Ensure the Default Umask is Set Correctly in /etc/profile

Classification: compliance

Framework:

Control:

Description

To ensure the default umask controlled by /etc/profile is set properly, add or correct the umask setting in /etc/profile to read as follows:

umask 027

Note that /etc/profile also sources the scripts in the /etc/profile.d directory. These scripts are equally valid places to set the umask value, so they must be included in the check and remediated as well where necessary.

Rationale

The umask value influences the permissions assigned to files when they are created. A misconfigured umask value could result in files with excessive permissions that can be read or written to by unauthorized users.
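The check side of this rule, as an added example that is not part of the ComplianceAsCode rule text or its remediation: a POSIX shell audit over the same file set the remediation rewrites (/etc/profile, /etc/profile.d/*.sh and /etc/profile.d/sh.local), reporting every active umask line that does not equal 027, together with the permission arithmetic the rationale refers to. It runs against a constructed temporary tree (the fixture contents and the `EXPECTED_UMASK` name are assumptions made here), so nothing on the host is touched.

```shell
#!/bin/sh
# Added example, not part of the ComplianceAsCode rule: an audit-only check over the
# file set the remediation touches (/etc/profile, /etc/profile.d/*.sh,
# /etc/profile.d/sh.local), plus the permission arithmetic behind the rationale.
# It runs against a constructed directory tree so nothing on the host is modified.

EXPECTED_UMASK=027

# Mode a newly created object receives: the kernel takes the mode the program asks
# for (0666 for a regular file, 0777 for a directory) and clears every bit in the umask.
effective_mode() {  # $1 = umask in octal digits, $2 = file|dir
    base=438                             # 0666 in decimal
    [ "$2" = "dir" ] && base=511         # 0777 in decimal
    printf '%04o' $(( base & ~(0$1) ))   # leading 0 makes the shell read $1 as octal
}

# Print every active (uncommented) numeric umask setting in the tree rooted at $1
# as "file:line:value". Comment-only mentions such as "# umask 077" are ignored.
list_umask_settings() {  # $1 = directory standing in for /
    for f in "$1/etc/profile" "$1"/etc/profile.d/*.sh "$1"/etc/profile.d/sh.local; do
        [ -f "$f" ] || continue
        grep -nE '^[^#]*umask[[:space:]]+[0-7]+' "$f" \
            | sed -E "s#^([0-9]+):.*umask[[:space:]]+([0-7]+).*#${f}:\1:\2#"
    done
}

# Succeed only when at least one umask is set and every active setting equals
# EXPECTED_UMASK (compared numerically, so 027 and 0027 match). Offenders go to stdout.
# Paths are assumed to contain no whitespace, as in a real /etc/profile.d.
audit_umask() {  # $1 = directory standing in for /
    settings=$(list_umask_settings "$1")
    if [ -z "$settings" ]; then
        echo "FAIL: no umask set under $1/etc/profile or $1/etc/profile.d"
        return 1
    fi
    status=0
    for entry in $settings; do
        value=${entry##*:}
        if [ $(( 0$value )) -ne $(( 0$EXPECTED_UMASK )) ]; then
            echo "FAIL: $entry (expected umask $EXPECTED_UMASK)"
            status=1
        fi
    done
    return $status
}

# Constructed fixture (not a real host): /etc/profile sets a permissive umask 022,
# one profile.d script mentions umask only in a comment, and sh.local is compliant.
make_fixture() {  # prints the temporary root it created
    root=$(mktemp -d)
    mkdir -p "$root/etc/profile.d"
    printf 'PATH=/usr/local/bin:/usr/bin\numask 022\n' > "$root/etc/profile"
    printf '# umask 077 used to be set here\nexport LANG=C\n' > "$root/etc/profile.d/lang.sh"
    printf 'umask 027\n' > "$root/etc/profile.d/sh.local"
    echo "$root"
}

main() {
    echo "umask 027 -> new file $(effective_mode 027 file), new directory $(effective_mode 027 dir)"
    echo "umask 022 -> new file $(effective_mode 022 file), new directory $(effective_mode 022 dir)"
    root=$(make_fixture)
    if audit_umask "$root"; then
        echo "PASS: umask settings under $root are compliant"
    fi
    rm -rf "$root"
}

main
```

Against the fixture the audit reports the `umask 022` line in /etc/profile and ignores the commented `# umask 077`; the arithmetic shows why 027 is the target: a new file gets 0640 and a new directory 0750, whereas 022 leaves them world-readable at 0644 and 0755.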

Remediation

Shell script

The following script can be run on the host to remediate the issue.

var_accounts_user_umask='027'

# Candidate files: the scripts /etc/profile sources from /etc/profile.d, plus /etc/profile itself.
readarray -t profile_files < <(find /etc/profile.d/ -type f -name '*.sh' -or -name 'sh.local')

# Rewrite every uncommented umask line in place so that it sets the desired value.
for file in "${profile_files[@]}" /etc/profile; do
    grep -qE '^[^#]*umask' "$file" && sed -i "s/umask.*/umask $var_accounts_user_umask/g" "$file"
done

# If no file sets a umask at all, append the setting to /etc/profile.
if ! grep -qrE '^[^#]*umask' /etc/profile*; then
    echo "umask $var_accounts_user_umask" >> /etc/profile
fi

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: XCCDF Value var_accounts_user_umask # promote to variable
  set_fact:
    var_accounts_user_umask: !!str 027
  tags:
    - always

- name: Ensure the Default Umask is Set Correctly in /etc/profile - Locate Profile Configuration Files Where umask Is Defined
  ansible.builtin.find:
    paths:
      - /etc/profile.d
    patterns:
      - sh.local
      - '*.sh'
    contains: ^[\s]*umask\s+\d+
  register: result_profile_d_files
  tags:
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-8.6.1
    - accounts_umask_etc_profile
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Ensure the Default Umask is Set Correctly in /etc/profile - Replace Existing umask Value in Files From /etc/profile.d
  ansible.builtin.replace:
    path: '{{ item.path }}'
    regexp: ^(\s*)umask\s+\d+
    replace: \1umask {{ var_accounts_user_umask }}
  loop: '{{ result_profile_d_files.files }}'
  register: result_umask_replaced_profile_d
  when: result_profile_d_files.matched
  tags:
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-8.6.1
    - accounts_umask_etc_profile
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Ensure the Default Umask is Set Correctly in /etc/profile - Ensure umask Is Set in /etc/profile if Not Already Set Elsewhere
  ansible.builtin.lineinfile:
    create: true
    mode: '0644'
    path: /etc/profile
    line: umask {{ var_accounts_user_umask }}
  when: not result_profile_d_files.matched
  tags:
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-8.6.1
    - accounts_umask_etc_profile
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy

- name: Ensure the Default Umask is Set Correctly in /etc/profile - Ensure umask Value For All Existing umask Definitions in /etc/profile
  ansible.builtin.replace:
    path: /etc/profile
    regexp: ^(\s*)umask\s+\d+
    replace: \1umask {{ var_accounts_user_umask }}
  register: result_umask_replaced_profile
  tags:
    - NIST-800-53-AC-6(1)
    - NIST-800-53-CM-6(a)
    - PCI-DSSv4-8.6.1
    - accounts_umask_etc_profile
    - low_complexity
    - low_disruption
    - medium_severity
    - no_reboot_needed
    - restrict_strategy