diff --git a/defaults/main.yml b/defaults/main.yml index 411e347..094b776 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -14,6 +14,7 @@ users_default_users: [] users_default_groups: [] users_global_umask: "022" +users_session_timeout: 300 users_pass_min_day: 1 users_global_bash_aliases: diff --git a/molecule/centos7/converge.yml b/molecule/centos7/converge.yml index e6d7d2a..7cb2129 100644 --- a/molecule/centos7/converge.yml +++ b/molecule/centos7/converge.yml @@ -2,6 +2,7 @@ - name: Converge hosts: all vars: + users_global_umask: "027" users_default_users: - name: demouser groups: diff --git a/molecule/rocky8/converge.yml b/molecule/rocky8/converge.yml index e6d7d2a..7cb2129 100644 --- a/molecule/rocky8/converge.yml +++ b/molecule/rocky8/converge.yml @@ -2,6 +2,7 @@ - name: Converge hosts: all vars: + users_global_umask: "027" users_default_users: - name: demouser groups: diff --git a/tasks/bash.yml b/tasks/bash.yml index 64abe8a..1c2346f 100644 --- a/tasks/bash.yml +++ b/tasks/bash.yml @@ -1,6 +1,6 @@ --- - block: - - name: Override default .bashrc for given users + - name: Override default .bashrc template: src: etc/bashrc.j2 dest: "{{ item }}" @@ -9,7 +9,7 @@ mode: 0644 loop: "{{ users_bash_bashrc_overrides }}" - - name: Setup custom bash profile at '/etc/profile.d/custom.sh' + - name: Setup custom bash profile template: src: etc/profile.d/custom.sh.j2 dest: /etc/profile.d/custom.sh @@ -17,15 +17,17 @@ group: root mode: 0644 - - name: Set umask to /etc/login.defs - lineinfile: - path: /etc/login.defs - regexp: '^(?PUMASK\s+).+' - line: \g{{ users_global_umask }} - backrefs: yes - state: present + - name: Set global umask + replace: + path: "{{ item }}" + regexp: '^(?i)(?P\s+UMASK\s+).+' + replace: \g{{ users_global_umask }} + loop: + - /etc/bashrc + - /etc/csh.cshrc + - /etc/profile - - name: Enforcing minimum password lifetime + - name: Enforce minimum password lifetime lineinfile: path: /etc/login.defs regexp: '^(?PPASS_MIN_DAYS\s+).+' 
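Review bot: `users_session_timeout: 300` in defaults/main.yml has no comment giving its unit or effect, and it is a security setting operators will want to tune. Suggest adding above it `# Idle timeout in seconds for interactive shells; rendered as a read-only TMOUT in /etc/profile.d/custom.sh`. It would also help to state that an empty or `0` value leaves sessions without a timeout.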
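Review bot: In tasks/bash.yml (hunk at -17,15), the new `Set global umask` task only rewrites an indented `umask` line that already exists in /etc/bashrc, /etc/csh.cshrc and /etc/profile. On a host where a file has no such line, `replace` reports ok and `users_global_umask` is never applied. The same commit drops the /etc/login.defs edit and the `umask` line in custom.sh.j2, which were the paths that did not depend on existing content. Consider keeping the login.defs `UMASK` task alongside this one, or adding a follow-up check that fails when nothing matched. Separately, `'^(?i)…'` places a global inline flag after `^`, which Python's `re` deprecates and rejects from 3.11 on, so write it as `'(?i)^…'`. The named group and the `\g` reference look truncated on this page and are not reviewed here.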
diff --git a/tasks/main.yml b/tasks/main.yml index 69b3a2a..6a74646 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -9,6 +9,8 @@ - "vars" errors: "ignore" +- include_tasks: bash.yml + - include_tasks: "{{ lookup('first_found', params) }}" vars: params: @@ -20,4 +22,3 @@ - "tasks" - include_tasks: users_keys.yml -- include_tasks: bash.yml diff --git a/templates/etc/profile.d/custom.sh.j2 b/templates/etc/profile.d/custom.sh.j2 index e086a25..7b077c3 100644 --- a/templates/etc/profile.d/custom.sh.j2 +++ b/templates/etc/profile.d/custom.sh.j2 @@ -1,6 +1,9 @@ #jinja2:lstrip_blocks: True {{ ansible_managed | comment }} -umask {{ users_global_umask }} + +TMOUT={{ users_session_timeout }} +readonly TMOUT +export TMOUT # are we an interactive shell? if [ "$PS1" ]; then
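Review bot: In tasks/main.yml, `- include_tasks: bash.yml` now runs before the `first_found` include and users_keys.yml, and nothing in the file says why the order matters. Add a comment above it such as `# Apply shell defaults (umask, profile) before the OS-specific user tasks`. If the aim is for accounts created by the later includes to pick up the umask, the reorder alone would not do it: bash.yml in this commit stops editing `UMASK` in /etc/login.defs, the value useradd consults for new home directories. It is also worth confirming that no path in `users_bash_bashrc_overrides` sits under a home directory that only exists after the later includes run.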
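Review bot: In templates/etc/profile.d/custom.sh.j2, `TMOUT={{ users_session_timeout }}` is a plain assignment followed by `readonly TMOUT`, so sourcing the file a second time in the same shell (for example a manual `. /etc/profile`) fails with a `TMOUT: readonly variable` error. Guard the block, e.g. `readonly -p | grep -q ' TMOUT=' || { TMOUT={{ users_session_timeout }}; readonly TMOUT; export TMOUT; }`. The lines also sit above the interactive-shell test and export the variable, so scripts started from the session inherit it, and bash uses it as the default timeout for `read` on a terminal; a comment saying this is intended would help. An empty or `0` value disables the timeout, so the role should assert that `users_session_timeout` is a positive integer before rendering.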