{"description": "To ensure the default umask controlled by <tt>/etc/profile</tt> is set properly,\nadd or correct the <tt>umask</tt> setting in <tt>/etc/profile</tt> to read as follows:\n<pre>umask <sub idref=\"var_accounts_user_umask\" /></pre>\n\nNote that <tt>/etc/profile</tt> also reads scripts within the <tt>/etc/profile.d</tt> directory.\nThese scripts are also valid places to set the umask value. Therefore, they should also be\nconsidered during the check and properly remediated, if necessary.", "rationale": "The umask value influences the permissions assigned to files when they are created.\nA misconfigured umask value could result in files with excessive permissions that can be read or\nwritten to by unauthorized users.", "severity": "medium", "references": {"cis-csc": ["18"], "cobit5": ["APO13.01", "BAI03.01", "BAI03.02", "BAI03.03"], "isa-62443-2009": ["4.3.4.3.3"], "iso27001-2013": ["A.14.1.1", "A.14.2.1", "A.14.2.5", "A.6.1.5"], "nerc-cip": ["CIP-003-8 R5.1.1", "CIP-003-8 R5.3", "CIP-004-6 R2.3", "CIP-007-3 R2.1", "CIP-007-3 R2.2", "CIP-007-3 R2.3", "CIP-007-3 R5.1", "CIP-007-3 R5.1.1", "CIP-007-3 R5.1.2"], "nist": ["AC-6(1)", "CM-6(a)"], "nist-csf": ["PR.IP-2"], "srg": ["SRG-OS-000480-GPOS-00228", "SRG-OS-000480-GPOS-00227"], "anssi": ["R36"], "cis": ["5.4.3.3"]}, "control_references": {"anssi": ["R36"], "cis": ["5.4.3.3"]}, "components": [], "identifiers": {}, "ocil_clause": "the value for the \"umask\" parameter is not \"<sub idref=\"var_accounts_user_umask\" />\",\nor the \"umask\" parameter is missing or is commented out", "ocil": "Verify the <tt>umask</tt> setting is configured correctly in the <tt>/etc/profile</tt> file\nor in scripts within the <tt>/etc/profile.d</tt> directory with the following command:\n<pre>$ grep \"umask\" /etc/profile*</pre>\n<pre>umask <sub idref=\"var_accounts_user_umask\" /></pre>", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to define default permissions for all authenticated users in such\na way that the user can only read and modify their own files.\n\nEdit the lines for the \"umask\" parameter in the \"/etc/profile\" file and any other script\nwithin the \"/etc/profile.d\" directory to \"<sub idref=\"var_accounts_user_umask\" />\":\n\numask <sub idref=\"var_accounts_user_umask\" />\n\nIf the \"umask\" parameter is not yet defined in the \"/etc/profile\" file or in any script within\nthe \"/etc/profile.d\" directory, add the line shown above at the end of the \"/etc/profile\" file.", "checktext": "Verify the \"umask\" setting is configured correctly in the \"/etc/profile\" file or in any scripts\nwithin the \"/etc/profile.d\" directory with the following command:\nNote: If the value of the \"umask\" parameter is set to \"000\" in any of these files, the\nSeverity is raised to a CAT I.\n$ grep -r umask /etc/profile*\numask <sub idref=\"var_accounts_user_umask\" />\nIf the value for the <tt>umask</tt> parameter is not \"<sub idref=\"var_accounts_user_umask\" />\",\nor the \"umask\" parameter is missing or is commented out, this is a finding.", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must define default permissions for the system default profile.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must define default permissions for the system default profile.", "vuldiscussion": "The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 600 or less permissive. Although umask can be represented as a four-digit number, the first digit representing special access modes is typically ignored or required to be \"0\". This requirement applies to the globally configured system defaults and the local interactive user defaults for each account on the system.", "checktext": "Verify the \"umask\" setting is configured correctly in the \"/etc/profile\" file with the following command:\n\nNote: If the value of the \"umask\" parameter is set to \"000\" in the \"/etc/profile\" file, the Severity is raised to a CAT I.\n\n$ grep umask /etc/profile\n\numask 077\n\nIf the value for the \"umask\" parameter is not \"077\", or the \"umask\" parameter is missing or is commented out, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to define default permissions for all authenticated users in such a way that the user can only read and modify their own files.\n\nAdd or edit the lines for the \"umask\" parameter in the \"/etc/profile\" file to \"077\":\n\numask 077"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Ensure the Default Umask is Set Correctly in /etc/profile", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_etc_profile/rule.yml", "template": null}