# CIS 5.4.4 Ensure default user umask is 027 or more restrictive (Scored)
#
# Description
# ===========
# The default umask determines the permissions of files created by users.
# The user creating the file has the discretion of making their files and
# directories readable by others via the chmod command. Users who wish to
# allow their files and directories to be readable by others by default may
# choose a different default umask by inserting the umask command into the
# standard shell configuration files (.profile, .bashrc, etc.) in their
# home directories.
#
# Rationale
# =========
# Setting a restrictive default value for umask ensures that users make a
# conscious choice about their file permissions. A default umask setting of
# 077 causes files and directories created by users to not be readable by
# any other user on the system. A umask of 027 makes files and directories
# readable by users in the same Unix group, while a umask of 022 makes files
# readable by every user on the system.
#
# Audit
# =====
# Run the following commands and verify all umask lines returned are 027 or
# more restrictive. "More restrictive" is a bitwise property, not a numeric
# comparison: every permission bit that 027 clears must also be cleared, so
# 077 and 037 comply but 047 does not (it leaves group read enabled).
#
# # grep "^umask" /etc/bash.bashrc
# umask 027
# # grep "^umask" /etc/profile
# umask 027
#
# Remediation
# ===========
# Edit the /etc/bash.bashrc and /etc/profile files (and the appropriate files
# for any other shell supported on your system) and add or edit any umask
# parameters as follows:
#
# umask 027
#
# Notes
# =====
# The audit and remediation in this recommendation apply to bash
# (/etc/bash.bashrc) and the POSIX sh login shell (/etc/profile). If other
# shells are supported on the system, it is recommended that their
# configuration files also be checked.
#
# Other methods of setting a default user umask exist; however, the shell
# configuration files are run last and will override other settings if they
# exist, so our recommendation is to configure the umask in the shell
# configuration files. If other methods are in use in your environment they
# should be audited, and the shell configs should be verified not to override
# them with a weaker value.

parameters:
  linux:
    system:
      shell:
        umask: "027"
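#
# Added example (not part of the CIS benchmark text or of any project's own
# tooling): a POSIX sh script that implements the audit above and checks
# "027 or more restrictive" as a bitwise property rather than a numeric one.
# Function names, the --audit flag and the scratch-file demonstration are this
# example's own assumptions; the files it audits are the two the benchmark names.

```sh
#!/bin/sh
# Example audit helper for CIS 5.4.4 (added here; not benchmark or project code).
# It checks the two files the benchmark names; names below are the example's own.

# umask_ok VALUE: succeed when VALUE is 027 or more restrictive.
# "More restrictive" is bitwise: every bit that 027 clears must also be
# cleared, i.e. (VALUE & 027) == 027. A numeric compare would wrongly accept
# 047, which is larger than 027 but leaves group read enabled.
umask_ok() {
    case "$1" in
        ''|*[!0-7]*) return 2 ;;          # empty or not an octal number
    esac
    [ "${#1}" -le 4 ] || return 2        # umask values are 3 or 4 octal digits
    # A leading 0 makes $(( )) parse the value as octal (POSIX arithmetic).
    [ $(( (0$1 & 0027) == 0027 )) -eq 1 ]
}

# audit_umask_files FILE...: print PASS/FAIL for every umask line found and
# NONE for a file that sets no umask; succeed only if every file passes.
# The benchmark greps '^umask'; leading whitespace is tolerated here as well.
audit_umask_files() {
    rc=0
    for f in "$@"; do
        found=0
        hits=$(grep -n '^[[:space:]]*umask[[:space:]]' "$f" 2>/dev/null || :)
        while IFS= read -r hit; do
            [ -n "$hit" ] || continue
            found=1
            lineno=${hit%%:*}
            value=$(printf '%s\n' "${hit#*:}" | awk '{ print $2 }')
            if umask_ok "$value"; then
                printf 'PASS %s:%s umask %s\n' "$f" "$lineno" "$value"
            else
                printf 'FAIL %s:%s umask %s\n' "$f" "$lineno" "$value"
                rc=1
            fi
        done <<EOF
$hits
EOF
        if [ "$found" -eq 0 ]; then
            printf 'NONE %s sets no umask\n' "$f"
            rc=1
        fi
    done
    return "$rc"
}

# perms_under_umask MASK: create a scratch file under MASK in a temporary
# directory and print its mode string (e.g. -rw-r----- for 027) to show what
# the setting actually does to newly created files.
perms_under_umask() {
    d=$(mktemp -d) || return 1
    ( umask "$1" && : > "$d/f" ) || { rm -rf "$d"; return 1; }
    ls -l "$d/f" | cut -c1-10
    rm -rf "$d"
}

# Run the benchmark audit against the files CIS names when invoked with --audit.
case "${1:-}" in
    --audit) audit_umask_files /etc/bash.bashrc /etc/profile; exit $? ;;
esac
```

# Run it as `sh umask_audit.sh --audit` on a host; the exit status is the audit
# result, and each umask line found is reported individually so a compliant
# line followed by a weaker one later in the same file is still caught.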