Check: SOL-11.1-040260
Solaris 11 x86 STIG: SOL-11.1-040260 (in versions v2 r10 through v1 r10)
Title
The default umask for FTP users must be 077. (Cat III impact)
Discussion
Setting a very secure default value for umask ensures that users make a conscious choice about their file permissions.
Check Content
The package service/network/ftp must be installed for this check.

    # pkg list service/network/ftp

If the output of this command is:

    pkg list: no packages matching 'service/network/ftp' installed

no further action is required.

Determine if the FTP umask is set to 077.

    # egrep -i "^UMASK" /etc/proftpd.conf | awk '{ print $2 }'

If 077 is not displayed, this is a finding.
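The egrep in the check above matches only a Umask directive that starts in column one and prints each value without judging it. As an added example (not part of the STIG text), the shell function below applies the same test to every Umask line in the file, including indented ones inside blocks such as `<Anonymous>`, and returns a status usable in a script. The names `check_ftp_umask` and `demo`, the output format and the sample configuration are assumptions of this example; like the check, it compares only the first (file) umask argument.

```shell
#!/bin/sh
# Added example: audit helper for the FTP umask check (not STIG text).
# check_ftp_umask [FILE]
#   prints "<line-no>: <value> <OK|FINDING>" for each Umask directive
#   returns 0 = every Umask directive is 077
#           1 = finding (a value other than 077, or no directive at all)
#           2 = configuration file not readable
check_ftp_umask() {
    conf=${1:-/etc/proftpd.conf}
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    awk '
        NF == 0 || $1 ~ /^#/ { next }      # skip blank lines and comments
        tolower($1) == "umask" {           # directive names are case-insensitive
            seen = 1
            ok = ($2 == "077")             # same literal test as the STIG check
            if (!ok) bad = 1
            printf "%d: %s %s\n", NR, $2, (ok ? "OK" : "FINDING")
        }
        END {
            if (!seen) { print "no Umask directive found: FINDING"; exit 1 }
            exit (bad ? 1 : 0)
        }
    ' "$conf"
}

# Constructed sample, not taken from a real system: a compliant server-wide
# value with a weaker value inside an <Anonymous> block.
demo() {
    tmp=$(mktemp) || return 2
    printf '%s\n' 'ServerName "ftp"' 'Umask 077' '<Anonymous ~ftp>' \
        '  Umask 022' '</Anonymous>' > "$tmp"
    check_ftp_umask "$tmp" && rc=0 || rc=$?
    rm -f "$tmp"
    return "$rc"
}

# usage: check_ftp_umask /etc/proftpd.conf
```
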
Fix Text
The root role is required.

    # pkg list service/network/ftp

If the output of this command is:

    pkg list: no packages matching 'service/network/ftp' installed

no further action is required.

Otherwise, edit the FTP configuration file.

    # pfedit /etc/proftpd.conf

Locate the line containing:

    Umask

Change the line to read:

    Umask 077
Additional Identifiers
Rule ID: SV-216107r603268_rule
Vulnerability ID: V-216107
Group Title: SRG-OS-000480
CCIs
Number | Definition |
---|---|
CCI-000366 | The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 | Configuration Settings |