Check: GEN003220
Solaris 10 SPARC STIG:
GEN003220
(in versions v2 r4 through v2 r1)
Title
Cron programs must not set the umask to a value less restrictive than 077. (Cat III impact)
Discussion
The umask controls the default access mode assigned to newly created files. An umask of 077 limits new files to mode 700 or less permissive. Although umask is often represented as a 4-digit octal number, the first digit representing special access modes is typically ignored or required to be 0.
Check Content
Determine if there are any crontabs by viewing a long listing of the directory. If there are crontabs, examine them to determine what cron jobs exist. Check for any programs specifying an umask. # ls -lL /var/spool/cron/crontabs # cat <crontab file> # grep umask <cron program> If there are no cron jobs present, this vulnerability is not applicable. If any cron job contains an umask value more permissive than 077, this is a finding. Severity Override Guidance: If a cron program sets the umask to 000 or does not restrict the world-writable permission, this becomes a CAT I finding.
Fix Text
Edit cron script files and modify the umask to 077.
Additional Identifiers
Rule ID: SV-226631r854424_rule
Vulnerability ID: V-226631
Group Title: SRG-OS-000312
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-002165 |
The information system enforces organization-defined discretionary access control policies over defined subjects and objects. |
Controls
Number | Title |
---|---|
AC-3 (4) |
Discretionary Access Control |