Ensure the Default C Shell Umask is Set Correctly

Classification:

compliance

Framework:

Control:

Description

To ensure the default umask for users of the C shell is set properly, add or correct the umask setting in /etc/csh.cshrc to read as follows. This file is read by both csh and tcsh at startup and therefore sets the system-wide default; a user's own ~/.cshrc is read afterwards and can still override it.

umask 027

Rationale

The umask value determines which permission bits are removed from files and directories when they are created. With umask 027 a newly created file (requested mode 666) defaults to 640 and a new directory (requested mode 777) to 750, so group members cannot write to it and other users have no access at all. A misconfigured or overly permissive umask (022 or 000, for example) results in files that can be read or written by unauthorized users.
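As an added audit helper that is not part of the original rule content, the following POSIX shell script shows how to check what a csh.cshrc file actually does rather than what it appears to contain: it reports the umask set by the last uncommented umask line, the default file and directory modes that mask produces, and whether the mask is at least as restrictive as 027. The function names, the acceptance policy (stricter masks such as 077 also pass) and the sample file content are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the ComplianceAsCode rule text: audit helpers for
# the umask a csh.cshrc file would apply.  Function names, the acceptance
# policy and the sample file content below are this example's assumptions.

# Print the octal umask set by the LAST uncommented "umask" line in file $1,
# or "unset" when there is none.  csh ignores text after '#', so a
# commented-out "#umask 027" does not count.  Conditionals (if/endif) are not
# evaluated; the last umask line in file order wins.
effective_umask() {
    awk '
        /^[[:space:]]*#/ { next }                        # comment line
        /^[[:space:]]*umask[[:space:]]+[0-7]+/ {
            sub(/^[[:space:]]*umask[[:space:]]+/, "")   # strip the keyword
            match($0, /^[0-7]+/)                        # keep the digits only
            last = substr($0, RSTART, RLENGTH)
        }
        END { print (last == "" ? "unset" : last) }
    ' "$1"
}

# Default mode a process gets for a new file (base 666) or directory (base 777)
# under octal umask $2: every bit set in the mask is cleared from the base.
mode_for_umask() {
    printf '%04o' $(( 0$1 & ~0$2 ))
}

# Succeed (return 0) when the file's effective umask clears at least the bits
# that 027 clears: group write and everything for others.  Accepting stricter
# masks such as 077 is this example's policy choice, not the rule's wording.
check_csh_umask() {
    u=$(effective_umask "$1")
    [ "$u" != "unset" ] || return 1
    [ $(( 0$u & 0027 )) -eq $(( 0027 )) ]
}

# Constructed sample of a non-compliant /etc/csh.cshrc (not taken from a real
# host): the active setting is the indented "umask 022", not the comment.
SAMPLE_CSHRC=$(mktemp)
cat > "$SAMPLE_CSHRC" <<'EOF'
# /etc/csh.cshrc - system-wide csh/tcsh startup file (constructed sample)
if ($?prompt) then
    set prompt = '%n@%m:%~%# '
endif
#umask 027
    umask 022   # still lets group and others read every new file
EOF

u=$(effective_umask "$SAMPLE_CSHRC")
if [ "$u" = "unset" ]; then
    echo "FAIL: no umask set in $SAMPLE_CSHRC"
else
    printf 'effective umask %s -> new files %s, new directories %s\n' \
        "$u" "$(mode_for_umask 666 "$u")" "$(mode_for_umask 777 "$u")"
    if check_csh_umask "$SAMPLE_CSHRC"; then
        echo "PASS: umask is at least as restrictive as 027"
    else
        echo "FAIL: umask $u is too permissive; set 'umask 027' in /etc/csh.cshrc"
    fi
fi
rm -f "$SAMPLE_CSHRC"
```

Run it against the real file with `check_csh_umask /etc/csh.cshrc` after sourcing the functions; on the constructed sample it reports umask 022 (files 0644, directories 0755) and fails, which is exactly the case the remediation in the next section fixes. Taking the last uncommented line matters because a remediation that only appends a new `umask 027` after an earlier `umask 022` does produce the right result, while a commented-out `#umask 027` does not.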

Remediation

Shell script

The following script can be run on the host to remediate the issue.

var_accounts_user_umask='027'

# Rewrite an existing umask line in place.  If grep finds no such line (or
# /etc/csh.cshrc does not exist yet), the && chain fails and the umask line
# is appended instead, creating the file if necessary.
grep -q "^\s*umask" /etc/csh.cshrc && \
  sed -i -E -e "s/^(\s*umask).*/\1 $var_accounts_user_umask/g" /etc/csh.cshrc
if ! [ $? -eq 0 ]; then
  echo "umask $var_accounts_user_umask" >> /etc/csh.cshrc
fi

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: XCCDF Value var_accounts_user_umask # promote to variable
  set_fact:
    # !!str keeps YAML from reading 027 as the octal integer 23
    var_accounts_user_umask: !!str 027
  tags:
    - always

- name: Check if umask in /etc/csh.cshrc is already set
  ansible.builtin.lineinfile:
    path: /etc/csh.cshrc
    regexp: ^(\s*)umask\s+.*
    state: absent
  # check mode only counts the matching lines (registered as .found);
  # nothing is actually removed from the file
  check_mode: true
  changed_when: false
  register: umask_replace
  tags:
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - accounts_umask_etc_csh_cshrc
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Replace user umask in /etc/csh.cshrc
  ansible.builtin.replace:
    path: /etc/csh.cshrc
    regexp: ^(\s*)umask(\s+).*
    # \g<1> and \g<2> preserve the original indentation and spacing
    replace: \g<1>umask\g<2>{{ var_accounts_user_umask }}
  when: umask_replace.found > 0
  tags:
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - accounts_umask_etc_csh_cshrc
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Ensure the Default umask is Appended Correctly
  ansible.builtin.lineinfile:
    create: true
    path: /etc/csh.cshrc
    line: umask {{ var_accounts_user_umask }}
  when: umask_replace.found == 0
  tags:
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - accounts_umask_etc_csh_cshrc
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy