Ensure the Default Umask is Set Correctly For Interactive Users
Description
Remove the UMASK environment variable from all interactive users initialization files.
Rationale
The umask controls the default access mode assigned to newly created files. A
umask of 077 limits new files to mode 700 or less permissive. Although umask can
be represented as a four-digit number, the first digit representing special
access modes is typically ignored or required to be 0. This requirement
applies to the globally configured system defaults and the local interactive
user defaults for each account on the system.
Shell script
The following script can be run on the host to remediate the issue.
while IFS= read -r dir; do
while IFS= read -r -d '' file; do
if [ "$(basename $file)" != ".bash\_history" ]; then
sed -i 's/^\([\s]\*umask\s\*\)/#\1/g' "$file"
fi
done < <(find $dir -maxdepth 1 -type f -name ".\*" -print0)
done < <(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6}' /etc/passwd)
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: Ensure interactive local users are the owners of their respective initialization
files
ansible.builtin.shell:
cmd: |-
for dir in $(awk -F':' '{ if ($3 >= 1000 && $3 != 65534) print $6}' /etc/passwd); do
for file in $(find $dir -maxdepth 1 -type f -name ".\*"); do
if [ "$(basename $file)" != ".bash\_history" ]; then
sed -i 's/^\([\s]\*umask\s\*\)/#\1/g' $file
fi
done
done
tags:
- accounts\_umask\_interactive\_users
- low\_complexity
- low\_disruption
- medium\_severity
- no\_reboot\_needed
- restrict\_strategy
