Profile Applicability:
• Level 1
Description:
The umask setting determines which permission bits are cleared from the default mode (0666 for files, 0777 for directories) when a process creates a new file or directory. Configuring a restrictive umask for the root user ensures that files created by root are not readable or writable by other users by default, reducing the risk of unauthorized access to sensitive data.
Rationale:
A properly configured umask for the root user minimizes accidental exposure of sensitive files by enforcing restrictive default permissions.
Impact:
Pros:
Enhances security by limiting default file permissions for root-owned files.
Supports compliance with security best practices.
Cons:
An overly restrictive umask may cause operational inconvenience when files created by root must be readable by other users or services; such files then need explicit chmod/chown after creation.
Default Value:
Default umask values vary by distribution. Root's umask is typically 022 (new files 644, new directories 755, both world-readable) unless explicitly configured.
Pre-requisites:
Root or sudo privileges to configure user environment settings.
Remediation:
Test Plan:
Using Linux command line
- Check the effective umask of a root login shell (su - starts a login shell, so the value reflects the startup files processed at login):
su - root -c 'umask'
- Optionally confirm by creating a file as root and inspecting its mode: a umask of 027 yields 640 for files and 750 for directories.
Review every file where umask may be set, because the last umask directive processed wins: /etc/login.defs (UMASK), /etc/profile, /etc/bashrc, /etc/profile.d/*.sh, /root/.bash_profile, /root/.bashrc, and /root/.profile.
Implementation Plan:
Using Linux command line:
- Configure root's umask to a secure value (e.g., 027) by adding or modifying a umask line in the appropriate configuration files. For example, for interactive bash shells, in /root/.bashrc:
echo "umask 027" >> /root/.bashrc
Note that /root/.bashrc is read only by interactive bash shells; commands run from cron or systemd do not inherit it.
Alternatively, set a system-wide umask in /etc/profile or /etc/login.defs:
In /etc/login.defs, set: UMASK 027
Because a later umask directive overrides an earlier one, check that no startup file processed afterwards (for example /etc/profile or /etc/bashrc) resets the value to something weaker.
Log out and log back in (or start a new login shell) for the change to take effect, then verify with su - root -c 'umask'.
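The following POSIX shell helpers are an added example, not part of the CIS benchmark text or any vendor tooling. They implement the checks described in the test plan: compute the file and directory modes a given umask produces, decide whether a umask is at least as strict as 027, find the last umask directive in a startup file (the one that wins), and probe the mode of a file created under the current umask. The demo runs against constructed sample files in a temporary directory, so it needs no root privileges; the function and file names are this example's own.

```shell
#!/bin/sh
# Added example for auditing root's umask (not from the CIS benchmark page).
# Works with GNU coreutils; stat -c is the only non-POSIX call used.

# Mode of a new object under a umask: mode = base & ~umask (base 666 files, 777 dirs).
# Both arguments are octal strings, e.g. "666" and "027".
effective_mode() {
    printf '%03o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# Return 0 when the umask clears at least the bits 027 clears (group write, all other).
umask_ok() {
    [ $(( 0$1 & 0027 )) -eq $(( 0027 )) ]
}

# Print the value of the last "umask NNN" / "UMASK NNN" directive in a file.
# Later directives override earlier ones, so only the last one matters.
last_umask_in_file() {
    sed -n 's/^[[:space:]]*[uU][mM][aA][sS][kK][[:space:]]\{1,\}\([0-7]\{3,4\}\).*/\1/p' "$1" | tail -n 1
}

# Create a file under the current umask and print the mode it received.
observed_file_mode() {
    d=$(mktemp -d) || return 1
    : > "$d/probe"              # redirection creates the file with 0666 & ~umask
    stat -c '%a' "$d/probe"
    rm -rf "$d"
}

# Audit one startup file; prints a verdict and returns 0 only if it passes.
audit_file() {
    value=$(last_umask_in_file "$1")
    if [ -z "$value" ]; then
        echo "$1: no umask directive"
        return 1
    elif umask_ok "$value"; then
        echo "$1: umask $value (files $(effective_mode 666 "$value"), dirs $(effective_mode 777 "$value")) OK"
        return 0
    else
        echo "$1: umask $value too permissive (files $(effective_mode 666 "$value"))"
        return 1
    fi
}

# Demo on constructed sample files (hypothetical contents, not real system files).
demo() {
    tmp=$(mktemp -d) || return 1
    printf '# constructed sample\nexport PATH\numask 022\n' > "$tmp/profile"
    printf 'umask 022\n# later directive wins\numask 027\n' > "$tmp/bashrc"
    printf 'UMASK\t077\n' > "$tmp/login.defs"
    status=0
    for f in "$tmp/profile" "$tmp/bashrc" "$tmp/login.defs"; do
        audit_file "$f" || status=1
    done
    echo "current shell umask $(umask) -> new file mode $(observed_file_mode || echo '?')"
    rm -rf "$tmp"
    return $status
}

demo || :
```

On a real host, run audit_file over the files listed in the test plan as root; the sample "profile" above fails the audit because it ends with umask 022, which mirrors how a distribution-supplied /etc/profile can silently override a stricter UMASK in /etc/login.defs.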
Backout Plan:
Using Linux command line:
Remove or revert the umask lines added to the configuration files, restoring the previous values.
Log in again and verify the change by checking the umask (su - root -c 'umask').
References:
CIS Amazon Linux 2 Benchmark v3.0.0
umask Command Manual
Linux File Permissions