AlmaLinux OS 9 must set the umask value to 077 for all local interactive user accounts.

STIG ID: ALMA-09-017510  |  SRG: SRG-OS-000480-GPOS-00228 |  Severity: medium |  CCI: CCI-000366 |  Vulnerability Id: V-269234

Vulnerability Discussion

Setting the most restrictive default permissions ensures that when new accounts are created they do not have unnecessary access.

With a UMASK of 077, files will be created with 0600 permissions (owner read/write only) and directories will have 0700 permissions (owner read/write/execute only).

Check

Verify that the default umask for all local interactive users is "077".

Identify the locations of all local interactive user home directories by looking at the "/etc/passwd" file.

Check all local interactive user initialization files for interactive users with the following command:

Note: The example is for a system that is configured to create users home directories in the "/home" directory.

$ grep -ir umask /home | grep -v '.bash_history'

If any local interactive user initialization files are found to have a umask statement that sets a value less restrictive than "077", this is a finding.

Fix

Remove the umask statement from all local interactive user's initialization files.

If the account is for an application, the requirement for a umask less restrictive than "077" can be documented with the information system security officer (ISSO), but the user agreement for access to the account must specify that the local interactive user must first log on to their account and then switch the user to the application account with the correct option to gain the account's environment variables.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.