STIGhubSTIGhub
STIGsRMF ControlsCompare
STIGhub— A free STIG search and compliance tool·STIGs updated 3 days ago
Powered by Pylon·Privacy·Terms·© 2026 Beacon Cloud Solutions, Inc.
← Back to Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide

V-269236

CAT II (Medium)

AlmaLinux OS 9 must define default permissions for PAM users.

Rule ID

SV-269236r1050118_rule

STIG

Cloud Linux AlmaLinux OS 9 Security Technical Implementation Guide

Version

V1R6

CCIs

CCI-000366

Discussion

Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access. With a UMASK of 077, files will be created with 0600 permissions (owner read/write only) and directories will have 0700 permissions (owner read/write/execute only).

Check Content

Verify that the "pam_umask" module is enabled with the following command:

$ grep -i umask /etc/pam.d/*

/etc/pam.d/postlogin:session optional pam_umask.so silent umask=0022

If a "pam_umask.so" line is not returned, this is a finding.

If the "umask" setting is set to anything other than "0077", this is a finding.

Note: If the "umask" setting is not found, it will use the default UMASK entry in /etc/login.defs.

Fix Text

Configure AlmaLinux OS 9 to define default permissions for all authenticated users so the user can only read and modify their own files.

Add or edit the following line at the top of /etc/pam.d/postlogin:

session     optional     pam_umask.so silent