Ensure sudo umask is appropriate - sudo umask

An XCCDF Rule

Description

The sudo umask tag, when specified, will be added the to the user's umask in the command environment. On Red Hat Enterprise Linux 7, the default umask value is 0022. The umask should be configured by making sure that the umask= tag exists in /etc/sudoers configuration file or any sudo configuration snippets in /etc/sudoers.d/.

Rationale

The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.

ID: xccdf_org.ssgproject.content_rule_sudo_add_umask
Severity: Medium
References: BP28(R58)
Updated: over 1 year ago

Remediation Templates

- name: XCCDF Value var_sudo_umask # promote to variable
  set_fact:
    var_sudo_umask: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_sudo_umask" use="legacy"/>
  tags:
    - always
- name: Ensure umask is enabled with the appropriate value in /etc/sudoers  lineinfile:
    path: /etc/sudoers
    regexp: ^[\s]*Defaults\s(.*)\bumask=[-]?.+\b(.*)$
    line: Defaults \1umask={{ var_sudo_umask }}\2
    validate: /usr/sbin/visudo -cf %s
    backrefs: true
  register: edit_sudoers_umask_option
  tags:
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_add_umask

- name: Enable umask option with appropriate value in /etc/sudoers
  lineinfile:
    path: /etc/sudoers
    line: Defaults umask={{ var_sudo_umask }}
    validate: /usr/sbin/visudo -cf %s
  when: edit_sudoers_umask_option is defined and not edit_sudoers_umask_option.changed
  tags:
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy
  - sudo_add_umask

var_sudo_umask='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_sudo_umask" use="legacy"/>'


if /usr/sbin/visudo -qcf /etc/sudoers; then
    cp /etc/sudoers /etc/sudoers.bak
    if ! grep -P '^[\s]*Defaults[\s]*\bumask=\w+\b\b.*$' /etc/sudoers; then        # sudoers file doesn't define Option umask
        echo "Defaults umask=${var_sudo_umask}" >> /etc/sudoers
    else
        # sudoers file defines Option umask, remediate if appropriate value is not set
        if ! grep -P "^[\s]*Defaults.*\bumask=${var_sudo_umask}\b.*$" /etc/sudoers; then
            
            escaped_variable=${var_sudo_umask//$'/'/$'\/'}
            sed -Ei "s/(^[\s]*Defaults.*\bumask=)[-]?.+(\b.*$)/\1$escaped_variable\2/" /etc/sudoers
        fi
    fi
    
    # Check validity of sudoers and cleanup bak
    if /usr/sbin/visudo -qcf /etc/sudoers; then
        rm -f /etc/sudoers.bak
    else
        echo "Fail to validate remediated /etc/sudoers, reverting to original file."
        mv /etc/sudoers.bak /etc/sudoers
        false
    fi
else
    echo "Skipping remediation, /etc/sudoers failed to validate"
    false
fi

Ensure sudo umask is appropriate - sudo umask

Description

Rationale

Remediation Templates

An Ansible Snippet

A Shell Script