

Merge pull request #448 from konstruktoid/cisaumask
ensure TMOUT and shell umask settings
konstruktoid authored Dec 14, 2023
2 parents c5e675c + 516206d commit 25cfe5b
Showing 1 changed file with 121 additions and 27 deletions.
148 changes: 121 additions & 27 deletions tasks/umask.yml
Expand Up @@ -22,6 +22,17 @@
- CIS-UBUNTU2004-5.5.4
- M1022

- name: Ensure that a umask line appears in rc
become: true
ansible.builtin.lineinfile:
line: umask {{ umask_value }}
mode: "0644"
path: /etc/init.d/rc
regexp: umask(\s+.*)
when: initdrc.stat.exists
tags:
- umask

- name: Stat bashrc
become: true
ansible.builtin.stat:
Expand Down Expand Up @@ -49,6 +60,55 @@
- CIS-UBUNTU2004-5.5.4
- M1022

- name: Ensure that a umask line appears in bashrc
become: true
ansible.builtin.lineinfile:
line: umask {{ umask_value }}
mode: "0644"
path: /etc/bashrc
regexp: umask(\s+.*)
when: bashrc.stat.exists
tags:
- umask

- name: Stat bash.bashrc
become: true
ansible.builtin.stat:
path: /etc/bash.bashrc
register: bash_bashrc
tags:
- bash
- umask
- CCE-81036-6
- CIS-UBUNTU2004-5.5.4
- M1022

- name: Set default bash.bashrc umask
become: true
ansible.builtin.replace:
regexp: umask(\s+.*)
replace: umask {{ umask_value }}
dest: /etc/bash.bashrc
mode: "0644"
when: bash_bashrc.stat.exists
tags:
- bash
- umask
- CCE-81036-6
- CIS-UBUNTU2004-5.5.4
- M1022

- name: Ensure that a umask line appears in bash.bashrc
become: true
ansible.builtin.lineinfile:
line: umask {{ umask_value }}
mode: "0644"
path: /etc/bash.bashrc
regexp: umask(\s+.*)
when: bash_bashrc.stat.exists
tags:
- umask

- name: Stat csh.cshrc
become: true
ansible.builtin.stat:
Expand All @@ -74,6 +134,17 @@
- CIS-UBUNTU2004-5.5.4
- M1022

- name: Ensure that a umask line appears in csh.cshrc
become: true
ansible.builtin.lineinfile:
line: umask {{ umask_value }}
mode: "0644"
path: /etc/csh.cshrc
regexp: umask(\s+.*)
when: cshrc.stat.exists
tags:
- umask

- name: Set default profile umask
become: true
ansible.builtin.replace:
Expand All @@ -86,40 +157,63 @@
- CIS-UBUNTU2004-5.5.4
- M1022

- name: Configure readonly TMOUT
- name: Ensure that a umask line appears in profile
become: true
ansible.builtin.lineinfile:
line: readonly TMOUT
dest: /etc/profile
line: umask {{ umask_value }}
mode: "0644"
state: present
create: false
insertbefore: ^export
path: /etc/profile
regexp: umask(\s+.*)
tags:
- tmout
- umask

- name: Find all files in /etc/profile.d
ansible.builtin.find:
paths:
- /etc/profile.d
patterns:
- "*"
register: find_profiled_result

- name: Set TMOUT
- name: Set default profile umask for each file in /etc/profile.d
become: true
ansible.builtin.lineinfile:
line: TMOUT=600
dest: /etc/profile
ansible.builtin.replace:
regexp: umask(\s+.*)
replace: umask {{ umask_value }}
dest: "{{ item.path }}"
mode: "0644"
state: present
create: false
insertbefore: ^readonly TMOUT
loop: "{{ find_profiled_result.files }}"
loop_control:
label: "{{ item.path }}"
tags:
- tmout
- CIS-UBUNTU2004-5.5.5
- UBTU-20-010013
- umask

- name: Export TMOUT
- name: Set TMOUT in /etc/profile
become: true
ansible.builtin.lineinfile:
line: export TMOUT
dest: /etc/profile
mode: "0644"
state: present
create: false
insertafter: ^readonly TMOUT
tags:
- tmout
block:
- name: Configure readonly TMOUT
ansible.builtin.lineinfile:
line: "readonly TMOUT"
dest: /etc/profile
mode: "0644"
state: present
create: false
insertbefore: "^export"

- name: Set TMOUT
ansible.builtin.lineinfile:
line: "TMOUT=900"
dest: /etc/profile
mode: "0644"
state: present
create: false
insertbefore: "^readonly TMOUT"

- name: Export TMOUT
ansible.builtin.lineinfile:
line: "export TMOUT"
dest: /etc/profile
mode: "0644"
state: present
create: false
insertafter: "^readonly TMOUT"
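Review bot: The `Find all files in /etc/profile.d` task that registers `find_profiled_result` carries no `tags:` and no `become: true`, unlike every other task in this hunk, so a run limited with `--tags umask` skips it and the following loop task then fails on an undefined `find_profiled_result`; add `become: true` and `tags: [umask]` to that task. In the TMOUT block, `Set TMOUT` uses `line: "TMOUT=900"` without a `regexp`, so a host configured by the previous revision keeps its `TMOUT=600` line and ends up with two assignments; `regexp: "^TMOUT="` on that task makes the value replace rather than accumulate. The umask `lineinfile` tasks in this and the earlier hunks share an unanchored `regexp: umask(\s+.*)`, which also matches the word inside other lines (a commented example, an indented conditional), and an anchored `regexp: ^\s*umask(\s+.*)` would limit the rewrite to actual umask statements. The 900-second timeout is hard-coded where the umask is driven by `umask_value`; a `tmout_value` variable would keep the two settings configurable the same way. The task list continues outside the visible hunks.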
