metadata/service/system/cis/cis-5-4-4.yml - salt-formulas/linux - Gitiles

 # CIS 5.4.4 Ensure default user umask is 027 or more restrictive (Scored)
 #
 # Description
 # ===========
 # The default umask determines the permissions of files created by users.
 # The user creating the file has the discretion of making their files and
 # directories readable by others via the chmod command. Users who wish to
 # allow their files and directories to be readable by others by default may
 # choose a different default umask by inserting the umask command into the
 # standard shell configuration files ( .profile , .bashrc , etc.) in their
 # home directories.
 #
 # Rationale
 # =========
 # Setting a very secure default value for umask ensures that users make a
 # conscious choice about their file permissions. A default umask setting of
 # 077 causes files and directories created by users to not be readable by
 # any other user on the system. A umask of 027 would make files and
 # directories readable by users in the same Unix group, while a umask of 022
 # would make files readable by every user on the system.
 #
 # Audit
 # =====
 # Run the following commands and verify all umask lines returned are 027 or
 # more restrictive.
 #
 #   # grep "^umask" /etc/bash.bashrc
 #   umask 027
 #   # grep "^umask" /etc/profile
 #   umask 027
 #
 # Remediation
 # ===========
 # Edit the /etc/bash.bashrc and /etc/profile files (and the appropriate files
 # for any other shell supported on your system) and add or edit any umask
 # parameters as follows:
 #
 #   umask 027
 #
 # Notes
 # =====
 # The audit and remediation in this recommendation apply to bash and shell.
 # If other shells are supported on the system, it is recommended that their
 # configuration files also are checked.
 #
 # Other methods of setting a default user umask exist however the shell
 # configuration files are the last run and will override other settings if
 # they exist therefore our recommendation is to configure in the shell
 # configuration files. If other methods are in use in your environment they
 # should be audited and the shell configs should be verified to not override.
 #
 parameters:
   linux:
     system:
       shell:
         umask: "027"
	# CIS 5.4.4 Ensure default user umask is 027 or more restrictive (Scored)
	#
	# Description
	# ===========
	# The default umask determines the permissions of files created by users.
	# The user creating the file has the discretion of making their files and
	# directories readable by others via the chmod command. Users who wish to
	# allow their files and directories to be readable by others by default may
	# choose a different default umask by inserting the umask command into the
	# standard shell configuration files ( .profile , .bashrc , etc.) in their
	# home directories.
	#
	# Rationale
	# =========
	# Setting a very secure default value for umask ensures that users make a
	# conscious choice about their file permissions. A default umask setting of
	# 077 causes files and directories created by users to not be readable by
	# any other user on the system. A umask of 027 would make files and
	# directories readable by users in the same Unix group, while a umask of 022
	# would make files readable by every user on the system.
	#
	# Audit
	# =====
	# Run the following commands and verify all umask lines returned are 027 or
	# more restrictive.
	#
	# # grep "^umask" /etc/bash.bashrc
	# umask 027
	# # grep "^umask" /etc/profile
	# umask 027
	#
	# Remediation
	# ===========
	# Edit the /etc/bash.bashrc and /etc/profile files (and the appropriate files
	# for any other shell supported on your system) and add or edit any umask
	# parameters as follows:
	#
	# umask 027
	#
	# Notes
	# =====
	# The audit and remediation in this recommendation apply to bash and shell.
	# If other shells are supported on the system, it is recommended that their
	# configuration files also are checked.
	#
	# Other methods of setting a default user umask exist however the shell
	# configuration files are the last run and will override other settings if
	# they exist therefore our recommendation is to configure in the shell
	# configuration files. If other methods are in use in your environment they
	# should be audited and the shell configs should be verified to not override.
	#
	parameters:
	linux:
	system:
	shell:
	umask: "027"