CIS 5.4.4, 5.4.5 * CIS 5.4.4 Ensure default user umask is 027 or more restrictive (Scored) * CIS 5.4.5 Ensure default user shell timeout is 900 seconds or less (Scored) Related-Prod: PROD-20765 Change-Id: I5ff5e5bc76e1d87432caec70f2b35eec288e9213

commit: ba028c3e95488e07fbe2a01992301d1b52747162 [log] [tgz]
author: Dmitry Teselkin <dteselkin@mirantis.com> Tue Sep 04 13:01:13 2018 +0300
committer: Dmitry Teselkin <dteselkin@mirantis.com> Tue Sep 11 16:33:14 2018 +0300
tree: a74e08d30d378ebff97c5d6b00974f729cf2d781
parent: 5f2c6ce2189edf9080d8d0a28c60e3da1110a5bf [diff]
diff --git a/linux/system/shell.sls b/linux/system/shell.sls
new file mode 100644
index 0000000..29fc1dc
--- /dev/null
+++ b/linux/system/shell.sls

@@ -0,0 +1,45 @@
+{%- from "linux/map.jinja" import system with context %}
+{%- if system.enabled %}
+  {%- if system.shell is defined %}
+
+    {%- if system.shell.umask is defined %}
+etc_bash_bashrc_umask:
+  file.blockreplace:
+    - name: /etc/bash.bashrc
+    - marker_start: "# BEGIN CIS 5.4.4 default user umask"
+    - marker_end: "# END CIS 5.4.4 default user umask"
+    - content: "umask {{ system.shell.umask }}"
+    - append_if_not_found: True
+    - onlyif: test -f /etc/bash.bashrc
+
+etc_profile_umask:
+  file.blockreplace:
+    - name: /etc/profile
+    - marker_start: "# BEGIN CIS 5.4.4 default user umask"
+    - marker_end: "# END CIS 5.4.4 default user umask"
+    - content: "umask {{ system.shell.umask }}"
+    - append_if_not_found: True
+    - onlyif: test -f /etc/profile
+    {%- endif %}
+
+    {%- if system.shell.timeout is defined %}
+etc_bash_bashrc_timeout:
+  file.blockreplace:
+    - name: /etc/bash.bashrc
+    - marker_start: "# BEGIN CIS 5.4.5 default user shell timeout"
+    - marker_end: "# END CIS 5.4.5 default user shell timeout"
+    - content: "TMOUT={{ system.shell.timeout }}"
+    - append_if_not_found: True
+    - onlyif: test -f /etc/bash.bashrc
+
+etc_profile_timeout:
+  file.blockreplace:
+    - name: /etc/profile
+    - marker_start: "# BEGIN CIS 5.4.5 default user shell timeout"
+    - marker_end: "# END CIS 5.4.5 default user shell timeout"
+    - content: "TMOUT={{ system.shell.timeout }}"
+    - append_if_not_found: True
+    - onlyif: test -f /etc/profile
+    {%- endif %}
+  {%- endif %}
+{%- endif %}

diff --git a/tests/pillar/system.sls b/tests/pillar/system.sls
index aa1c7ed..5cfeea7 100644
--- a/tests/pillar/system.sls
+++ b/tests/pillar/system.sls

@@ -410,6 +410,9 @@
     login_defs:
       PASS_MAX_DAYS:
         value: 99
+    shell:
+      umask: '027'
+      timeout: 900
     profile:
       vi_flavors.sh: |
         export PAGER=view
commit	ba028c3e95488e07fbe2a01992301d1b52747162	[log] [tgz]
author	Dmitry Teselkin <dteselkin@mirantis.com>	Tue Sep 04 13:01:13 2018 +0300
committer	Dmitry Teselkin <dteselkin@mirantis.com>	Tue Sep 11 16:33:14 2018 +0300
tree	a74e08d30d378ebff97c5d6b00974f729cf2d781
parent	5f2c6ce2189edf9080d8d0a28c60e3da1110a5bf [diff]