Ensure sudo umask is appropriate - sudo umask
An XCCDF Rule
Description
The sudo umask tag, when specified, will be added to the user's umask in the command environment. On Red Hat Enterprise Linux 7, the default umask value is 0022.
The umask should be configured by making sure that the umask= tag exists in the /etc/sudoers configuration file or in any sudo configuration snippet in /etc/sudoers.d/.
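The following POSIX shell script is an added example, not part of the SCAP Security Guide content for this rule. It audits a set of sudoers files for a "Defaults umask=" setting, compares the value found against an expected one, and computes the umask a command actually receives under sudo (the sudoers(5) umask option is OR-ed with the invoking user's umask unless umask_override is set, so the result is never more permissive than either input). The function names and the sample files it builds are constructed for the example; on a live system you would pass /etc/sudoers and /etc/sudoers.d/* instead.

```shell
#!/bin/sh
# Added example (not SCAP Security Guide content): audit sudoers files for a
# "Defaults umask=" setting and compute the umask a command run via sudo gets.
# File paths are supplied by the caller, so run_demo exercises the functions on
# constructed sample files rather than on the live /etc/sudoers.

# sudo_umask_setting FILE...
# Prints the last umask value set on an uncommented "Defaults" line across the
# given files, or "none" if no such line exists.
sudo_umask_setting() {
    found="none"
    for f in "$@"; do
        [ -f "$f" ] || continue
        # "Defaults" line, not commented out, carrying umask=NNN or umask=NNNN;
        # the second grep extracts just the umask=... token from matching lines.
        val=$(grep -E '^[[:space:]]*Defaults[^#]*umask=[0-7]{3,4}' "$f" \
              | grep -oE 'umask=[0-7]{3,4}' | tail -n 1 | cut -d= -f2)
        [ -n "$val" ] && found="$val"
    done
    echo "$found"
}

# check_sudo_umask EXPECTED FILE...
# Returns 0 when the configured umask equals EXPECTED, 1 otherwise.
check_sudo_umask() {
    expected="$1"; shift
    [ "$(sudo_umask_setting "$@")" = "$expected" ]
}

# effective_sudo_umask USER_UMASK SUDO_UMASK
# Without umask_override, sudo applies the union (bitwise OR) of the invoking
# user's umask and the sudoers value; the leading 0 forces octal arithmetic.
effective_sudo_umask() {
    printf '%04o\n' "$(( 0$1 | 0$2 ))"
}

# run_demo: constructed stand-ins for /etc/sudoers and a /etc/sudoers.d snippet.
# Returns 0 when the constructed configuration is compliant with umask 0027.
run_demo() {
    demo_dir=$(mktemp -d)
    cat > "$demo_dir/sudoers" <<'EOF'
# Defaults umask=0000    <- commented out, must be ignored by the audit
Defaults    !visiblepw
Defaults    env_reset
EOF
    cat > "$demo_dir/10-umask" <<'EOF'
Defaults    umask=0027
EOF
    echo "main file only:   $(sudo_umask_setting "$demo_dir/sudoers")"
    echo "with snippet:     $(sudo_umask_setting "$demo_dir/sudoers" "$demo_dir/10-umask")"
    echo "user 0002 + sudo: $(effective_sudo_umask 0002 0027)"
    echo "user 0077 + sudo: $(effective_sudo_umask 0077 0022)"
    check_sudo_umask 0027 "$demo_dir/sudoers" "$demo_dir/10-umask"
    status=$?
    rm -rf "$demo_dir"
    return $status
}
```

Run it as `sh audit_sudo_umask.sh` after appending `run_demo`, or source the file and call `check_sudo_umask 0027 /etc/sudoers /etc/sudoers.d/*` for a real audit. Note that a PAM configuration can set its own umask that overrides the sudoers value, so the computed effective umask reflects sudo's own behaviour only.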
Rationale
The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.
- ID
- xccdf_org.ssgproject.content_rule_sudo_add_umask
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: XCCDF Value var_sudo_umask # promote to variable
  set_fact:
    var_sudo_umask: !!str <xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_sudo_umask" use="legacy"/>
  tags:
    - always
Remediation - Shell Script
var_sudo_umask='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_sudo_umask" use="legacy"/>'
# Only proceed when the current sudoers file parses cleanly (-c check, -q quiet, -f file)
if /usr/sbin/visudo -qcf /etc/sudoers; then
    : # remediation body not reproduced on this page
fi