Information
The operating system must define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
Rationale:
Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.
Solution
Configure the operating system to define default permissions for all authenticated users in such a way that the user can only read and modify their own files.
Add or edit the line for the UMASK parameter in the /etc/login.defs file so that it is set to 077:
Example: vim /etc/login.defs
Add, uncomment or update the following line:
UMASK 077
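An added example, not part of the benchmark text: a small POSIX sh check that reads a login.defs-style file the way shadow-utils does (last uncommented UMASK assignment wins), reports whether it is set to 077, and shows the resulting mode of a newly created file under that umask. The two sample files and the function names (get_umask, check_umask, mode_under_umask) are constructed for this illustration; on a real host point the functions at /etc/login.defs.

```shell
#!/bin/sh
# Added example: audit the UMASK setting in a login.defs file.
# Assumes POSIX sh and awk; sample files below are constructed.

# Print the effective UMASK value from the given file. Commented lines
# ("# UMASK 077") are ignored; the last active assignment wins.
get_umask() {
    awk '$1 == "UMASK" { v = $2 } END { if (v != "") print v }' "$1"
}

# Return 0 when the file sets UMASK to 077 (compliant), 1 otherwise.
check_umask() {
    val=$(get_umask "$1")
    [ "$val" = "077" ]
}

# Create an empty file under the given umask and return its mode
# string as shown by ls -l, e.g. "-rw-------" for 077.
mode_under_umask() {
    f="$tmpd/demo.$1"
    ( umask "$1"; : > "$f" )
    ls -l "$f" | cut -c1-10
}

# Constructed sample files: one with a commented-out 077 and an active
# 022 (a finding), one that sets 077 as the STIG requires.
tmpd=$(mktemp -d)
cat > "$tmpd/login.defs.bad" <<'EOF'
# UMASK   077
UMASK   022
EOF
cat > "$tmpd/login.defs.good" <<'EOF'
# default permissions for new files and directories
UMASK   077
EOF

for f in "$tmpd"/login.defs.*; do
    if check_umask "$f"; then
        echo "$f: UMASK 077 (compliant)"
    else
        echo "$f: UMASK $(get_umask "$f") (finding)"
    fi
done
echo "file created under umask 077: $(mode_under_umask 077)"
```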
Notes:
This Benchmark recommendation maps to:
Red Hat Enterprise Linux 7 Security Technical Implementation Guide:
Version 2, Release 3, Benchmark Date: 26 Apr 2019
Vul ID: V-71995
Rule ID: SV-86619r2_rule
STIG ID: RHEL-07-020240
Severity: CAT II