
5.6.5 Ensure default user umask is 027 or more restrictive: CIS-CAT check fails. #107

Closed
brisky opened this issue Oct 31, 2023 · 4 comments · Fixed by #112
Assignees
Labels
bug Something isn't working question Further information is requested

Comments

@brisky
Contributor

brisky commented Oct 31, 2023

Describe the Issue
CIS-CAT fails this test because it expects the entry
session required pam_umask.so
in /etc/pam.d/system-auth.

The remediation does not cover this issue.

Expected Behavior
CIS-CAT Assessment pass.

Actual Behavior
CIS-CAT Assessment fail.

Control(s) Affected
5.6.5 Ensure default user umask is 027 or more restrictive.

Environment :

  • branch being used: devel
  • Ansible Version: 2.15.4
  • Host Python Version: 3.9.6
  • Ansible Server Python Version: 3.9.16
  • Additional Details: N/A

Additional Notes
N/A

Possible Solution
Fix in cis_5.6.x.yml:

      - name: "5.6.5 | PATCH | Ensure default user umask is 027 or more restrictive | Force umask on sessions /etc/pam.d/system-auth"
        ansible.builtin.lineinfile:
            path: /etc/pam.d/system-auth
            # match an existing line regardless of spacing so the task stays idempotent
            regexp: '^\s*session\s+required\s+pam_umask\.so'
            line: 'session     required            pam_umask.so'
            insertafter: EOF
@brisky brisky added the bug Something isn't working label Oct 31, 2023
@brisky brisky closed this as completed Oct 31, 2023
@brisky brisky reopened this Oct 31, 2023
@uk-bolly
Member

hi @brisky

I'm afraid this is another one of the false positives, I believe. For this control there are two documented ways of doing it. We have chosen to do the second way with a script. In this case we could create a whole new optional plan that lets the user decide which way to implement it. But I believe the scanners still check for both?

Example:
Run the following command and remove or modify the umask of any returned files: Follow one of the following methods to set the default user umask:

Edit /etc/login.defs and edit the UMASK and USERGROUPS_ENAB lines as follows:
Edit the files /etc/pam.d/password-auth and /etc/pam.d/system-auth and add or edit the following:
    session     optional      pam_umask.so

OR configure umask in one of the following files:

  • A file in the /etc/profile.d/ directory ending in .sh
  • /etc/profile
  • /etc/bashrc

Example: /etc/profile.d/set_umask.sh
    umask 027

I hope that helps?

thanks

uk-bolly
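As an added example (not code from the ansible-lockdown collection, from CIS-CAT, or from either commenter), the following POSIX shell script audits a host against both remediation methods quoted above: the /etc/login.defs plus pam_umask.so route, and the /etc/profile, /etc/bashrc and /etc/profile.d/*.sh route. The ROOT prefix variable and the directory tree built by make_fixture are assumptions constructed here so the checks run offline; on a real host leave ROOT empty. Only lines that begin with umask (or UMASK in login.defs) are inspected, so a value set inside a one-line if/else is not seen.

```shell
#!/bin/sh
# Added audit helper (not part of the ansible-lockdown collection or CIS-CAT):
# checks a host against the two remediation methods quoted for CIS 5.6.5.
# ROOT is an assumed prefix so the checks can run against a constructed
# directory tree instead of the live / (leave it empty on a real host).
ROOT="${ROOT:-}"

# 0 when an octal umask string is 027 or more restrictive: "others" must be
# denied everything (7) and "group" must at least lose write (bit value 2).
# Accepts 3- or 4-digit values such as 027 or 0027; anything else fails.
umask_restrictive() {
    v="$1"
    case "$v" in
        [0-7][0-7][0-7]|[0-7][0-7][0-7][0-7]) ;;
        *) return 1 ;;
    esac
    o="${v#"${v%?}"}"          # last digit: others
    rest="${v%?}"
    g="${rest#"${rest%?}"}"    # next-to-last digit: group
    [ "$o" -eq 7 ] && [ $(( g & 2 )) -eq 2 ]
}

# Method 1: UMASK in /etc/login.defs plus a pam_umask.so session line in both
# /etc/pam.d/password-auth and /etc/pam.d/system-auth ("optional" as quoted
# from the benchmark, or "required" as in the task proposed in the issue).
pam_umask_configured() {
    defs="$ROOT/etc/login.defs"
    [ -f "$defs" ] || return 1
    v=$(sed 's/#.*//' "$defs" | awk '$1 == "UMASK" { print $2 }' | tail -n 1)
    umask_restrictive "$v" || return 1
    for f in "$ROOT/etc/pam.d/password-auth" "$ROOT/etc/pam.d/system-auth"; do
        [ -f "$f" ] || return 1
        grep -Eq '^[[:space:]]*session[[:space:]]+(required|optional)[[:space:]]+pam_umask\.so' "$f" \
            || return 1
    done
    return 0
}

# Method 2: every "umask NNN" line in /etc/profile, /etc/bashrc and
# /etc/profile.d/*.sh is 027 or stricter, and at least one such line exists.
# A single weaker line anywhere fails the check, because it would override
# an earlier stricter setting for interactive shells.
shell_umask_configured() {
    found=0
    for f in "$ROOT/etc/profile" "$ROOT/etc/bashrc" "$ROOT"/etc/profile.d/*.sh; do
        [ -f "$f" ] || continue
        for v in $(sed 's/#.*//' "$f" | awk '$1 == "umask" { print $2 }'); do
            umask_restrictive "$v" || return 1
            found=1
        done
    done
    [ "$found" -eq 1 ]
}

# Reports both methods and exits 0 if either passes (what the benchmark text
# requires), so a scanner that insists on both can be told apart from a real gap.
audit_umask() {
    pam=fail; prof=fail
    pam_umask_configured && pam=pass
    shell_umask_configured && prof=pass
    echo "login.defs+pam_umask=$pam profile_umask=$prof"
    [ "$pam" = pass ] || [ "$prof" = pass ]
}

# Constructed fixture mirroring the report: method 2 applied through
# /etc/profile.d/set_umask.sh, no pam_umask line, login.defs left at 022.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/etc/pam.d" "$d/etc/profile.d"
    printf 'auth     required   pam_unix.so\nsession  optional   pam_keyinit.so\n' \
        > "$d/etc/pam.d/system-auth"
    cp "$d/etc/pam.d/system-auth" "$d/etc/pam.d/password-auth"
    printf 'UMASK 022\nUSERGROUPS_ENAB yes\n' > "$d/etc/login.defs"
    printf '# set by the hardening role\numask 027\n' > "$d/etc/profile.d/set_umask.sh"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    ROOT=$(make_fixture)
    audit_umask    # prints: login.defs+pam_umask=fail profile_umask=pass
fi
```

Run it with --demo to reproduce the situation in the report: method 2 passes while method 1 fails, which is what a scanner that checks both will report as a failure even though the benchmark text only requires one.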

@brisky
Contributor Author

brisky commented Oct 31, 2023

Yes, the scanner still checks for both, that's why.

@uk-bolly
Member

hi @brisky

Thank you for confirming. So it is checking for both, but only one requires setting to adhere to their baseline.
I will look to see if we can add the user option as mentioned; this will be added to the current workload.

many thanks

uk-bolly

@uk-bolly uk-bolly self-assigned this Jan 18, 2024
@uk-bolly uk-bolly added the question Further information is requested label Jan 18, 2024
@uk-bolly
Member

hi @brisky

Getting a chance to look at this again: no matter what we do, we could apply one way or the other, and the scanner will still give out a false positive, unless you are able to configure it to pass if one of the methods passes?
So as this currently stands, unless we add more config and another option to allow users to configure how they like, this will still have no impact on the false positive.

I don't believe, as it stands, that this is a bug, as one of the required methods is being adhered to.
We would just be trying to solve another product's issue.

thanks

uk-bolly
