From cb299dd0ce870d55cb530bc5e5ad9a9f52734bf4 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 19 Jan 2021 09:42:26 +0100
Subject: [PATCH] Add metadata to ANSSI R35

Current implementation cannot differentiate between system and
standard user umask; they are both set to the same value.
---
controls/anssi.yml | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index dec9d68c99..621996e985 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -572,10 +572,18 @@ controls:
only be read by the user and his group, and be editable only by his owner).
The umask for users must be set to 0077 (any file created by a user is
readable and editable only by him).
+ notes: >-
+ There is no simple way to check and remediate different umask values for
+ system and standard users reliably.
+ The different values are set in a conditional clause in a shell script
+ (e.g. /etc/profile or /etc/bashrc).
+ The current implementation checks and fixes both umask to the same value.
+ automated: partially
rules:
- var_accounts_user_umask=077
- accounts_umask_etc_login_defs
- accounts_umask_etc_profile
+ - accounts_umask_etc_bashrc
- id: R36
title: Rights to access sensitive content files
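Review bot: the added `notes` block (the lines from `+ There is no simple way to check and remediate different umask values for` down to `+ The current implementation checks and fixes both umask to the same value.`) should state which single value is applied and in which direction it deviates from the control text directly above it. The rules list pins `var_accounts_user_umask=077`, so the system-account umask is enforced at 077, i.e. tighter than the group-readable default the preceding control text describes rather than looser; say so explicitly (e.g. "both are set to 077, which is stricter than required for system accounts") so an assessor reading `automated: partially` knows the residual gap is a stricter-than-required setting, not an unenforced one. Two smaller points in the same note: "fixes both umask" should be "fixes both umasks", and since the note names `/etc/bashrc` as a place where the conditional lives, it is worth mentioning that the newly listed `accounts_umask_etc_bashrc` rule is what covers that file alongside `accounts_umask_etc_profile` and `accounts_umask_etc_login_defs`.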