Ensure the Default Bash Umask is Set Correctly

Classification: compliance

Framework:

Control:

Description

To ensure the default umask for users of the Bash shell is set properly, add or correct the umask setting in /etc/bashrc to read as follows:

umask 027

Rationale

The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.
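To make the effect described above concrete, here is an added example (not part of the original rule or its remediation content) in POSIX shell. It shows how an octal umask is subtracted from the default creation modes (0666 for files, 0777 for directories), and it audits constructed sample rc files for the last effective umask line, the same check the rule performs against /etc/bashrc. The file names, the sample contents and the "at least as restrictive" comparison are the example's own assumptions; the page itself only checks for the literal value 027.

```shell
#!/bin/sh
# Added example: what a umask does to default modes, and an audit of
# bashrc-style files for the umask directive.

# Resulting mode bits for a new file (base 0666) and directory (base 0777)
# under the given octal umask, printed as "file dir", e.g. "0640 0750".
mode_for_umask() {
  # $1: umask as an octal string such as 027
  file_mode=$(( 0666 & ~0$1 ))
  dir_mode=$(( 0777 & ~0$1 ))
  printf '%04o %04o\n' "$file_mode" "$dir_mode"
}

# Print the value of the last uncommented "umask <value>" line in a file,
# or "unset" if none is present. Later lines win, as they do in the shell.
effective_umask() {
  # $1: path to the rc file
  awk '
    /^[[:space:]]*umask[[:space:]]+/ { val = $2 }
    END { print (val == "" ? "unset" : val) }
  ' "$1"
}

# Return 0 when the file's effective umask clears at least every bit that the
# required umask clears (i.e. is at least as restrictive), 1 otherwise.
# Only the octal form is evaluated; symbolic values (umask -S ...) fail.
umask_compliant() {
  # $1: rc file, $2: required umask (octal string)
  found=$(effective_umask "$1")
  case "$found" in
    *[!0-7]*|'') return 1 ;;
  esac
  [ $(( 0$found & 0$2 )) -eq $(( 0$2 )) ]
}

# Constructed sample rc files (not real system files) used for the demo.
sample_dir=$(mktemp -d)
printf '%s\n' '# distro default' 'umask 022' > "$sample_dir/bashrc.weak"
printf '%s\n' 'umask 022' '    umask 027   # hardened later in the file' > "$sample_dir/bashrc.ok"
printf '%s\n' '# umask 027   <- commented out, never applied' > "$sample_dir/bashrc.unset"

for f in "$sample_dir"/bashrc.*; do
  if umask_compliant "$f" 027; then status=PASS; else status=FAIL; fi
  printf '%-14s umask=%-6s file/dir=%s %s\n' \
    "$(basename "$f")" "$(effective_umask "$f")" \
    "$(mode_for_umask 027)" "$status"
done
```

The sample files are left under the temporary directory so they can be inspected after the run. Note that the shell remediation on this page edits /etc/bash.bashrc while the description and the playbook target /etc/bashrc; point an audit at whichever file the distribution's bash actually sources.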

Remediation

Shell script

The following script can be run on the host to remediate the issue.

var_accounts_user_umask='027'

# Rewrite an existing umask line in place; if grep finds none (or sed fails),
# append a new umask line instead.
grep -q "^\s*umask" /etc/bash.bashrc && \
  sed -i -E -e "s/^(\s*umask).*/\1 $var_accounts_user_umask/g" /etc/bash.bashrc
if ! [ $? -eq 0 ]; then
  echo "umask $var_accounts_user_umask" >> /etc/bash.bashrc
fi

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: XCCDF Value var_accounts_user_umask # promote to variable
  set_fact:
    var_accounts_user_umask: !!str 027
  tags:
    - always

- name: Check if umask in /etc/bashrc is already set
  ansible.builtin.lineinfile:
    path: /etc/bashrc
    regexp: ^(\s*)umask\s+.*
    state: absent
  check_mode: true
  changed_when: false
  register: umask_replace
  tags:
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-8.6.1
    - accounts_umask_etc_bashrc
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Replace user umask in /etc/bashrc
  ansible.builtin.replace:
    path: /etc/bashrc
    regexp: ^(\s*)umask(\s+).*
    replace: \g<1>umask\g<2>{{ var_accounts_user_umask }}
  when: umask_replace.found > 0
  tags:
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-8.6.1
    - accounts_umask_etc_bashrc
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Ensure the Default umask is Appended Correctly
  ansible.builtin.lineinfile:
    create: true
    path: /etc/bashrc
    line: umask {{ var_accounts_user_umask }}
  when: umask_replace.found == 0
  tags:
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-8.6.1
    - accounts_umask_etc_bashrc
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy