Check: GEN003220
SUSE Linux Enterprise Server v11 for System z STIG:
GEN003220
(in versions v1 r9 through v1 r12)
Title
Cron programs must not set the umask to a value less restrictive than 077. (Cat III impact)
Discussion
The umask controls the default access mode assigned to newly created files: each bit set in the umask is cleared from the mode the creating program asks for. A umask of 077 clears every group and other bit, so a new file can be no more permissive than mode 700. Cron jobs commonly run as root and write logs, backups and temporary files; a lax umask in such a job silently leaves that output readable (or writable) by other users. Although a umask is often written as a 4-digit octal number, the first digit, which represents the special access modes (setuid, setgid, sticky), is typically ignored or required to be 0.
Check Content
Determine if there are any crontabs by viewing a long listing of the crontab directories. If there are crontabs, examine them to determine what cron jobs exist, then check each program those jobs run for a umask more permissive than 077.

Procedure:

# ls -lL /var/spool/cron /var/spool/cron/tabs
# ls -lL /etc/crontab /etc/cron.{d,daily,hourly,monthly,weekly}

or

# ls -lL /etc/cron.*|grep -v deny

Then, for each crontab file and each program it invokes:

# cat <crontab file>
# grep umask <cron program>

If there are no cron jobs present, this vulnerability is not applicable. If any cron job (the crontab entry itself or the program it runs) contains a umask more permissive than 077, this is a finding. Note that `grep umask` only locates literal umask settings; a value assigned through a variable or set by a program the script calls must be traced by reading the script.
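The procedure above, scripted, as an added example that is not part of the STIG text or of any SUSE tooling. It walks the locations the check names (skipping cron.allow and cron.deny as the `grep -v deny` step does), pulls every non-comment line that sets a literal umask, and reports the ones more permissive than 077. "More permissive" is tested at the bit level: the value is a finding when any group or other bit (077) is clear in the mask, and a leading special-mode digit is ignored, as the Discussion describes. The function names, the `cron_umask_check.sh` file name used in the run guard, and the fixture files built in the test are my own assumptions.

```shell
#!/bin/sh
# Added example (not part of the STIG): scan cron locations for umask
# settings more permissive than 077. POSIX sh only.

# Return 0 when octal VALUE clears any of the group/other bits, i.e. when
# (VALUE & 077) != 077. A leading special-mode digit (e.g. "0022") is ignored
# because only the low nine bits take part. Return 2 for a non-octal string.
umask_too_permissive() {
    val="$1"
    case "$val" in
        ''|*[!0-7]*) return 2 ;;       # reject anything that is not plain octal
    esac
    low=$(( 0$val & 0077 ))             # leading 0 forces octal in $(( ))
    [ "$low" -ne 63 ]                   # 63 == 077: all group/other bits masked
}

# Print "file:line: umask VALUE" for each offending literal umask found in
# the files under the given roots (directories or single files), skipping
# cron.allow / cron.deny and comment lines. Return 1 if anything was found.
scan_cron_umask() {
    out=$(
        for root in "$@"; do
            [ -e "$root" ] || continue
            find "$root" -type f ! -name cron.allow ! -name cron.deny 2>/dev/null
        done | while IFS= read -r f; do
            # "^[^#]*umask" drops lines where umask appears only after a '#'
            grep -n '^[^#]*umask' "$f" 2>/dev/null | while IFS=: read -r ln rest; do
                # accept "umask 022" and "umask=022"; a variable is not resolved
                val=$(printf '%s\n' "$rest" | sed -n 's/.*umask[ =]*\([0-7][0-7]*\).*/\1/p')
                [ -n "$val" ] || continue
                if umask_too_permissive "$val"; then
                    printf '%s:%s: umask %s\n' "$f" "$ln" "$val"
                fi
            done
        done
    )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# The system locations the STIG check lists. /var/spool/cron already
# contains the tabs/ subdirectory, so it is not listed twice.
check_sles_cron_umask() {
    scan_cron_umask /var/spool/cron /etc/crontab /etc/cron.d \
        /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly
}

# Usage: save as cron_umask_check.sh and run it as root; exit status 1 means
# there is at least one finding. The guard keeps the scan from running when
# the file is sourced for its functions.
if [ "${0##*/}" = "cron_umask_check.sh" ]; then
    check_sles_cron_umask
fi
```

The script finds only literal octal values; as the check itself cautions, a umask that comes from a variable, a sourced profile, or a program the cron script calls has to be traced by hand. A value such as 177 is reported as compliant because it is more restrictive than 077, not merely different from it.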
Fix Text
Edit the cron script files (and any crontab entries that set a umask inline) and change the umask to 077.
Additional Identifiers
Rule ID: SV-45633r1_rule
Vulnerability ID: V-4360
Group Title: GEN003220
Expert Comments
CCIs
Number | Definition
---|---
CCI-000225 | Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned organizational tasks.
Controls
Number | Title
---|---
AC-6 | Least Privilege