Check: GEN002560
SUSE Linux Enterprise Server v11 for System z STIG:
GEN002560
(in versions v1 r12 through v1 r9)
Title
The system and user default umask must be 077. (Cat II impact)
Discussion
The umask controls the default access mode assigned to newly created files. An umask of 077 limits new files to mode 700 or less permissive. Although umask can be represented as a 4-digit number, the first digit representing special access modes is typically ignored or required to be 0. This requirement applies to the globally configured system defaults and the user defaults for each account on the system.
Check Content
Check global initialization files for the configured umask value. Procedure: # grep umask /etc/* Check local initialization files for the configured umask value. Procedure: # cut -d: -f6 /etc/passwd |xargs -n1 -IDIR find DIR -name ".*" -type f -maxdepth 1 -exec grep umask {} \; If the system and user default umask is not 077, this a finding. Note: If the default umask is 000 or allows for the creation of world-writable files this becomes a Severity Code I finding.
Fix Text
Edit local and global initialization files that contain "umask" and change them to use 077 instead of the current value.
Additional Identifiers
Rule ID: SV-45205r1_rule
Vulnerability ID: V-808
Group Title: GEN002560
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
The organization implements the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |