← Back to SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide

V-808

CAT II (Medium)

The system and user default umask must be 077.

Rule ID

SV-45205r1_rule

STIG

SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide

Version

V1R12

CCIs

CCI-000366

Discussion

The umask controls the default access mode assigned to newly created files. An umask of 077 limits new files to mode 700 or less permissive. Although umask can be represented as a 4-digit number, the first digit representing special access modes is typically ignored or required to be 0. This requirement applies to the globally configured system defaults and the user defaults for each account on the system.

Check Content

Check global initialization files for the configured umask value.
Procedure:
# grep umask /etc/* 

Check local initialization files for the configured umask value.
Procedure: 
# cut -d: -f6 /etc/passwd |xargs -n1 -IDIR find DIR -name ".*" -type f -maxdepth 1 -exec grep umask {} \;

If the system and user default umask is not 077, this a finding. 

Note: If the default umask is 000 or allows for the creation of world-writable files this becomes a Severity Code I finding.

Fix Text

Edit local and global initialization files that contain "umask" and change them to use 077 instead of the current value.