Articles in this section

See more

Rule Check: Home Directory Files Have No Invalid umask Commands

Avatar
dbice
Updated
Follow

 Previous Topic

Next Topic 

Monitoring Server Configuration Security  >  Configuration Policy Rule Checks  >  Home Directory Files Have No Invalid umask Commands

Rule Check: Home Directory Files Have No Invalid umask Commands

The Home Directory Files Have No Invalid umask Commands check verifies that the specified startup scripts in the home directory of the specified user (or users) include only appropriate umask commands.\

If you are adding this check to a configuration policy rule, you specify what umask values are to be considered invalid. In general, umasks with low values are less safe because the result of their application is that overly permissive files are created. Also, because a global umask exists, in most cases it is not appropriate for individual users to override it.

The check examines all matching files in each specified user's home directory. The check fails for an individual user if any matching files contain invalid umask commands, and it passes for that user if not. The check is indeterminate for any user whose account does not exist, or who has no defined home directory, or whose defined home directory does not actually exist.

If the check fails for a given set of umask values, the username, home directory path, filename, and actual umask value are displayed in the scan results.

Note: Files larger than 10KB are ignored, even if they match the file specifications in this check.

ParametersDescription
User(s)

The list of names to check. Can be a single account name, a comma-delimited list of account names (maximum length = 255 characters), or the keyword ALL (must be capitalized - "all" is treated as a username). The UID cannot be used. Wildcards are not supported. Extra spaces are ignored. All usernames are case-sensitive.

Use the NOT operator to specify that all users except the specified ones should be checked.

Some valid examples are:

  • root
  • susang, susanh
  • root, admin, sysadmin204
  • ALL
  • NOT: root, admin

Some examples that will not work:

  • root, 0
File(s)

The list of files to check. Can be any valid path to a single file, a comma-delimited list of paths to individual files, a single wildcard file path, or a comma-delimited list of wildcard file paths. All paths are relative to the specified user's home directory and cannot start with a slash.

Note: The asterisk (*) and the question mark(?) are the acceptable wildcard characters. The asterisk matches any number of filename characters, and the question mark matches any single character.

Some valid examples:

  • .profile
  • .profile, myscripts/.bash_profile
  • myscripts/bash_startup*
  • myscripts/bash_startup?

Some examples that will not work:

  • /home/susanh/myscripts/.bash_profile
  • myscripts/
Should have umask

Specify the desired umask value in octal notation. Wildcards and the NOT operator are supported.

The values entered in this field are the values that are acceptable for umask commands in matching files. If NOT is used, none of the listed values is acceptable.

Some valid examples:

  • 111
  • 111,027
  • 01?, 0*
  • NOT: 025, 022, 020, 01*, 00*

Some examples that will not work:

  • rwxr--r--
  • 0123
Remedial Suggestion (optional)

Optional suggestion

 

 

Download the full PDF of: Monitoring Server Configuration Security

 

Comments

0 comments

Please sign in to leave a comment.

Powered by Zendesk