ExternalMirrors
/
linux-formula
mirror of https://github.com/salt-formulas/salt-formula-linux
Watch 1
Star 0
Fork 1
Code Issues 0 Releases 8 Wiki Activity
Saltstack Official Linux Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
778 Commits
26 Branches
Branch: master
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'master'
${ noResults }
linux-formula/metadata/service/system/cis/cis-5-4-4.yml

58 lines
2.1KB
Raw Permalink Blame History 

  1. # CIS 5.4.4 Ensure default user umask is 027 or more restrictive (Scored)

  2. #

  3. # Description

  4. # ===========

  5. # The default umask determines the permissions of files created by users.

  6. # The user creating the file has the discretion of making their files and

  7. # directories readable by others via the chmod command. Users who wish to

  8. # allow their files and directories to be readable by others by default may

  9. # choose a different default umask by inserting the umask command into the

  10. # standard shell configuration files ( .profile , .bashrc , etc.) in their

  11. # home directories.

  12. #

  13. # Rationale

  14. # =========

  15. # Setting a very secure default value for umask ensures that users make a

  16. # conscious choice about their file permissions. A default umask setting of

  17. # 077 causes files and directories created by users to not be readable by

  18. # any other user on the system. A umask of 027 would make files and

  19. # directories readable by users in the same Unix group, while a umask of 022

  20. # would make files readable by every user on the system.

  21. #

  22. # Audit

  23. # =====

  24. # Run the following commands and verify all umask lines returned are 027 or

  25. # more restrictive.

  26. #

  27. #   # grep "^umask" /etc/bash.bashrc

  28. #   umask 027

  29. #   # grep "^umask" /etc/profile

  30. #   umask 027

  31. #

  32. # Remediation

  33. # ===========

  34. # Edit the /etc/bash.bashrc and /etc/profile files (and the appropriate files

  35. # for any other shell supported on your system) and add or edit any umask

  36. # parameters as follows:

  37. #

  38. #   umask 027

  39. #

  40. # Notes

  41. # =====

  42. # The audit and remediation in this recommendation apply to bash and shell.

  43. # If other shells are supported on the system, it is recommended that their

  44. # configuration files also are checked.

  45. #

  46. # Other methods of setting a default user umask exist however the shell

  47. # configuration files are the last run and will override other settings if

  48. # they exist therefore our recommendation is to configure in the shell

  49. # configuration files. If other methods are in use in your environment they

  50. # should be audited and the shell configs should be verified to not override.

  51. #

  52. parameters:

  53.   linux:

  54.     system:

  55.       shell:

  56.         umask: "027"