Ensure the Default Umask is Set Correctly in login.defs

Classification: compliance

Framework:

Control:

Description

To ensure the default umask controlled by /etc/login.defs is set properly, add or correct the UMASK setting in /etc/login.defs to read as follows:

UMASK 027

Rationale

The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read and written to by unauthorized users.
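As an added audit helper (not part of the ComplianceAsCode rule or its remediations), the bash functions below read the UMASK value from a login.defs-style file, compute the default modes that mask yields for new files (0666 with the mask bits cleared) and directories (0777 with the mask bits cleared), and report whether it is at least as restrictive as 027. They assume the last uncommented UMASK line is the one in effect and take the file path as an argument so they can be run against a copy.

```shell
#!/usr/bin/env bash
# Added audit helper (not part of the ComplianceAsCode rule): reads UMASK from a
# login.defs-style file and shows the default modes that mask produces.

# Print the effective UMASK value from FILE. Assumption: the last uncommented
# "UMASK <value>" line is the one in effect.
get_login_defs_umask() {
    LC_ALL=C awk '
        /^[[:space:]]*#/ { next }                  # skip comment lines
        $1 == "UMASK" && NF >= 2 { value = $2 }    # later lines override
        END { if (value != "") print value }
    ' "$1"
}

# effective_mode <octal-umask> file|dir -> octal mode a new file/dir receives
# (creat() base 0666, mkdir() base 0777, each with the umask bits cleared).
effective_mode() {
    local mask base
    mask=$(printf '%d' "0$1")        # leading 0 makes printf parse as octal
    case "$2" in
        file) base=438 ;;            # 0666
        dir)  base=511 ;;            # 0777
        *)    return 2 ;;
    esac
    printf '%o\n' "$(( base & ~mask ))"
}

# Returns 0 when FILE sets a UMASK at least as strict as 027 (group-write and
# all "other" bits cleared), 1 when unset or too permissive, 2 when malformed.
check_login_defs_umask() {
    local file="$1" val mask
    val=$(get_login_defs_umask "$file")
    if [ -z "$val" ]; then
        echo "$file: no UMASK line found"
        return 1
    fi
    case "$val" in
        [0-7][0-7][0-7]|[0-7][0-7][0-7][0-7]) ;;
        *) echo "$file: UMASK '$val' is not a valid octal mask"; return 2 ;;
    esac
    mask=$(printf '%d' "0$val")
    echo "$file: UMASK $val -> new files $(effective_mode "$val" file)," \
         "new directories $(effective_mode "$val" dir)"
    # Every bit of 027 (decimal 23) must be present in the configured mask.
    if [ $(( mask & 23 )) -eq 23 ]; then
        echo "  OK: at least as restrictive as 027"
        return 0
    fi
    echo "  FAIL: more permissive than 027 (group-writable or world-accessible defaults)"
    return 1
}
```

Run it as `check_login_defs_umask /etc/login.defs` on a host, or against a file copied from an image, to see both the configured mask and the modes it produces.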

Remediation

Shell script

The following script can be run on the host to remediate the issue.

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}\n' 'login' 2>/dev/null | grep -q installed; then

var_accounts_user_umask='027'


# Strip any search characters in the key arg so that the key can be replaced without
# adding any search characters to the config file.
stripped_key=$(sed 's/[\^=\$,;+]*//g' <<< "^UMASK")

# shellcheck disable=SC2059
printf -v formatted_output "%s %s" "$stripped_key" "$var_accounts_user_umask"

# If the key exists, change it. Otherwise, add it to the config_file.
# We search for the key string followed by a word boundary (matched by \>),
# so if we search for 'setting', 'setting2' won't match.
if LC_ALL=C grep -q -m 1 -i -e "^UMASK\\>" "/etc/login.defs"; then
    escaped_formatted_output=$(sed -e 's|/|\\/|g' <<< "$formatted_output")
    LC_ALL=C sed -i --follow-symlinks "s/^UMASK\\>.*/$escaped_formatted_output/gi" "/etc/login.defs"
else
    if [[ -s "/etc/login.defs" ]] && [[ -n "$(tail -c 1 -- "/etc/login.defs" || true)" ]]; then
        LC_ALL=C sed -i --follow-symlinks '$a'\\ "/etc/login.defs"
    fi
    printf '%s\n' "$formatted_output" >> "/etc/login.defs"
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - DISA-STIG-UBTU-20-010016
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSSv4-8.6.1
  - accounts_umask_etc_login_defs
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: XCCDF Value var_accounts_user_umask # promote to variable
  set_fact:
    var_accounts_user_umask: !!str 027
  tags:
  - always

- name: Check if UMASK is already set
  ansible.builtin.lineinfile:
    path: /etc/login.defs
    regexp: ^(\s*)UMASK\s+.*
    state: absent
  check_mode: true
  changed_when: false
  register: result_umask_is_set
  when: '"login" in ansible_facts.packages'
  tags:
  - DISA-STIG-UBTU-20-010016
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSSv4-8.6.1
  - accounts_umask_etc_login_defs
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Replace user UMASK in /etc/login.defs
  ansible.builtin.replace:
    path: /etc/login.defs
    regexp: ^(\s*)UMASK(\s+).*
    replace: \g<1>UMASK\g<2>{{ var_accounts_user_umask }}
  when:
  - '"login" in ansible_facts.packages'
  - result_umask_is_set.found > 0
  tags:
  - DISA-STIG-UBTU-20-010016
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSSv4-8.6.1
  - accounts_umask_etc_login_defs
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy

- name: Ensure the Default UMASK is Appended Correctly
  ansible.builtin.lineinfile:
    create: true
    path: /etc/login.defs
    line: UMASK {{ var_accounts_user_umask }}
  when:
  - '"login" in ansible_facts.packages'
  - result_umask_is_set.found == 0
  tags:
  - DISA-STIG-UBTU-20-010016
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSSv4-8.6.1
  - accounts_umask_etc_login_defs
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - restrict_strategy