UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

"At" jobs must not set the umask to a value less restrictive than 077.


Overview

Finding ID Version Rule ID IA Controls Severity
V-4366 GEN003440 SV-34996r1_rule ECCD-1 ECCD-2 Medium
Description
The umask controls the default access mode assigned to newly created files. An umask of 077 limits new files to mode 700 or less permissive. Although umask is often represented as a 4-digit number, the first digit representing special access modes is typically ignored or required to be 0.
STIG Date
HP-UX 11.23 Security Technical Implementation Guide 2015-06-12

Details

Check Text ( C-34871r1_chk )
Determine what at jobs exist on the system.
Procedure:

# ls /var/spool/cron/atjobs

If there are no at jobs present, this is not applicable.

Determine if any of the at jobs or any scripts referenced execute the umask command. Check for any umask setting more permissive than 077.

# grep -n umask

If any at job or referenced script sets umask to a value more permissive than 077, this is a finding.

NOTE: The at facility will set the execution environment umask to 022. A grep of the at file will normally yield a line in the file that may look like umask 2. When examining any at job command file, this should not be mistaken for a user defined umask (re-)setting.
Fix Text (F-30201r1_fix)
Edit at jobs or referenced scripts to remove umask commands setting the umask value more permissive than 077.