Update cis_4.6.x.yml #32

Closed

@mfortin mfortin commented Jan 22, 2024

Avoid capturing commented out lines.
Removed parentheses as the capture group is not used, so those were not required.

Overall Review of Changes:
The regex captures lines that are commented out, and Ansible lineinfile only changes the last occurrence. Made the regex explicitly look for a line that is not commented out.

Issue Fixes:
Control 4.6.5 is failing because the line being updated in /etc/login.defs is

# If HOME_MODE is not set, the value of UMASK is used to create the mode.

instead of

UMASK 022

Enhancements:
Please list any enhancements/features that are not open issue tickets

How has this been tested?:
Manually tested on a local instance.

TASK [AMAZON2023-CIS : 4.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/login.defs pam_umask settings] ***
changed: [10.0.0.240] => (item={'path': '/etc/bashrc', 'line': 'umask'})
changed: [10.0.0.240] => (item={'path': '/etc/profile', 'line': 'umask'})
changed: [10.0.0.240] => (item={'path': '/etc/login.defs', 'line': 'UMASK'})

TASK [AMAZON2023-CIS : 4.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Set umask for /etc/bashrc] ***
changed: [10.0.0.240]

And then, logging in on the instance:

$ cat /etc/login.defs | grep -i umask
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
UMASK 027
# If HOME_MODE is not set, the value of UMASK is used to create the mode.

Before the change:

$ cat /etc/login.defs | grep -i umask
# Default initial "umask" value used by login(1) on non-PAM enabled systems.
# Default "umask" value for pam_umask(8) on PAM enabled systems.
# UMASK is also used by useradd(8) and newusers(8) to set the mode for new
UMASK		022
UMASK 027

Avoid capturing commented out lines.
Removed parentheses as the capture group is not used, so those were not required.

Signed-off-by: Math Fortin <[email protected]>
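
The failure described in the pull request above, reproduced as an added example (not part of the PR or of the Ansible-Lockdown role): a small Python model of lineinfile's replace-the-last-match behaviour, run over constructed login.defs lines and followed by a compliance check on the result. The two regexes and all function names are assumptions, since the role's actual patterns are not shown on this page.

```python
import re

# Constructed sample: the UMASK-related lines of /etc/login.defs shown in the PR.
LOGIN_DEFS = [
    '# Default initial "umask" value used by login(1) on non-PAM enabled systems.',
    '# Default "umask" value for pam_umask(8) on PAM enabled systems.',
    "# UMASK is also used by useradd(8) and newusers(8) to set the mode for new",
    "UMASK\t\t022",
    "# If HOME_MODE is not set, the value of UMASK is used to create the mode.",
]

# Assumed patterns for illustration only (not the role's real regexes).
LOOSE = r"UMASK"            # also matches comments that merely mention UMASK
ANCHORED = r"^UMASK\s+\d+"  # only an uncommented directive at line start


def lineinfile(lines, regexp, line):
    """Model lineinfile with state=present: replace the LAST line the regexp
    matches (re.search); append `line` at EOF when nothing matches."""
    pattern = re.compile(regexp)
    last = None
    for i, current in enumerate(lines):
        if pattern.search(current):
            last = i
    out = list(lines)
    if last is None:
        out.append(line)
    else:
        out[last] = line
    return out


def active_umasks(lines):
    """Return the octal value of every uncommented UMASK directive."""
    return [int(m.group(1), 8) for l in lines
            if (m := re.match(r"^\s*UMASK\s+([0-7]+)\s*$", l))]


def compliant(lines):
    """Control 4.6.5: every active UMASK must be 027 or more restrictive."""
    values = active_umasks(lines)
    return bool(values) and all(v & 0o027 == 0o027 for v in values)


if __name__ == "__main__":
    for name, rx in (("loose", LOOSE), ("anchored", ANCHORED)):
        result = lineinfile(LOGIN_DEFS, rx, "UMASK 027")
        print(name, [oct(v) for v in active_umasks(result)], compliant(result))
```

Because the task reports `changed` in both cases, the compliance check on the resulting file is what distinguishes a real fix from a rewritten comment.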

@github-actions github-actions bot left a comment

Congrats on opening your first pull request and thank you for taking the time to help improve Ansible-Lockdown!
Please join in the conversation happening on the Discord Server as well.

mfortin commented Jan 25, 2024

duplicate of #27

@mfortin mfortin closed this Jan 25, 2024