瀏覽代碼
CIS 5.4.4
* 5.4.4 Ensure default user umask is 027 or more restrictive (Scored) Change-Id: Idc219e7f6e8ab4b7e3d24a36f95f8aab4eff3160 Related-Prod: PROD-18386pull/170/head
Dmitry Teselkin
6 年之前
+ 57
- 0
metadata/service/system/cis/cis-5-4-4.yml
查看文件
| @@ -0,0 +1,57 @@ | |||
| # CIS 5.4.4 Ensure default user umask is 027 or more restrictive (Scored) | |||
| # | |||
| # Description | |||
| # =========== | |||
| # The default umask determines the permissions of files created by users. | |||
| # The user creating the file has the discretion of making their files and | |||
| # directories readable by others via the chmod command. Users who wish to | |||
| # allow their files and directories to be readable by others by default may | |||
| # choose a different default umask by inserting the umask command into the | |||
| # standard shell configuration files ( .profile , .bashrc , etc.) in their | |||
| # home directories. | |||
| # | |||
| # Rationale | |||
| # ========= | |||
| # Setting a very secure default value for umask ensures that users make a | |||
| # conscious choice about their file permissions. A default umask setting of | |||
| # 077 causes files and directories created by users to not be readable by | |||
| # any other user on the system. A umask of 027 would make files and | |||
| # directories readable by users in the same Unix group, while a umask of 022 | |||
| # would make files readable by every user on the system. | |||
| # | |||
| # Audit | |||
| # ===== | |||
| # Run the following commands and verify all umask lines returned are 027 or | |||
| # more restrictive. | |||
| # | |||
| # # grep "^umask" /etc/bash.bashrc | |||
| # umask 027 | |||
| # # grep "^umask" /etc/profile | |||
| # umask 027 | |||
| # | |||
| # Remediation | |||
| # =========== | |||
| # Edit the /etc/bash.bashrc and /etc/profile files (and the appropriate files | |||
| # for any other shell supported on your system) and add or edit any umask | |||
| # parameters as follows: | |||
| # | |||
| # umask 027 | |||
| # | |||
| # Notes | |||
| # ===== | |||
| # The audit and remediation in this recommendation apply to bash and shell. | |||
| # If other shells are supported on the system, it is recommended that their | |||
| # configuration files also are checked. | |||
| # | |||
| # Other methods of setting a default user umask exist however the shell | |||
| # configuration files are the last run and will override other settings if | |||
| # they exist therefore our recommendation is to configure in the shell | |||
| # configuration files. If other methods are in use in your environment they | |||
| # should be audited and the shell configs should be verified to not override. | |||
| # | |||
| parameters: | |||
| linux: | |||
| system: | |||
| shell: | |||
| umask: "027" | |||
+ 1
- 0
metadata/service/system/cis/init.yml
查看文件
| @@ -35,6 +35,7 @@ classes: | |||
| - service.linux.system.cis.cis-5-4-1-2 | |||
| - service.linux.system.cis.cis-5-4-1-3 | |||
| - service.linux.system.cis.cis-5-4-1-4 | |||
| - service.linux.system.cis.cis-5-4-4 | |||
| - service.linux.system.cis.cis-6-1-2 | |||
| - service.linux.system.cis.cis-6-1-3 | |||
| - service.linux.system.cis.cis-6-1-4 | |||
Loading…