam_umask.so'
-            insertafter: EOF
+      - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Add umask sessions for pamd"
+        community.general.pamd:
+            name: "{{ item }}"
+            type: session
+            control: required
+            module_path: pam_limits.so
+            new_type: session
+            new_module_path: pam_umask.so
+            new_control: optional
+            state: before
+        register: rhel9cis_pamd_umask_added
+        loop:
+            - system-auth
+            - password-auth
+
+      - name: "5.6.5 | AUDIT | Ensure default user umask is 027 or more restrictive | update umask settings if required"
+        ansible.builtin.replace:
+            path: "/etc/pam.d/{{ item }}"
+            regexp: ^(session\s+)(requisite|required)(\s+pam_umask.so)$
+            replace: \1optional\3
+        loop:
+            - system-auth
+            - password-auth
+
  when:
      - rhel9cis_rule_5_6_5
  tags: