Cron programs must not set the umask to a value less restrictive than 077.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-4360	GEN003220	SV-64337r2_rule		Low

Description
The umask controls the default access mode assigned to newly created files. A umask of 077 limits new files to mode 700 or less permissive. Although umask is often represented as a 4-digit octal number, the first digit representing special access modes is typically ignored or required to be 0.

STIG	Date
Oracle Linux 5 Security Technical Implementation Guide	2017-05-18

Details

Check Text ( C-52743r5_chk )
Determine if there are any crontabs by viewing a long listing of the directory. If there are crontabs, examine them to determine what cron jobs exist. Check for any programs specifying a umask more permissive than 077: Procedure: # ls -lL /var/spool/cron # ls -lL /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly or # ls -lL /etc/cron.*\|grep -v deny # cat # grep umask If there are no cron jobs present, this vulnerability is not applicable. If any cron job contains a umask more permissive than 077, this is a finding.

Check Text ( C-52743r5_chk )

Determine if there are any crontabs by viewing a long listing of the directory. If there are crontabs, examine them to determine what cron jobs exist. Check for any programs specifying a umask more permissive than 077:

Procedure:

# ls -lL /var/spool/cron

# ls -lL /etc/cron.d /etc/cron.daily /etc/cron.hourly /etc/cron.monthly /etc/cron.weekly
or
# ls -lL /etc/cron.*|grep -v deny

# cat
# grep umask

If there are no cron jobs present, this vulnerability is not applicable. If any cron job contains a umask more permissive than 077, this is a finding.

Fix Text (F-54923r1_fix)
Edit cron script files and modify the umask to 077.