forked from ComplianceAsCode/content
-
Notifications
You must be signed in to change notification settings - Fork 0
/
rule.yml
43 lines (35 loc) · 1.47 KB
/
rule.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
documentation_complete: true
title: 'Ensure the Default Umask is Set Correctly in /etc/profile'
description: |-
To ensure the default umask controlled by <tt>/etc/profile</tt> is set properly,
add or correct the <tt>umask</tt> setting in <tt>/etc/profile</tt> to read as follows:
<pre>umask {{{ xccdf_value("var_accounts_user_umask") }}}</pre>
rationale: |-
The umask value influences the permissions assigned to files when they are created.
A misconfigured umask value could result in files with excessive permissions that can be read or
written to by unauthorized users.
severity: unknown
identifiers:
cce@rhel7: CCE-80204-1
cce@rhel8: CCE-81035-8
cce@rhcos4: CCE-84262-5
references:
cis@rhel7: 5.4.4
cis@rhel8: 5.5.4
disa: CCI-000366
nist: AC-6(1),CM-6(a)
nist-csf: PR.IP-2
isa-62443-2009: 4.3.4.3.3
cobit5: APO13.01,BAI03.01,BAI03.02,BAI03.03
iso27001-2013: A.14.1.1,A.14.2.1,A.14.2.5,A.6.1.5
cis-csc: '18'
anssi: BP28(R35)
srg: SRG-OS-000480-GPOS-00228
ocil_clause: 'the above command returns no output, or if the umask is configured incorrectly'
ocil: |-
Verify the <tt>umask</tt> setting is configured correctly in the <tt>/etc/profile</tt> file by
running the following command:
<pre># grep "umask" /etc/profile</pre>
All output must show the value of <tt>umask</tt> set as shown in the below:
<pre># grep "umask" /etc/profile
umask {{{ xccdf_value("var_accounts_user_umask") }}}</pre>