5.4.4 Ensure default user umask is 027 or more restrictive (Scored)
Profile Applicability
Level 1 - Server Level 1 - Workstation
Description
The default umask
determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod command. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask
command into the standard shell configuration files (.profile
, .bashrc
, etc.) in their home directories.
Rationale
Setting a very secure default value for umask
ensures that users make a conscious choice about their file permissions. A default umask
setting of 077
causes files and directories created by users to not be readable by any other user on the system. A umask
of 027
would make files and directories readable by users in the same Unix group, while a umask
of 022
would make files readable by every user on the system.
Audit
Run the following commands and verify all umask lines returned are 027 or more restrictive.
# grep "^umask" /etc/bashrc umask 027 # grep "^umask" /etc/profile umask 027
Remediation
Edit the /etc/bashrc
and /etc/profile
files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows:
umask 027
Notes
The audit and remediation in this recommendation apply to bash and shell. If other shells are supported on the system, it is recommended that their configuration files also are checked.
Other methods of setting a default user umask exist however the shell configuration files are the last run and will override other settings if they exist therefore our recommendation is to configure in the shell configuration files. If other methods are in use in your environment they should be audited and the shell configs should be verified to not override.