Set Daemon Umask
An XCCDF Rule
Description
The file /etc/init.d/functions includes initialization parameters for most or all daemons started at boot time. Many daemons on the system already individually restrict themselves to a umask of 077 in their own init scripts. By default, the umask of 022 is set, which prevents creation of group- or world-writable files.
To set the umask for daemons expected by the profile, edit the following line:
umask
Functionality Warning
Setting the umask to too restrictive a setting can cause serious errors at runtime.
Rationale
The umask influences the permissions assigned to files created by a process at run time. An unnecessarily permissive umask could result in files being created with insecure permissions.
- ID: xccdf_org.ssgproject.content_rule_umask_for_daemons
- Severity: Unknown
- References
- Updated
Remediation - Shell Script
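var_umask_for_daemons='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_umask_for_daemons" use="legacy"/>'
if grep -q '^umask' /etc/init.d/functions; then  # an active umask line exists
    sed -i "s/^umask.*/umask $var_umask_for_daemons/" /etc/init.d/functions  # rewrite only lines that begin with umask
else  # no umask line present: append one so the setting is applied
    echo "umask $var_umask_for_daemons" >> /etc/init.d/functions
fi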
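A check to run after the remediation, added here as an example and not part of the SSG project's content: it reads the last active umask line from a file such as /etc/init.d/functions and reports whether that value masks at least every bit of a required umask. The function name check_daemon_umask, its return codes and the sample file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (hypothetical helper, not SSG code).
# check_daemon_umask FILE REQUIRED
#   returns 0  last active umask masks every bit set in REQUIRED
#   returns 1  a umask line exists but leaves a required bit unmasked
#   returns 2  no line of the form "umask NNN" starts a line in FILE
check_daemon_umask() {
    file=$1
    required=$2
    # A sourced file applies umask commands in order, so the last one wins.
    # Commented lines ("# umask 077") do not start with "umask" and are skipped.
    current=$(awk '/^umask[ \t]/ && $2 ~ /^[0-7][0-7][0-7][0-7]?$/ { v = $2 }
                   END { print v }' "$file")
    [ -n "$current" ] || return 2
    # Octal bit test: REQUIRED must be a subset of CURRENT.
    # Example: 022 & 027 = 022, which is not 027, so 022 fails a 027 policy.
    [ $(( 0$current & 0$required )) -eq $(( 0$required )) ] || return 1
    return 0
}

# Constructed sample standing in for /etc/init.d/functions.
sample=$(mktemp)
printf '%s\n' '# some daemons use umask 077 in their own scripts' \
              'umask 022' > "$sample"

for want in 022 027; do
    rc=0
    check_daemon_umask "$sample" "$want" || rc=$?
    echo "required umask $want -> result $rc"
done
rm -f "$sample"
```

A stricter configured value passes a looser requirement (077 satisfies 027), which matches the note above that many daemons already restrict themselves to 077.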