
Set Daemon Umask

An XCCDF Rule

Description

The file /etc/init.d/functions includes initialization parameters for most or all daemons started at boot time, and the umask it sets applies to every daemon that does not set its own. Many daemons on the system already restrict themselves to a umask of 077 in their own init scripts. The default umask of 022 prevents creation of group- or world-writable files. To set the umask that the profile expects for daemons that rely on this default, edit the following line:

umask 

Functionality Warning

Setting the umask too restrictively can cause serious errors at runtime: a daemon that expects other users or services to read the files it creates (sockets, PID files, log files) will instead create them unreadable to anyone but its own user.

Rationale

The umask influences the permissions assigned to files created by a process at run time. An unnecessarily permissive umask could result in files being created with insecure permissions.

ID
xccdf_org.ssgproject.content_rule_umask_for_daemons
Severity
Unknown
References
Updated



Remediation - Shell Script


var_umask_for_daemons='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_umask_for_daemons" use="legacy"/>'


# Anchor the pattern at the start of the line: an unanchored "umask.*" would
# also rewrite comment lines that merely mention umask. If no line starts with
# "umask", the grep fails and nothing is changed.
grep -q '^umask' /etc/init.d/functions && \
  sed -i "s/^umask.*/umask $var_umask_for_daemons/" /etc/init.d/functions
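The following script is an added example and is not part of the SSG rule or its remediation. It shows what the daemon umask does to the files and directories a process creates, then audits and rewrites the umask line in a scratch copy of /etc/init.d/functions instead of the live file, reporting (rather than silently passing) when the file has no umask line at all. The excerpt stored in SAMPLE_FUNCTIONS is constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the SSG rule or remediation. Demonstrates the
# effect of the daemon umask and audits/rewrites the umask line in a scratch
# copy of /etc/init.d/functions. SAMPLE_FUNCTIONS is a constructed excerpt;
# the function names are this example's own.

# Constructed excerpt of /etc/init.d/functions. A real file is far longer;
# the only line this rule cares about is the one starting with "umask".
SAMPLE_FUNCTIONS='# -*-Shell-script-*-
# functions   This file contains functions to be used by most or all
#             shell scripts in the /etc/init.d directory.
# The umask below applies to every daemon that does not set its own.
umask 022

TEXTDOMAIN=initscripts
'

# mode_for_umask MASK BASE: octal mode a process running under MASK gets when
# it asks for BASE (0666 for files, 0777 for directories): BASE & ~MASK.
mode_for_umask() {
    printf '%04o\n' $(( 0$2 & ~0$1 ))
}

# perm_string_under_umask MASK: create a file and a directory under MASK in a
# scratch directory and print their ls(1) permission strings, e.g.
# "-rw-r--r-- drwxr-xr-x" for 022.
perm_string_under_umask() {
    d=$(mktemp -d) || return 1
    ( umask "$1" && : > "$d/file" && mkdir "$d/dir" ) || { rm -rf "$d"; return 1; }
    printf '%s %s\n' "$(ls -ld "$d/file" | cut -c1-10)" \
                     "$(ls -ld "$d/dir"  | cut -c1-10)"
    rm -rf "$d"
}

# current_daemon_umask FILE: print the mask from the first line of FILE that
# starts with "umask", or nothing if there is none (in which case the
# grep-guarded remediation above would silently change nothing).
current_daemon_umask() {
    sed -n 's/^umask[[:space:]]\{1,\}\([0-7]\{3,4\}\).*/\1/p' "$1" | head -n 1
}

# set_daemon_umask FILE MASK: rewrite the umask line in place. Returns 1 and
# leaves FILE untouched if no such line exists, and 2 for a malformed mask.
# Only lines starting with "umask" are touched, so a comment that merely
# mentions umask is left alone. Writing back with cat instead of mv keeps the
# file's owner and mode, which matters for a file sourced by every init script.
set_daemon_umask() {
    file=$1 mask=$2
    case $mask in
        [0-7][0-7][0-7] | [0-7][0-7][0-7][0-7]) ;;
        *) echo "set_daemon_umask: invalid umask '$mask'" >&2; return 2 ;;
    esac
    grep -q '^umask' "$file" || return 1
    tmp=$(mktemp) || return 1
    sed "s/^umask.*/umask $mask/" "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Demonstration on a scratch copy, never on the live /etc/init.d/functions.
scratch=$(mktemp)
printf '%s' "$SAMPLE_FUNCTIONS" > "$scratch"
before=$(current_daemon_umask "$scratch")
echo "before: umask $before -> expected file mode $(mode_for_umask "$before" 666), observed $(perm_string_under_umask "$before")"
set_daemon_umask "$scratch" 027
after=$(current_daemon_umask "$scratch")
echo "after:  umask $after -> expected file mode $(mode_for_umask "$after" 666), observed $(perm_string_under_umask "$after")"
rm -f "$scratch"
```

The script runs as an unprivileged user and only touches temporary files. Pointing set_daemon_umask at the real /etc/init.d/functions requires root; the return code of 1 on a file with no umask line is the case worth alerting on, because a compliance scan that only greps for "umask 027" would otherwise report the file as compliant by accident.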