|
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657 |
- # CIS 5.4.4 Ensure default user umask is 027 or more restrictive (Scored)
- #
- # Description
- # ===========
- # The default umask determines the permissions of files created by users.
- # The user creating the file has the discretion of making their files and
- # directories readable by others via the chmod command. Users who wish to
- # allow their files and directories to be readable by others by default may
- # choose a different default umask by inserting the umask command into the
- # standard shell configuration files ( .profile , .bashrc , etc.) in their
- # home directories.
- #
- # Rationale
- # =========
- # Setting a very secure default value for umask ensures that users make a
- # conscious choice about their file permissions. A default umask setting of
- # 077 causes files and directories created by users to not be readable by
- # any other user on the system. A umask of 027 would make files and
- # directories readable by users in the same Unix group, while a umask of 022
- # would make files readable by every user on the system.
- #
- # Audit
- # =====
- # Run the following commands and verify all umask lines returned are 027 or
- # more restrictive.
- #
- # # grep "^umask" /etc/bash.bashrc
- # umask 027
- # # grep "^umask" /etc/profile
- # umask 027
- #
- # Remediation
- # ===========
- # Edit the /etc/bash.bashrc and /etc/profile files (and the appropriate files
- # for any other shell supported on your system) and add or edit any umask
- # parameters as follows:
- #
- # umask 027
- #
- # Notes
- # =====
- # The audit and remediation in this recommendation apply to bash and shell.
- # If other shells are supported on the system, it is recommended that their
- # configuration files also are checked.
- #
- # Other methods of setting a default user umask exist however the shell
- # configuration files are the last run and will override other settings if
- # they exist therefore our recommendation is to configure in the shell
- # configuration files. If other methods are in use in your environment they
- # should be audited and the shell configs should be verified to not override.
- #
- parameters:
- linux:
- system:
- shell:
- umask: "027"
-
|