Run the following to verify that the default user umask is set to 027 (octal) or u=rwx,g=rx,o= (symbolic), so that newly created directories get mode 750 (drwxr-x---) and newly created files get mode 640 (rw-r-----), or more restrictive:
#!/usr/bin/env bash

{
   l_output="" l_output2=""
   # Check "$l_file" for an active umask line. A restrictive value (027, 0027,
   # 077, ... or the symbolic u=rwx,g=rx,o= form, optionally followed by a
   # comment) is recorded in l_output; a value that leaves group-write or any
   # "other" bit set is recorded in l_output2. grep -s ignores missing files,
   # -i makes the match case-insensitive (login.defs uses "UMASK").
   file_umask_chk()
   {
      if grep -Psiq -- '^\h*umask\h+(0?[0-7][2-7]7|u(=[rwx]{0,3}),g=([rx]{0,2}),o=)(\h*#.*)?$' "$l_file"; then
         l_output="$l_output\n - umask is set correctly in \"$l_file\""
      elif grep -Psiq -- '^\h*umask\h+(([0-7][0-7][01][0-7]\b|[0-7][0-7][0-7][0-6]\b)|([0-7][01][0-7]\b|[0-7][0-7][0-6]\b)|(u=[rwx]{1,3},)?(((g=[rx]?[rx]?w[rx]?[rx]?\b)(,o=[rwx]{1,3})?)|((g=[wrx]{1,3},)?o=[wrx]{1,3}\b)))' "$l_file"; then
         l_output2="$l_output2\n - umask is incorrectly set in \"$l_file\""
      fi
   }
   # Files are checked in order of precedence; once a correct setting has been
   # found (l_output is non-empty) the remaining files are skipped.
   while IFS= read -r -d $'\0' l_file; do
      file_umask_chk
   done < <(find /etc/profile.d/ -type f -name '*.sh' -print0)
   [ -z "$l_output" ] && l_file="/etc/profile" && file_umask_chk
   [ -z "$l_output" ] && l_file="/etc/bashrc" && file_umask_chk
   [ -z "$l_output" ] && l_file="/etc/bash.bashrc" && file_umask_chk
   [ -z "$l_output" ] && l_file="/etc/pam.d/postlogin"
   if [ -z "$l_output" ]; then
      # pam_umask.so takes its value as a "umask=NNN" module argument on a
      # session line rather than as a "umask" line, so it needs its own patterns.
      # (The published script wrote the PASS result to l_output1, a variable
      # that is never read, so a correct pam_umask setting was never counted;
      # it is recorded in l_output here.)
      if grep -Psiq -- '^\h*session\h+[^#\n\r]+\h+pam_umask\.so\h+([^#\n\r]+\h+)?umask=(0?[0-7][2-7]7)\b' "$l_file"; then
         l_output="$l_output\n - umask is set correctly in \"$l_file\""
      elif grep -Psiq -- '^\h*session\h+[^#\n\r]+\h+pam_umask\.so\h+([^#\n\r]+\h+)?umask=(([0-7][0-7][01][0-7]\b|[0-7][0-7][0-7][0-6]\b)|([0-7][01][0-7]\b))' "$l_file"; then
         l_output2="$l_output2\n - umask is incorrectly set in \"$l_file\""
      fi
   fi
   [ -z "$l_output" ] && l_file="/etc/login.defs" && file_umask_chk
   [ -z "$l_output" ] && l_file="/etc/default/login" && file_umask_chk
   # No file at all setting a umask is also a failure.
   [[ -z "$l_output" && -z "$l_output2" ]] && l_output2="$l_output2\n - umask is not set"
   if [ -z "$l_output2" ]; then
      echo -e "\n- Audit Result:\n  ** PASS **\n - * Correctly configured * :\n$l_output\n"
   else
      echo -e "\n- Audit Result:\n  ** FAIL **\n - * Reasons for audit failure * :\n$l_output2"
      [ -n "$l_output" ] && echo -e "\n- * Correctly configured * :\n$l_output\n"
   fi
}
Remediation: run the following script and perform any remediation it recommends. Unlike the audit, it checks every file, because each weak umask line has to be corrected, not only the one that currently wins:

#!/usr/bin/env bash

{
   l_output="" l_output2="" l_out=""
   # Same patterns as the audit. A restrictive setting is noted in l_out;
   # every file containing a weak setting is collected in l_output2.
   file_umask_chk()
   {
      if grep -Psiq -- '^\h*umask\h+(0?[0-7][2-7]7|u(=[rwx]{0,3}),g=([rx]{0,2}),o=)(\h*#.*)?$' "$l_file"; then
         l_out="$l_out\n - umask is set correctly in \"$l_file\""
      elif grep -Psiq -- '^\h*umask\h+(([0-7][0-7][01][0-7]\b|[0-7][0-7][0-7][0-6]\b)|([0-7][01][0-7]\b|[0-7][0-7][0-6]\b)|(u=[rwx]{1,3},)?(((g=[rx]?[rx]?w[rx]?[rx]?\b)(,o=[rwx]{1,3})?)|((g=[wrx]{1,3},)?o=[wrx]{1,3}\b)))' "$l_file"; then
         l_output2="$l_output2\n- \"$l_file\""
      fi
   }
   while IFS= read -r -d $'\0' l_file; do
      file_umask_chk
   done < <(find /etc/profile.d/ -type f -name '*.sh' -print0)
   # Only a correct setting in /etc/profile.d/ counts as the desired end state;
   # correct settings found in the files checked below are not copied to l_output.
   [ -n "$l_out" ] && l_output="$l_out"
   l_file="/etc/profile" && file_umask_chk
   l_file="/etc/bashrc" && file_umask_chk
   l_file="/etc/bash.bashrc" && file_umask_chk
   l_file="/etc/pam.d/postlogin"
   if grep -Psiq -- '^\h*session\h+[^#\n\r]+\h+pam_umask\.so\h+([^#\n\r]+\h+)?umask=(([0-7][0-7][01][0-7]\b|[0-7][0-7][0-7][0-6]\b)|([0-7][01][0-7]\b))' "$l_file"; then
      l_output2="$l_output2\n- \"$l_file\""
   fi
   l_file="/etc/login.defs" && file_umask_chk
   l_file="/etc/default/login" && file_umask_chk
   if [ -z "$l_output2" ]; then
      echo -e " - No files contain a UMASK that is not restrictive enough\n - No UMASK updates required to existing files"
   else
      echo -e "\n - UMASK is not restrictive enough in the following file(s):$l_output2\n\n- Remediation Procedure:\n - Update these files and comment out the UMASK line\n   or update umask to be \"0027\" or more restrictive"
   fi
   if [ -n "$l_output" ]; then
      echo -e "$l_output"
   else
      echo -e " - Configure UMASK in a file in the \"/etc/profile.d/\" directory ending in \".sh\"\n\nExample Command (Hash to represent being run at a root prompt):\n\n# printf '%s\\\n' \"umask 027\" > /etc/profile.d/50-systemwide_umask.sh\n"
   fi
}
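Both scripts above apply one classification rule through a pair of PCRE patterns: a umask passes when it clears group-write and all of the "other" bits (027 or stricter), and fails when it leaves any of them set. The following is an added example, not part of the CIS benchmark or of its scripts: it implements the same rule numerically instead of by pattern, so the octal and symbolic forms share one code path and the resulting default directory and file modes can be printed, and it scans constructed sample files in a temporary directory rather than the real /etc paths. The function names, the sample file contents and the "file:value:verdict" output format are this example's own; symbolic forms other than u=,g=,o= (for example o-rwx) are deliberately reported as unparsable.

```shell
#!/usr/bin/env bash
# Added example, not the CIS benchmark's own script. Evaluates umask settings
# numerically so the octal and symbolic forms share one rule, and reports the
# default modes a given mask produces. All function names are this example's.

# Normalise an octal umask ("22", "027", "0027") or a symbolic one in the
# "u=rwx,g=rx,o=" form (what `umask -S` prints) to a three-digit octal string.
# Other symbolic forms such as "o-rwx" are not handled and return 1.
umask_to_octal() {
    local spec="$1" allowed=0 clause who perms bits pos
    local -a clauses
    local octal_re='^[0-7]{1,4}$'
    local clause_re='^([ugo])=([rwx]{0,3})$'
    if [[ "$spec" =~ $octal_re ]]; then
        printf '%03o\n' "$((8#$spec))"
        return 0
    fi
    IFS=',' read -ra clauses <<< "$spec"
    for clause in "${clauses[@]}"; do
        [[ "$clause" =~ $clause_re ]] || return 1
        who="${BASH_REMATCH[1]}" perms="${BASH_REMATCH[2]}"
        bits=0
        [[ "$perms" == *r* ]] && bits=$((bits | 4))
        [[ "$perms" == *w* ]] && bits=$((bits | 2))
        [[ "$perms" == *x* ]] && bits=$((bits | 1))
        case "$who" in u) pos=6 ;; g) pos=3 ;; *) pos=0 ;; esac
        allowed=$((allowed | (bits << pos)))
    done
    # The symbolic form lists the bits to keep; the mask is their complement.
    printf '%03o\n' "$((0777 & ~allowed))"
}

# Succeeds if the mask removes at least group-write and all "other" bits
# (027 or stricter); returns 1 if weaker, 2 if unparsable. Use in a conditional.
umask_is_restrictive() {
    local mask
    mask=$(umask_to_octal "$1") || return 2
    (( (8#$mask & 8#027) == 8#027 ))
}

# Print "<directory mode> <file mode>" that a mask yields for new objects
# (base 0777 for directories, 0666 for files created without execute bits).
umask_default_modes() {
    local mask
    mask=$(umask_to_octal "$1") || return 2
    printf '%03o %03o\n' "$((0777 & ~(8#$mask)))" "$((0666 & ~(8#$mask)))"
}

# Scan one config file for umask directives (case-insensitive, commented-out
# lines ignored) and print "<file>:<value>:ok|weak|unparsed" per directive.
# Returns 1 if any directive is weak or unparsable, 0 otherwise; a missing
# file or one that sets no umask is not a finding on its own.
check_umask_file() {
    local f="$1" line lc val status rc=0
    local re='^[[:space:]]*umask[[:space:]]+([^[:space:]#]+)'
    [[ -r "$f" ]] || return 0
    while IFS= read -r line || [[ -n "$line" ]]; do
        lc="${line,,}"
        [[ "$lc" =~ $re ]] || continue
        val="${BASH_REMATCH[1]}"
        if umask_is_restrictive "$val"; then status=0; else status=$?; fi
        case "$status" in
            0) printf '%s:%s:ok\n' "$f" "$val" ;;
            2) printf '%s:%s:unparsed\n' "$f" "$val"; rc=1 ;;
            *) printf '%s:%s:weak\n' "$f" "$val"; rc=1 ;;
        esac
    done < "$f"
    return "$rc"
}

# Constructed sample files (not real system files) covering the cases the
# audit distinguishes: correct octal, commented-out line followed by a weak
# octal, upper-case UMASK as in login.defs, correct and weak symbolic forms.
make_sample_configs() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/profile.d"
    printf 'umask 027\n' > "$d/profile.d/50-systemwide_umask.sh"
    printf '# umask 077 (commented out, ignored)\numask 022\n' > "$d/profile.d/weak.sh"
    printf 'UMASK\t077\n' > "$d/login.defs"
    printf 'umask u=rwx,g=rx,o=\numask u=rwx,g=rwx,o=rx\n' > "$d/bashrc"
    printf '%s\n' "$d"
}

# Walk the sample files in the order the audit checks them and show results.
demo_dir=$(make_sample_configs)
for f in "$demo_dir"/profile.d/*.sh "$demo_dir/bashrc" "$demo_dir/login.defs"; do
    check_umask_file "$f" || true
done
printf 'umask 027 -> new directories/files get: %s\n' "$(umask_default_modes 027)"
rm -rf "$demo_dir"
```

Running it shows why the benchmark's 027 yields 750 and 640: the mask removes bits from the 0777 and 0666 creation bases. It also shows that umask 007 is not acceptable even though it is "stricter" numerically in some positions, because it leaves group-write set, which the benchmark's weak pattern (`[0-7][01][0-7]`) catches for the same reason.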
Notes:
- This method only applies to bash and sh. If other shells are supported on the system, it is recommended that their configuration files also be checked.
- If the pam_umask.so module is going to be used to set the umask, ensure that it is not being overridden by another setting. Refer to the PAM_UMASK(8) man page for more information.