Rule Check: Home Directory Files Have No Invalid umask Commands

The Home Directory Files Have No Invalid umask Commands check verifies that the specified startup scripts in the home directory of the specified user (or users) include only appropriate umask commands.\

If you are adding this check to a configuration policy rule, you specify what umask values are to be considered invalid. In general, umasks with low values are less safe because the result of their application is that overly permissive files are created. Also, because a global umask exists, in most cases it is not appropriate for individual users to override it.

The check examines all matching files in each specified user's home directory. The check fails for an individual user if any matching files contain invalid umask commands, and it passes for that user if not. The check is indeterminate for any user whose account does not exist, or who has no defined home directory, or whose defined home directory does not actually exist.

If the check fails for a given set of umask values, the username, home directory path, filename, and actual umask value are displayed in the scan results.

Note: Files larger than 10KB are ignored, even if they match the file specifications in this check.

Parameters	Description
User(s)	The list of names to check. Can be a single account name, a comma-delimited list of account names (maximum length = 255 characters), or the keyword ALL (must be capitalized - "all" is treated as a username). The UID cannot be used. Wildcards are not supported. Extra spaces are ignored. All usernames are case-sensitive. Use the NOT operator to specify that all users except the specified ones should be checked. Some valid examples are: `root` `susang, susanh` `root, admin, sysadmin204` `ALL` `NOT: root, admin` Some examples that will not work: `root, 0`
File(s)	The list of files to check. Can be any valid path to a single file, a comma-delimited list of paths to individual files, a single wildcard file path, or a comma-delimited list of wildcard file paths. All paths are relative to the specified user's home directory and cannot start with a slash. Note: The asterisk (*``) and the question mark(`?`*) are the acceptable wildcard characters. The asterisk matches any number of filename characters, and the question mark matches any single character. Some valid examples: `.profile` `.profile, myscripts/.bash_profile` `myscripts/bash_startup` `myscripts/bash_startup?` Some examples that will not work: `/home/susanh/myscripts/.bash_profile` `myscripts/`
Should have umask	Specify the desired `umask` value in octal notation. Wildcards and the NOT operator are supported. The values entered in this field are the values that are acceptable for `umask` commands in matching files. If NOT is used, none of the listed values is acceptable. Some valid examples: `111` `111,027` `01?, 0` `NOT: 025, 022, 020, 01, 00*` Some examples that will not work: `rwxr--r--` `0123`
Remedial Suggestion (optional)	Optional suggestion

Articles in this section

Rule Check: Home Directory Files Have No Invalid umask Commands