OL 8 default permissions must be defined in such a way that all authenticated users can read and modify only their own files.

STIG ID: OL08-00-020351  |  SRG: SRG-OS-000480-GPOS-00228 | Severity: medium |  CCI: CCI-000366

Vulnerability Discussion

Setting the most restrictive default permissions ensures that when new accounts are created, they do not have unnecessary access.

Check

Verify OL 8 defines default permissions for all authenticated users in such a way that the user can read and modify only their own files with the following command:

$ sudo grep -i "umask" /etc/login.defs

UMASK 077

If the "UMASK" variable is set to "000", this is a finding with the severity raised to a CAT I.

If the value of "UMASK" is not set to "077", "UMASK" is commented out, or "UMASK" is missing completely, this is a finding.

Fix

Configure OL 8 to define the default permissions for all authenticated users in such a way that the user can read and modify only their own files.

Edit the "UMASK" parameter in the "/etc/login.defs" file to match the example below:

UMASK 077
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.