mcp-jenkins
6 years ago
2 changed files with 58 additions and 0 deletions
+ 57
- 0
metadata/service/system/cis/cis-5-4-4.yml
View File
| # CIS 5.4.4 Ensure default user umask is 027 or more restrictive (Scored) | |||||
| # | |||||
| # Description | |||||
| # =========== | |||||
| # The default umask determines the permissions of files created by users. | |||||
| # The user creating the file has the discretion of making their files and | |||||
| # directories readable by others via the chmod command. Users who wish to | |||||
| # allow their files and directories to be readable by others by default may | |||||
| # choose a different default umask by inserting the umask command into the | |||||
| # standard shell configuration files ( .profile , .bashrc , etc.) in their | |||||
| # home directories. | |||||
| # | |||||
| # Rationale | |||||
| # ========= | |||||
| # Setting a very secure default value for umask ensures that users make a | |||||
| # conscious choice about their file permissions. A default umask setting of | |||||
| # 077 causes files and directories created by users to not be readable by | |||||
| # any other user on the system. A umask of 027 would make files and | |||||
| # directories readable by users in the same Unix group, while a umask of 022 | |||||
| # would make files readable by every user on the system. | |||||
| # | |||||
| # Audit | |||||
| # ===== | |||||
| # Run the following commands and verify all umask lines returned are 027 or | |||||
| # more restrictive. | |||||
| # | |||||
| # # grep "^umask" /etc/bash.bashrc | |||||
| # umask 027 | |||||
| # # grep "^umask" /etc/profile | |||||
| # umask 027 | |||||
| # | |||||
| # Remediation | |||||
| # =========== | |||||
| # Edit the /etc/bash.bashrc and /etc/profile files (and the appropriate files | |||||
| # for any other shell supported on your system) and add or edit any umask | |||||
| # parameters as follows: | |||||
| # | |||||
| # umask 027 | |||||
| # | |||||
| # Notes | |||||
| # ===== | |||||
| # The audit and remediation in this recommendation apply to bash and shell. | |||||
| # If other shells are supported on the system, it is recommended that their | |||||
| # configuration files also are checked. | |||||
| # | |||||
| # Other methods of setting a default user umask exist however the shell | |||||
| # configuration files are the last run and will override other settings if | |||||
| # they exist therefore our recommendation is to configure in the shell | |||||
| # configuration files. If other methods are in use in your environment they | |||||
| # should be audited and the shell configs should be verified to not override. | |||||
| # | |||||
| parameters: | |||||
| linux: | |||||
| system: | |||||
| shell: | |||||
| umask: "027" | |||||
+ 1
- 0
metadata/service/system/cis/init.yml
View File
| - service.linux.system.cis.cis-5-4-1-2 | - service.linux.system.cis.cis-5-4-1-2 | ||||
| - service.linux.system.cis.cis-5-4-1-3 | - service.linux.system.cis.cis-5-4-1-3 | ||||
| - service.linux.system.cis.cis-5-4-1-4 | - service.linux.system.cis.cis-5-4-1-4 | ||||
| - service.linux.system.cis.cis-5-4-4 | |||||
| - service.linux.system.cis.cis-6-1-2 | - service.linux.system.cis.cis-6-1-2 | ||||
| - service.linux.system.cis.cis-6-1-3 | - service.linux.system.cis.cis-6-1-3 | ||||
| - service.linux.system.cis.cis-6-1-4 | - service.linux.system.cis.cis-6-1-4 |
Loading…