Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Issue with Regex looking for umask value in bashrc (5.6.5) #66

Closed
5fxKu8VV8n opened this issue Jun 20, 2023 · 2 comments
Closed

Issue with Regex looking for umask value in bashrc (5.6.5) #66

5fxKu8VV8n opened this issue Jun 20, 2023 · 2 comments
Assignees
Labels
bug Something isn't working

Comments

@5fxKu8VV8n
Copy link

Describe the Issue
In the task named "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive", ansible task is looking for the umask value in /etc/bashrc, /etc/profile and /etc/login.defs and the patch has to replace the actual value of umask (for example umask 022) to umask 027.
But it seems that, after testing the regex (^(?i)(\s+UMASK|UMASK)\s0[0-2][0-6]) using the line i have in my file /etc/bashrc ([ umask -eq 0 ] && umask 022), it does not match anything.

Expected Behavior
I expect that my /etc/bashrc has umask set to 027 after running the CIS compliance playbook.

Actual Behavior
After running the playbook, the value of umask in /etc/bashrc is still 022 and oscap compliance to cis is still not validated for this task.

Control(s) Affected
"Ensure the Default Bash Umask is Set Correctly"

Environment :

  • branch being used: devel
  • Ansible Version: 2.8.7
  • Host Python Version: 2.7.5
  • Ansible Server Python Version: 2.8.7

Possible Solution
I tried this regex for my case and it seems to work well :
(?i)(umask)\s0[0-2][0-6]

@5fxKu8VV8n 5fxKu8VV8n added the bug Something isn't working label Jun 20, 2023
@uk-bolly
Copy link
Member

hi @byjunks

Thank you for raising this issue, while i can see you are using an older version of ansible (glad its still works for you). You are correct your example would not be caught by the current regex. Feedback and real world examples like this help us to ensure we can capture as many variations as possible. The original regex was only failing as it expected it at the beginning of the line. The solution you have provided is therefor a much cleaner fix. I will add this to a new branch today ready for PR.

many thanks

uk-bolly

uk-bolly added a commit that referenced this issue Jun 28, 2023
Signed-off-by: Mark Bolwell <[email protected]>
@uk-bolly uk-bolly self-assigned this Jun 28, 2023
@uk-bolly uk-bolly mentioned this issue Jun 28, 2023
@snoopyx21
Copy link

Dear,

I want to raise the issue again.
It seems that this line in the file login.defs is not removed :
UMASK 022

I tried with this regex but it doesn't solve the issue : (?i)([uU][mM][aA][sS][kK]\s*\d*)

Best regards,
Constan

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
None yet
Development

No branches or pull requests

3 participants