5.6.5 Ensure default user umask is 027 or more restrictive: CIS-CAT check fails. #107
Comments
Hi @brisky, I'm afraid this is another one of the false positives, I believe. For this control there are two documented ways of doing it. We have chosen to do the second way with a script. In this case we could create a whole new optional plan that is to be used to decide which way to implement it. But I believe the scanner still checks for both?
I hope that helps? Thanks, uk-bolly
Yes, the scanner still checks for both, that's why.
Hi @brisky, thank you for confirming, so it is checking for both but only one requires setting to adhere to their baseline. Many thanks, uk-bolly
Hi @brisky, getting a chance to look at this again: no matter what we do, we could apply one way or the other. The scanner will still give out a false positive, unless you are able to configure it to pass if one of the methods passes? I don't believe as it stands that this is a bug, as one of the required methods is being adhered to. Thanks, uk-bolly
Describe the Issue
CIS-CAT fails for this test, because it expects an entry
session required pam_umask.so
in
/etc/pam.d/system-auth
Remediation does not cover issue.
Expected Behavior
CIS-CAT Assessment pass.
Actual Behavior
CIS-CAT Assessment fail.
Control(s) Affected
5.6.5 Ensure default user umask is 027 or more restrictive.
Environment:
Additional Notes
N/A
Possible Solution
Fix on cis_5.6.x.yml
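
The "pass if one of the methods passes" logic discussed in this thread, as an added example (not code from this project or from CIS-CAT). The function names are hypothetical, and the script assumes that the "script" method means a `umask` line in the shell startup files and that the pam_umask method takes its value from `UMASK` in `/etc/login.defs`.

```shell
#!/bin/sh
# Added example: CIS 5.6.5 audit where either documented method is sufficient.
# Paths are resolved under ROOT so the audit can run against a fixture tree.

# True when an octal mask is 027 or more restrictive (clears at least those bits).
umask_ok() {
    case "$1" in ''|*[!0-7]*) return 1 ;; esac
    [ $(( 0$1 & 027 )) -eq $(( 027 )) ]
}

# Method 1: pam_umask.so session line plus UMASK in login.defs (assumed source).
pam_method_ok() {
    grep -Eq '^[[:space:]]*session[[:space:]]+[^#[:space:]]+[[:space:]]+pam_umask\.so' \
        "$1/etc/pam.d/system-auth" 2>/dev/null || return 1
    mask=$(awk '$1 == "UMASK" { m = $2 } END { print m }' "$1/etc/login.defs" 2>/dev/null)
    umask_ok "$mask"
}

# Method 2: umask set in shell startup files (assumed meaning of "with a script").
script_method_ok() {
    found=1
    for f in "$1/etc/profile" "$1/etc/bashrc" "$1"/etc/profile.d/*.sh; do
        [ -f "$f" ] || continue
        for mask in $(awk '$1 == "umask" && $2 ~ /^[0-7]+$/ { print $2 }' "$f"); do
            umask_ok "$mask" || return 1   # one weaker setting fails the method
            found=0
        done
    done
    return "$found"
}

# Report each method separately; the control passes when either one does.
audit_umask() {
    rc=1
    if pam_method_ok "$1"; then echo "pam_umask: PASS"; rc=0; else echo "pam_umask: FAIL"; fi
    if script_method_ok "$1"; then echo "startup files: PASS"; rc=0; else echo "startup files: FAIL"; fi
    return "$rc"
}

# Constructed fixture mirroring the issue: script method applied, no pam_umask line.
demo() {
    t=$(mktemp -d) && mkdir -p "$t/etc/pam.d" "$t/etc/profile.d"
    printf 'session required pam_limits.so\n' > "$t/etc/pam.d/system-auth"
    printf 'umask 027\n' > "$t/etc/profile.d/set_umask.sh"
    audit_umask "$t"; status=$?
    rm -rf "$t"
    return "$status"
}
demo
```

Run against a live host with `audit_umask /`; the per-method lines show which of the two checks a scanner that requires both would report as failed.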