5.4.4 Ensure default user umask is 027 or more restrictive (Scored)

Level 1 - Server
Level 1 - Workstation 

The default umask determines the permissions of files created by users. The user creating the file has the discretion of making their files and directories readable by others via the chmod command. Users who wish to allow their files and directories to be readable by others by default may choose a different default umask by inserting the umask command into the standard shell configuration files (.profile, .bashrc, etc.) in their home directories.

Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions. A default umask setting of 077 causes files and directories created by users to not be readable by any other user on the system. A umask of 027 would make files and directories readable by users in the same Unix group, while a umask of 022 would make files readable by every user on the system.

Run the following commands and verify all umask lines returned are 027 or more restrictive.

# grep "^umask" /etc/bash.bashrc 
umask 027 
# grep "^umask" /etc/profile 
umask 027

Edit the /etc/bash.bashrc and /etc/profile files (and the appropriate files for any other shell supported on your system) and add or edit any umask parameters as follows:

umask 027

The audit and remediation in this recommendation apply to bash and shell. If other shells are supported on the system, it is recommended that their configuration files also are checked.

Other methods of setting a default user umask exist however the shell configuration files are the last run and will override other settings if they exist therefore our recommendation is to configure in the shell configuration files. If other methods are in use in your environment they should be audited and the shell configs should be verified to not override.

  • ubuntu1604/5/4/4.txt
  • Last modified: 2017/05/04 13:19
  • by