Profile Applicability:
• Level 1
Description:
The umask setting determines the default file permission mask for newly created files and directories. Configuring a secure default umask for users ensures that files are created with appropriate restrictive permissions, enhancing system security.
Rationale:
Setting a restrictive default umask minimizes the risk of unauthorized access to user files by enforcing secure file permissions at creation.
Impact:
Pros:
Enhances data confidentiality and integrity by restricting file permissions.
Supports compliance with security best practices.
Cons:
Overly restrictive umask may impact legitimate file sharing or access.
Default Value:
Default umask values vary; typically 0022 or 0002 are common unless explicitly configured.
Pre-requisites:
Root or sudo privileges to modify global shell configuration files.
Remediation:
Test Plan:
Using Linux command line:
- Check current default umask settings in global shell config files (e.g., /etc/profile, /etc/bashrc):
grep umask /etc/profile /etc/bashrc
Verify that umask is set to a secure value (e.g., 027).
Implementation Plan:
Using Linux command line:
- Edit global shell configuration files to set the default umask, for example in /etc/profile:
echo "umask 027" >> /etc/profile
Inform users to re-login or source configuration for changes to take effect.
Backout Plan:
Using Linux command line:
Remove or adjust umask settings if necessary.
Verify file creation permissions for users.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
Linux umask Manual