Rule 4.6.5 needs some fixes in order to be CIS compliant

[DianaMariaDDM]

Describe the Issue The rule gets a "FAIL" result from CIS.

Expected Behavior The task from this rule needs to make sure that the following files: /etc/login.defs, /etc/profile and /etc/bashrc contain UMASK 027 (for /etc/login.defs ) or umask 027 (for /etc/profile and /etc/bashrc).

Actual Behavior Firstly, the regexp is not quite good and it does not edit the /etc/login.defs accordingly, adding a new line with UMASK 027 instead of editing the existing one.

Secondly, the way the task is written, it does not edit the /etc/bashrc file in a proper manner, only modifying one of the umask lines, not all of them.

Control(s) Affected 4.6.5 Ensure default user umask is 027 or more restrictive

Environment (please complete the following information):

• branch being used: [e.g. devel]

Additional Notes Anything additional goes here

Possible Solution First part of the solution would be to modify the regexp so that it will match the UMASK line in the /etc/login.defs file. The second part would be to remove the /etc/bashrc file from being edited with the ansible.builtin.lineinfile module, and create another task that edits it with ansible.builtin.replace module (this would be the only manner in which we can ensure that all of the matching lines from this file will get edited properly).

By applying these modifications the files are edited according to CIS regulations and the rule passes!

This solution will be provided in a PR.

[uk-bolly]

hi @DianaMariaDDM

I noticed that you have closed the associated PR for this issue, i have however included a fix in to the Feb24 updates that have been applied. I'd like to get a new release out for this repo asap, Can you confirm that this has been addressed?

Many thanks

uk-bolly

[DianaMariaDDM]

Hello,

Yes this has been addressed!