#!/bin/bash
#
# kate: tab-indents off; tab-width 4; indent-width 4;
#
# This file implements the following CIS controls
# --------------------------------------------------------------------
#  5.4.4   Ensure the default user umask is 027 or more restrictive
#  5.4.5   Ensure the default user shell timeout is 900 seconds or less
#----------------------------------------------------------------------

#
# Naturally, to pass this check (at least as AWS Inspector evaluates it) we cannot
# follow best practice and add a drop-in under /etc/profile.d; we have to edit the
# main bashrc / profile files in place.
#
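#######################################
# Apply CIS 5.4.4 (umask 027) and 5.4.5 (TMOUT=900) to one shell start-up file.
# The file is edited in place, so the caller is expected to run as root.
# Arguments: $1 - path of the start-up file (/etc/profile, /etc/bashrc, ...)
# Outputs:   a warning on stderr when the file does not exist
# Returns:   0 (a missing file is skipped with a warning, not treated as an error,
#            to keep the exit status the script always had)
#######################################
enforce_cis_login_defaults() {
    local target=$1

    # Debian-family hosts ship /etc/bash.bashrc rather than /etc/bashrc. Skip a
    # missing file: otherwise `sed -i` errors out and the `>>` below creates a
    # stray file that nothing sources, which a later audit may mistake for a
    # real configuration.
    if [[ ! -f "${target}" ]]; then
        printf 'warning: %s does not exist, skipping\n' "${target}" >&2
        return 0
    fi

    # --- CIS 5.4.4: umask 027 ---------------------------------------------------
    # Rewrite the stock 002/022/027 (optionally zero-padded) settings in place so
    # the result stays inside whatever if/else the distro wraps umask in.
    # NOTE: the replacement appends a `#` comment, so anything that followed the
    # umask on the same line (e.g. `umask 022; foo`) would be commented out. The
    # stock RHEL / Amazon Linux files keep umask on its own line; verify before
    # pointing this at other files.
    if ! grep -qP '^\s*umask\s+027(\s|$)' "${target}"; then
        sed -i -re 's/umask 0?0(02|22|27)/umask 027 # [ng-encis] Ensure the default user umask is 027 or more restrictive (CIS 5.4.4)/g' "${target}"

        # If the file never set a umask at all, the sed above is a no-op and the
        # control would silently stay unmet, so append one. A umask sed did not
        # match (e.g. 077, or a symbolic mask) is left alone: it is either already
        # "more restrictive" or not something to rewrite blindly.
        if ! grep -qP '^\s*umask\s+' "${target}"; then
            echo 'umask 027 # [ng-encis] Ensure the default user umask is 027 or more restrictive (CIS 5.4.4)' >>"${target}"
        fi
    fi

    # --- CIS 5.4.5: TMOUT=900 ---------------------------------------------------
    # Appending places our assignment after any earlier TMOUT= in the file, so
    # ours takes effect at login. Caveats: an earlier `readonly TMOUT` would make
    # this assignment fail, and without `readonly` a user can still `unset TMOUT`
    # in their own rc files -- later CIS benchmark revisions add `readonly TMOUT`
    # for that reason; check which revision your scanner enforces before adding it,
    # since readonly also breaks any later per-user TMOUT assignment.
    # (The marker tag here is [ne-encis] while the umask one is [ng-encis]; kept
    # as found -- presumably one is a typo, confirm against the project convention.)
    if ! grep -qP '^\s*TMOUT=900(\s|$)' "${target}"; then
        echo 'TMOUT=900    # [ne-encis] Ensure the default user shell time out is 900 seconds or less (CIS 5.4.5)' >>"${target}"
        echo 'export TMOUT # [ne-encis] Ensure the default user shell time out is 900 seconds or less (CIS 5.4.5)' >>"${target}"
    fi
    return 0
}

for x in /etc/profile /etc/bashrc; do
    enforce_cis_login_defaults "${x}"
done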
