Dmitry Teselkin | 579f6df | 2018-09-28 16:05:30 +0300

# CIS 5.4.4 Ensure default user umask is 027 or more restrictive (Scored)
#
# Description
# ===========
# The default umask determines the permissions of files created by users.
# The user creating the file has the discretion of making their files and
# directories readable by others via the chmod command. Users who wish to
# allow their files and directories to be readable by others by default may
# choose a different default umask by inserting the umask command into the
# standard shell configuration files (.profile, .bashrc, etc.) in their
# home directories.
#
# Rationale
# =========
# Setting a very secure default value for umask ensures that users make a
# conscious choice about their file permissions. A default umask setting of
# 077 causes files and directories created by users to not be readable by
# any other user on the system. A umask of 027 would make files and
# directories readable (but not writable) by users in the same Unix group,
# while a umask of 022 would make files readable by every user on the system.
#
# Audit
# =====
# Run the following commands and verify all umask lines returned are 027 or
# more restrictive. Note that the anchored pattern only matches a umask
# directive at the very start of a line; an indented directive (for example
# inside an if block) is not returned and must be checked separately.
#
# # grep "^umask" /etc/bash.bashrc
# umask 027
# # grep "^umask" /etc/profile
# umask 027
#
# Remediation
# ===========
# Edit the /etc/bash.bashrc and /etc/profile files (and the appropriate files
# for any other shell supported on your system) and add or edit any umask
# parameters as follows:
#
# umask 027
#
# Notes
# =====
# The audit and remediation in this recommendation apply to bash and sh.
# If other shells are supported on the system, it is recommended that their
# configuration files also be checked.
#
# Other methods of setting a default user umask exist (for example the UMASK
# setting in /etc/login.defs and pam_umask); however, the shell configuration
# files run last and override those settings if they exist, so the
# recommendation is to configure the umask in the shell configuration files.
# If other methods are in use in your environment, audit them as well and
# verify that the shell configuration files do not override them with a
# weaker value.
#
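As an added example (not part of this file or of the CIS benchmark text), the following POSIX sh script implements the audit and remediation above as reusable functions. It treats "027 or more restrictive" as a permission-bit test rather than a string comparison, so 077, 037 and 0027 pass while 022, 026 and 007 fail; it also matches an indented umask directive, which the benchmark's anchored grep would miss; and it writes changes back through a temporary file so the edited configuration file keeps its owner and mode. The function names, the file names used for stand-alone invocation and the sample files are this example's own.

```shell
#!/bin/sh
# Added example for the CIS 5.4.4 umask check. Not part of the original
# file or the benchmark; assumes a POSIX sh with sed and grep.

# umask_ok VALUE: succeed if octal VALUE is 027 or more restrictive.
# 027 removes group write and all "other" permission bits, so VALUE must
# remove those same bits: its group digit needs the write bit (2, 3, 6 or 7)
# and its other digit must be 7. 077, 037 and 0027 pass; 022, 026 and 007 fail.
umask_ok() {
    v="$1"
    case "$v" in
        [0-7][0-7][0-7]) ;;                 # three octal digits
        0[0-7][0-7][0-7]) v="${v#0}" ;;     # four digits, as `umask` prints them
        *) return 1 ;;                      # anything else is not a valid value
    esac
    g="${v#?}"; g="${g%?}"                  # middle digit: group
    o="${v#??}"                             # last digit: other
    case "$g" in 2|3|6|7) ;; *) return 1 ;; esac
    [ "$o" = 7 ]
}

# audit_umask_file FILE: report every umask directive in FILE and succeed
# only if there is at least one and all of them pass umask_ok. Unlike the
# benchmark's grep "^umask", this also matches an indented directive.
audit_umask_file() {
    f="$1"; found=0; rc=0
    [ -r "$f" ] || { echo "FAIL $f: missing or unreadable"; return 1; }
    for val in $(sed -n 's/^[[:space:]]*umask[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' "$f"); do
        found=1
        if umask_ok "$val"; then
            echo "OK   $f: umask $val"
        else
            echo "FAIL $f: umask $val (not 027 or more restrictive)"; rc=1
        fi
    done
    [ "$found" -eq 1 ] || { echo "FAIL $f: no umask directive"; rc=1; }
    return "$rc"
}

# audit_umask_files FILE...: audit each file; succeed only if all pass.
# Uses its own status variable because POSIX sh has no local variables.
audit_umask_files() {
    all_rc=0
    for file in "$@"; do audit_umask_file "$file" || all_rc=1; done
    return "$all_rc"
}

# remediate_umask_file FILE [VALUE]: rewrite every umask directive in FILE to
# VALUE (default 027), or append one if FILE has none. Refuses a VALUE weaker
# than 027. Writes through a temp file and copies the result back so FILE
# keeps its owner and mode.
remediate_umask_file() {
    f="$1"; want="${2:-027}"
    umask_ok "$want" || { echo "refusing umask $want: weaker than 027"; return 1; }
    [ -f "$f" ] || { echo "FAIL $f: no such file"; return 1; }
    tmp="$f.tmp.$$"
    if grep -q '^[[:space:]]*umask[[:space:]]' "$f"; then
        sed "s/^\([[:space:]]*umask[[:space:]]\{1,\}\)[^[:space:]#]*/\1$want/" "$f" > "$tmp"
    else
        { cat "$f"; echo "umask $want"; } > "$tmp"
    fi
    cat "$tmp" > "$f" && rm -f "$tmp"
}

# Stand-alone use: sh umask_check.sh /etc/bash.bashrc /etc/profile
if [ "$#" -gt 0 ]; then
    audit_umask_files "$@"
fi
```

A symbolic value such as `umask u=rwx,g=rx,o=` is reported as a failure by `umask_ok` because it is not an octal value; treat such lines as needing manual review rather than as proof of a weak setting.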
parameters:
  linux:
    system:
      shell:
        umask: "027"
