Ensure the Default C Shell Umask is Set Correctly
Description
To ensure the default umask for users of the C shell is set properly, add or correct the umask setting in /etc/csh.cshrc to read as follows:
Rationale
The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read or
written to by unauthorized users.
Shell script
The following script can be run on the host to remediate the issue.
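# Required default umask for C shell users
var_accounts_user_umask='027'

# If a umask line already exists, rewrite it in place
grep -q "^\s*umask" /etc/csh.cshrc && \
  sed -i -E -e "s/^(\s*umask).*/\1 $var_accounts_user_umask/g" /etc/csh.cshrc
# grep found no umask line (or sed failed): append the setting
if ! [ $? -eq 0 ]; then
    echo "umask $var_accounts_user_umask" >> /etc/csh.cshrc
fi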
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: XCCDF Value var_accounts_user_umask # promote to variable
  set_fact:
    var_accounts_user_umask: !!str 027
  tags:
    - always

- name: Check if umask in /etc/csh.cshrc is already set
  ansible.builtin.lineinfile:
    path: /etc/csh.cshrc
    regexp: ^(\s*)umask\s+.*
    state: absent
  check_mode: true
  changed_when: false
  register: umask_replace
  tags:
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - accounts_umask_etc_csh_cshrc
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Replace user umask in /etc/csh.cshrc
  ansible.builtin.replace:
    path: /etc/csh.cshrc
    regexp: ^(\s*)umask(\s+).*
    replace: \g<1>umask\g<2>{{ var_accounts_user_umask }}
  when: umask_replace.found > 0
  tags:
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - accounts_umask_etc_csh_cshrc
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Ensure the Default umask is Appended Correctly
  ansible.builtin.lineinfile:
    create: true
    path: /etc/csh.cshrc
    line: umask {{ var_accounts_user_umask }}
  when: umask_replace.found == 0
  tags:
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - accounts_umask_etc_csh_cshrc
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy
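Verification check (an added example, not part of the original rule content or the project's own check): the script below audits a csh.cshrc-style file and reports whether every umask line masks at least the bits of the required value, and shows the file mode a given umask produces. The function names, exit codes and the sample file are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit a csh.cshrc-style file for its umask setting.
# Function names and exit codes are this example's own conventions.

# Print the value of every uncommented "umask NNN" line in FILE ($1).
csh_umask_values() {
    sed -n -E 's/^[[:space:]]*umask[[:space:]]+([0-7]{1,4})[[:space:]]*(#.*)?$/\1/p' "$1"
}

# Return 0 if every umask in FILE masks at least the bits in REQUIRED,
# 1 if any umask line is weaker, 2 if FILE has no umask line at all.
# REQUIRED defaults to 027, the value used by the remediation above.
check_csh_umask() {
    file=$1
    required=${2:-027}
    values=$(csh_umask_values "$file")
    [ -n "$values" ] || return 2
    for v in $values; do
        # A leading 0 makes shell arithmetic read the digits as octal.
        if [ $(( 0$v & 0$required )) -ne $(( 0$required )) ]; then
            return 1
        fi
    done
    return 0
}

# Mode of a newly created regular file under umask $1 (0666 & ~umask).
new_file_mode() {
    printf '%03o\n' $(( 0666 & ~0$1 ))
}

# Constructed sample input (not a real system file).
sample=$(mktemp)
printf '%s\n' '# system-wide csh settings' 'umask 022' > "$sample"
if check_csh_umask "$sample"; then
    echo "compliant"
else
    echo "not compliant: new files would get mode $(new_file_mode 022)," \
         "required umask gives $(new_file_mode 027)"
fi
rm -f "$sample"
```

To audit a host, call `check_csh_umask /etc/csh.cshrc`. A value such as 077 passes because it masks every bit that 027 masks, while 022 fails because it leaves group write and world read unmasked.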