UBUNTU20-CIS

CIS 5.5.4 uses replace instead of lineinfile for some tasks and misses applying umask in some files

Open jrbeilke opened this issue 2 years ago • 0 comments

Describe the Issue The tasks for CIS 5.5.4 are inconsistent (some use lineinfile and some use replace), which results in some files not having the proper umask added if a line is not already present in the file.

Expected Behavior CIS 5.5.4 tasks should be consistent and ensure the necessary umask settings are added/updated to all files noted in the CIS criteria, including:

  • /etc/bashrc
  • /etc/profile
  • /etc/profile.d/*.sh files

Actual Behavior For example, I'm working with the Ubuntu 20.04 public cloud AMIs and /etc/profile does not have a umask line by default. When the UBUNTU20-CIS Ansible role is run it fails to add the necessary umask setting in /etc/profile because the task uses a replace instead of lineinfile.

Control(s) Affected

  • AUTOMATED | 5.5.4 | PATCH | Ensure default user umask is 027 or more restrictive

Environment (please complete the following information):

  • Ansible Version: 5.3.0
  • Host Python Version: 3.8
  • Ansible Server Python Version: 3.10.2
  • Additional Details:

Additional Notes Anything additional goes here

Possible Solution CIS 5.5.4 tasks should be updated to use lineinfile to handle cases where a file may not already have a umask setting in place. It appears that is how https://github.com/ansible-lockdown/UBUNTU18-CIS handles this criteria.

jrbeilke · Apr 18 '22 20:04
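The following playbook is an added example illustrating the lineinfile-versus-replace difference described in the issue; it is not code from the UBUNTU20-CIS role or from the reporter. The variable names (`cis_umask`, `umask_files`), the play layout, and the file list are assumptions made for this example. Note that on Ubuntu the system-wide bashrc is `/etc/bash.bashrc` (there is no `/etc/bashrc`), so that path is used here.

```yaml
# Added example (not from the UBUNTU20-CIS role): enforce a default umask of
# 027 in the login-shell startup files named in CIS 5.5.4.
#
# Why `replace` misses files: it only rewrites text that already matches the
# regexp. On a file with no umask line at all (e.g. /etc/profile on a stock
# Ubuntu 20.04 cloud image) a task such as
#
#   - ansible.builtin.replace:
#       path: /etc/profile
#       regexp: '^(\s*)umask\s+\d+'
#       replace: '\1umask 027'
#
# reports "ok", changes nothing, and the control stays unmet.
#
# `lineinfile` with `regexp` + `line` updates an existing umask line if one
# exists and appends the line otherwise, so it covers both cases.
- name: "5.5.4 | PATCH | Ensure default user umask is 027 or more restrictive"
  hosts: all
  become: true
  vars:
    cis_umask: "027"          # assumption: value chosen for this example
    umask_files:              # assumption: static file list for this example
      - /etc/profile
      - /etc/bash.bashrc      # Ubuntu's system-wide bashrc (not /etc/bashrc)
  tasks:
    - name: "5.5.4 | PATCH | Set umask in /etc/profile and /etc/bash.bashrc (update or append)"
      ansible.builtin.lineinfile:
        path: "{{ item }}"
        # Only uncommented umask lines match; '# umask 022' is left alone.
        regexp: '^\s*umask\s+'
        line: "umask {{ cis_umask }}"
      loop: "{{ umask_files }}"

    - name: "5.5.4 | PATCH | Find /etc/profile.d/*.sh"
      ansible.builtin.find:
        paths: /etc/profile.d
        patterns: '*.sh'
        file_type: file
      register: profile_d_files

    - name: "5.5.4 | PATCH | Set umask in /etc/profile.d/*.sh (update or append)"
      ansible.builtin.lineinfile:
        path: "{{ item.path }}"
        regexp: '^\s*umask\s+'
        line: "umask {{ cis_umask }}"
      loop: "{{ profile_d_files.files }}"
      loop_control:
        label: "{{ item.path }}"

    # Audit: list any uncommented umask line looser than 027. A 3-digit value
    # is too permissive when its group digit is 0 or 1, or its "other" digit
    # is below 7 (an optional leading 0, as in 0027, is tolerated).
    - name: "5.5.4 | AUDIT | Report umask values more permissive than 027"
      ansible.builtin.shell: >
        grep -HnE '^[[:space:]]*umask[[:space:]]+0?([0-7][01][0-7]|[0-7][0-7][0-6])\b'
        /etc/profile /etc/bash.bashrc /etc/profile.d/*.sh || true
      register: loose_umask
      changed_when: false

    - name: "5.5.4 | AUDIT | Fail if a permissive umask remains"
      ansible.builtin.assert:
        that: loose_umask.stdout | length == 0
        fail_msg: "Permissive umask lines found:\n{{ loose_umask.stdout }}"
        success_msg: "No umask looser than 027 in the checked files"
```

Running this twice is idempotent: the first run appends `umask 027` where no line existed and rewrites any looser existing value; the second reports every task as ok. The lineinfile tasks deliberately omit `create: true` so that a missing startup file fails loudly rather than being silently created. The audit grep deliberately matches only uncommented lines, which is the same condition the lineinfile regexp uses, so what the audit flags is exactly what the patch tasks would have fixed.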