diff --git a/tasks/bash.yml b/tasks/bash.yml
index 1c2346f..ebe4f37 100644
--- a/tasks/bash.yml
+++ b/tasks/bash.yml
@@ -27,6 +27,14 @@
         - /etc/csh.cshrc
         - /etc/profile
 
+    - name: Set umask in /etc/login.defs
+      lineinfile:
+        path: /etc/login.defs
+        regexp: '^(?P<umask>UMASK\s+).+'
+        line: \g<umask>{{ users_global_umask }}
+        backrefs: yes
+        state: present
+
     - name: Enforce minimum password lifetime
       lineinfile:
         path: /etc/login.defs