45 lines
1.5 KiB
YAML
45 lines
1.5 KiB
YAML
---
|
|
- name: Ensure the Default UMASK is Set Correctly
|
|
when: cis_effective_rules.umask_default | default(false)
|
|
ansible.builtin.lineinfile:
|
|
path: "/mnt/etc/profile"
|
|
regexp: "^(\\s*)umask\\s+\\d+"
|
|
line: "umask {{ cis_cfg.umask_profile }}"
|
|
|
|
- name: Set the login.defs UMASK (CIS L1+)
|
|
when:
|
|
- cis_effective_rules.umask_default | default(false)
|
|
- cis_strict | default(false)
|
|
ansible.builtin.lineinfile:
|
|
path: /mnt/etc/login.defs
|
|
regexp: '^\s*#?\s*UMASK\b'
|
|
line: "UMASK\t\t{{ cis_cfg.umask_profile }}"
|
|
|
|
# authselect regenerates system-auth from the profile, so a direct edit is lost
|
|
# on the next apply; without-nullok is the supported way to drop nullok there.
|
|
- name: Prevent Login to Accounts With Empty Password (authselect)
|
|
when:
|
|
- cis_effective_rules.empty_password_login | default(false)
|
|
- is_authselect | bool
|
|
ansible.builtin.command: "{{ chroot_command }} authselect enable-feature without-nullok"
|
|
register: cis_nullok_result
|
|
changed_when: cis_nullok_result.rc == 0
|
|
|
|
# Non-RHEL/non-Debian distros: loop evaluates to [] (intentional skip)
|
|
- name: Prevent Login to Accounts With Empty Password
|
|
when: cis_effective_rules.empty_password_login | default(false)
|
|
ansible.builtin.replace:
|
|
dest: "{{ item }}"
|
|
regexp: "\\s*nullok"
|
|
replace: ""
|
|
loop: >-
|
|
{{
|
|
['/mnt/etc/pam.d/system-auth', '/mnt/etc/pam.d/password-auth']
|
|
if is_rhel | bool
|
|
else (
|
|
['/mnt/etc/pam.d/common-auth', '/mnt/etc/pam.d/common-password']
|
|
if is_debian | bool
|
|
else []
|
|
)
|
|
}}
|