Title

Cron programs must not set the umask to a value less restrictive than 077. (Cat III impact)

Discussion

The umask controls the default access mode assigned to newly created files. An umask of 077 limits new files to mode 700 or less permissive. Although umask is often represented as a 4-digit octal number, the first digit representing special access modes is typically ignored or required to be 0.

Check Content

Determine if there are any crontabs by viewing a long listing of the directory. If there are crontabs, examine them to determine what cron jobs exist. Check for any programs specifying an umask. # ls -lL /var/spool/cron/crontabs # cat <crontab file> # grep umask <cron program> If there are no cron jobs present, this vulnerability is not applicable. If any cron job contains an umask value more permissive than 077, this is a finding. Severity Override Guidance: If a cron program sets the umask to 000 or does not restrict the world-writable permission, this becomes a CAT I finding.

Fix Text

Edit cron script files and modify the umask to 077.

Additional Identifiers

Rule ID: SV-227757r854489_rule

Vulnerability ID: V-227757

Group Title: SRG-OS-000312

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.