Ensure the Default Umask is Set Correctly For Interactive Users

Classification:

compliance

Framework:

Control:

Description

Remove the UMASK environment variable from all interactive users initialization files.

Rationale

The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 700 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be 0. This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

while IFS= read -r dir; do
 while IFS= read -r -d '' file; do
 if [ "$(basename $file)" != ".bash\_history" ]; then
 sed -i 's/^\([\s]\*umask\s\*\)/#\1/g' "$file"
 fi
 done < <(find $dir -maxdepth 1 -type f -name ".\*" -print0)
done < <(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6}' /etc/passwd)

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Ensure interactive local users are the owners of their respective initialization
 files
 ansible.builtin.shell:
 cmd: |-
 for dir in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6}' /etc/passwd); do
 for file in $(find $dir -maxdepth 1 -type f -name ".\*"); do
 if [ "$(basename $file)" != ".bash\_history" ]; then
 sed -i 's/^\([\s]\*umask\s\*\)/#\1/g' $file
 fi
 done
 done
 tags:
 - accounts\_umask\_interactive\_users
 - low\_complexity
 - low\_disruption
 - medium\_severity
 - no\_reboot\_needed
 - restrict\_strategy