CIS role split and permission safety

roles/cis/tasks/auth.yml

@@ -0,0 +1,15 @@
+---
+- name: Ensure the Default UMASK is Set Correctly
+  ansible.builtin.lineinfile:
+    path: "/mnt/etc/profile"
+    regexp: "^(\\s*)umask\\s+\\d+"
+    line: "umask 027"
+
+- name: Prevent Login to Accounts With Empty Password
+  ansible.builtin.replace:
+    dest: "{{ item }}"
+    regexp: "\\s*nullok"
+    replace: ""
+  loop:
+    - /mnt/etc/pam.d/system-auth
+    - /mnt/etc/pam.d/password-auth