Ensure the Default Umask is Set Correctly in login.defs
An XCCDF Rule
Description
To ensure the default umask controlled by /etc/login.defs
is set properly,
add or correct the UMASK
setting in /etc/login.defs
to read as follows:
UMASK
Rationale
The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and written to by unauthorized users.
- ID
- xccdf_org.ssgproject.content_rule_accounts_umask_etc_login_defs
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'login' 2>/dev/null | grep -q installed; then
var_accounts_user_umask='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_user_umask" use="legacy"/>'
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- NIST-800-53-AC-6(1)
- NIST-800-53-CM-6(a)