Profile Applicability:
 • Level 1

Description:
 The umask setting determines the default file permission bits for newly created files and directories. Configuring a secure umask value for the root user ensures that files created by root have appropriate restrictive permissions, reducing the risk of unauthorized access.

Rationale:
 A properly configured 
umask for the root user minimizes accidental exposure of sensitive files by enforcing restrictive default permissions.

Impact:
 Pros:

  • Enhances security by limiting default file permissions for root-owned files.

  • Supports compliance with security best practices.

Cons:

  • Overly restrictive umask may cause operational inconvenience if certain permissions are needed.

Default Value:
 Default umask values vary, but often root’s umask is set to 
0022 or less restrictive unless explicitly configured.

Pre-requisites:

  • Root or sudo privileges to configure user environment settings.

Remediation:

Test Plan:

Using Linux command line

  1. Check the current umask for the root user:
    su - root -c 'umask'
  2. Review configuration files where umask may be set, such as /root/.bashrc/root/.profile/etc/profile, or /etc/login.defs.

Implementation Plan:

Using Linux command line:

  1. Configure root’s umask to a secure value (e.g., 027) by adding or modifying in appropriate configuration files, for example in /root/.bashrc:
    echo "umask 027" >> /root/.bashrc
  2. Alternatively, set a system-wide umask in /etc/profile or /etc/login.defs:

  • In /etc/login.defs, set:
    UMASK 027
  1. Reload shell or reboot system for changes to take effect.

Backout Plan:

Using Linux command line:

  1. Revert umask settings to previous values if necessary by editing configuration files.

  2. Verify the change by checking the umask again.

References:

  • CIS Amazon Linux 2 Benchmark v3.0.0

  • umask Command Manual

  • Linux File Permissions