An error occurred:

Check: GEN003220

HP-UX 11.31 STIG: GEN003220 (in versions v1 r19 through v1 r13)

Title

Cron programs must not set the umask to a value less restrictive than 077. (Cat III impact)

Discussion

The umask controls the default access mode assigned to newly created files. An umask of 077 limits new files to mode 700 or less permissive. Although umask is often represented as a 4-digit octal number, the first digit representing special access modes is typically ignored or required to be 0.

Check Content

Determine if there are any crontabs by viewing a long listing of the directory. If there are crontabs, examine them to determine what cron jobs exist. Check for any programs specifying an umask. # ls -lL /var/spool/cron/crontabs # cat <crontab file> # grep umask <cron program> If there are no cron jobs present, this vulnerability is not applicable. If any cron job contains an umask value more permissive than 077, this is a finding.

Fix Text

Edit cron script files and modify the umask to 077.

Additional Identifiers

Rule ID: SV-38431r1_rule

Vulnerability ID: V-4360

Group Title: GEN003220

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000225

The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AC-6

Least Privilege