5.4.4 Ensure default user umask is 027 or more restrictive (Scored) [SecScan]

This page is read only. You can view the source, but not change it. Ask your administrator if you think this is wrong.
======5.4.4 Ensure default user umask is 027 or more restrictive (Scored)======
=====Profile Applicability=====  
<code>
Level 1 - Server
Level 1 - Workstation 
</code>

=====Description=====
The default ''umask'' determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod command. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the ''umask'' command into the standard shell configuration files (''.profile'', ''.bashrc'', etc.) in their home directories.

=====Rationale=====
Setting a very secure default value for ''umask'' ensures that users make a conscious choice about their file permissions. A default ''umask'' setting of ''077'' causes files and directories created by users to not be readable by any other user on the system. A ''umask'' of ''027'' would make files and directories readable by users in the same Unix group, while a ''umask'' of ''022'' would make files readable by every user on the system.

=====Audit===== 
Run the following commands and verify all umask lines returned are 027 or more restrictive.
<Code:bash>
# grep "^umask" /etc/bashrc 
umask 027 
# grep "^umask" /etc/profile 
umask 027
</Code>

=====Remediation===== 
Edit the ''/etc/bashrc'' and ''/etc/profile'' files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows:
<Code:bash>
umask 027
</Code>

=====Notes=====
The audit and remediation in this recommendation apply to bash and shell. If other shells are supported on the system, it is recommended that their configuration files also are checked. \\ \\
Other methods of setting a default user umask exist however the shell configuration files are the last run and will override other settings if they exist therefore our recommendation is to configure in the shell configuration files. If other methods are in use in your environment they should be audited and the shell configs should be verified to not override.