Openembedded Core Discussions
* [PATCH] STIG: The system default umask in /etc/login.defs must be 077
@ 2016-04-06 17:01 Alexandru Moise
  2016-07-14  7:47 ` Kang Kai
  0 siblings, 1 reply; 2+ messages in thread
From: Alexandru Moise @ 2016-04-06 17:01 UTC (permalink / raw)
  To: openembedded-core

The umask value influences the permissions assigned to files when they
are created. A misconfigured umask value could result in files with
excessive permissions that can be read and/or written to by unauthorized
users.

Also modify /etc/profile in base-files because the /etc/profile file
overloads the behavior of /etc/login.defs, so if we desire the
functionality provided by setting umask to 077 we should set it in
login.defs to adhere to STIG but also set it in /etc/profile to have the
intended functionality.

Signed-off-by: Alexandru Moise <alexandru.moise@windriver.com>
---
 meta/recipes-core/base-files/base-files/profile    |  2 +-
 ...stem-default-umask-in-etc-login.defs-to-0.patch | 29 ++++++++++++++++++++++
 meta/recipes-extended/shadow/shadow.inc            |  1 +
 3 files changed, 31 insertions(+), 1 deletion(-)
 create mode 100644 meta/recipes-extended/shadow/files/0001-STIG-set-system-default-umask-in-etc-login.defs-to-0.patch

diff --git a/meta/recipes-core/base-files/base-files/profile b/meta/recipes-core/base-files/base-files/profile
index 53c2680..f48a3c0 100644
--- a/meta/recipes-core/base-files/base-files/profile
+++ b/meta/recipes-core/base-files/base-files/profile
@@ -32,5 +32,5 @@ fi
 
 export PATH PS1 OPIEDIR QPEDIR QTDIR EDITOR TERM
 
-umask 022
+umask 077
 
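Review bot: `umask 077` in the base-files profile changes the default for every interactive login on every image that ships base-files, not only STIG-targeted builds, and per the commit message this is the line that actually takes effect because /etc/profile overrides what login(1) set from login.defs. Consider letting the distro choose the value (for example a hypothetical `PROFILE_UMASK` variable substituted when the recipe installs this file, or a separate profile variant) so that 022 stays the OE-core default and 077 is opt-in.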
diff --git a/meta/recipes-extended/shadow/files/0001-STIG-set-system-default-umask-in-etc-login.defs-to-0.patch b/meta/recipes-extended/shadow/files/0001-STIG-set-system-default-umask-in-etc-login.defs-to-0.patch
new file mode 100644
index 0000000..c0d6ee7
--- /dev/null
+++ b/meta/recipes-extended/shadow/files/0001-STIG-set-system-default-umask-in-etc-login.defs-to-0.patch
@@ -0,0 +1,29 @@
+From dd2295715fabd823f01656cef0393cedc5a4bc34 Mon Sep 17 00:00:00 2001
+From: Alexandru Moise <alexandru.moise@windriver.com>
+Date: Wed, 6 Apr 2016 05:45:58 +0000
+Subject: [PATCH] STIG: set system default umask in /etc/login.defs to 077
+
+Conform to STIG standard:
+https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38645
+
+Signed-off-by: Alexandru Moise <alexandru.moise@windriver.com>
+---
+ etc/login.defs | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/etc/login.defs b/etc/login.defs
+index 8dd7c44..e2a8a65 100644
+--- a/etc/login.defs
++++ b/etc/login.defs
+@@ -190,7 +190,7 @@ KILLCHAR	025
+ # 022 is the default value, but 027, or even 077, could be considered
+ # for increased privacy. There is no One True Answer here: each sysadmin
+ # must make up his/her mind.
+-UMASK		022
++UMASK		077
+ 
+ #
+ # Password aging controls:
+-- 
+2.5.0
+
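Review bot: the new patch file has no `Upstream-Status:` line, which OE-core requires for every patch under meta/; since this is a distro policy choice rather than a bug fix, `Upstream-Status: Inappropriate [configuration]` fits. Inside the embedded diff, the comment kept above the value ("022 is the default value, but 027, or even 077, could be considered") now contradicts the setting and should be reworded. Also worth stating in the commit message: shadow's useradd derives the mode of a newly created home directory from this UMASK (0777 masked by it), so with 077 every new home directory becomes 0700, which goes beyond the login-time behaviour the message describes.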
diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc
index 4313ffe..9337493 100644
--- a/meta/recipes-extended/shadow/shadow.inc
+++ b/meta/recipes-extended/shadow/shadow.inc
@@ -16,6 +16,7 @@ SRC_URI = "http://pkg-shadow.alioth.debian.org/releases/${BPN}-${PV}.tar.xz \
            file://fix-installation-failure-with-subids-disabled.patch \
            file://0001-Do-not-read-login.defs-before-doing-chroot.patch \
            file://check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch \
+	   file://0001-STIG-set-system-default-umask-in-etc-login.defs-to-0.patch \
            ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
            "
 
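Review bot: the added `file://` line is indented with a tab while the neighbouring SRC_URI entries use spaces; align it with spaces. Beyond style, adding the patch unconditionally makes 077 the shipped login.defs default for every OE-core build of shadow; gating it behind a PACKAGECONFIG option or a DISTRO_FEATURES check, in the same `bb.utils.contains` style already used for pam on the next line, would let distros that do not target the STIG keep the upstream 022 default that the login.defs comment itself describes as a per-sysadmin decision.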
-- 
2.7.4
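As an added example (not part of the patch or of OE-core), the script below shows what umask 022 versus 077 does to new file and directory modes, then applies the override rule from the commit message (a `umask` line in /etc/profile wins over `UMASK` in login.defs) to a constructed login.defs/profile pair; the sample files and function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the patch: compute the modes a given umask
# yields, then check a login.defs/profile pair the way the commit message
# describes, where a "umask" line in /etc/profile overrides login.defs UMASK.

# Mode of a new regular file: creat() asks for 0666 and the umask clears bits.
file_mode_for_umask() {
    printf '%04o\n' $(( 0666 & ~0$1 ))
}

# Mode of a new directory (mkdir asks for 0777); useradd uses UMASK this way.
dir_mode_for_umask() {
    printf '%04o\n' $(( 0777 & ~0$1 ))
}

# First uncommented UMASK value in a login.defs-style file ("" if unset).
login_defs_umask() {
    awk '$1 == "UMASK" { print $2; exit }' "$1"
}

# Last "umask NNN" line in a profile-style file ("" if it sets none), since
# a later umask replaces whatever login(1) applied from login.defs.
profile_umask() {
    awk '$1 == "umask" { v = $2 } END { print v }' "$1"
}

# Succeeds only when login.defs carries the wanted value and the profile
# either leaves the umask alone or sets the same value.
umask_compliant() {
    want=$1
    d=$(login_defs_umask "$2")
    p=$(profile_umask "$3")
    [ "$d" = "$want" ] && { [ -z "$p" ] || [ "$p" = "$want" ]; }
}

# Constructed samples: "old" is the pre-patch 022 state, "new" the 077 state.
SAMPLE_DIR=$(mktemp -d)
printf 'KILLCHAR\t025\n# 022 is the default value\nUMASK\t\t022\n' > "$SAMPLE_DIR/login.defs.old"
printf 'KILLCHAR\t025\nUMASK\t\t077\n' > "$SAMPLE_DIR/login.defs.new"
printf 'export PATH PS1\numask 022\n' > "$SAMPLE_DIR/profile.old"
printf 'export PATH PS1\numask 077\n' > "$SAMPLE_DIR/profile.new"

# Every combination, including the half-applied one the commit message warns about.
for defs in old new; do
    for prof in old new; do
        if umask_compliant 077 "$SAMPLE_DIR/login.defs.$defs" "$SAMPLE_DIR/profile.$prof"; then
            echo "login.defs=$defs profile=$prof: 077 in effect, new files get $(file_mode_for_umask 077)"
        else
            echo "login.defs=$defs profile=$prof: not compliant"
        fi
    done
done
```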




* Re: [PATCH] STIG: The system default umask in /etc/login.defs must be 077
  2016-04-06 17:01 [PATCH] STIG: The system default umask in /etc/login.defs must be 077 Alexandru Moise
@ 2016-07-14  7:47 ` Kang Kai
  0 siblings, 0 replies; 2+ messages in thread
From: Kang Kai @ 2016-07-14  7:47 UTC (permalink / raw)
  To: Alexandru Moise, openembedded-core

On 2016-04-07 01:01, Alexandru Moise wrote:
> The umask value influences the permissions assigned to files when they
> are created. A misconfigured umask value could result in files with
> excessive permissions that can be read and/or written to by unauthorized
> users.
>
> Also modify /etc/profile in base-files because the /etc/profile file
> overloads the behavior of /etc/login.defs, so if we desire the
> functionality provided by setting umask to 077 we should set it in
> login.defs to adhere to STIG but also set it in /etc/profile to have the
> intended functionality.
>
> Signed-off-by: Alexandru Moise <alexandru.moise@windriver.com>
> ---

Ping.


>   meta/recipes-core/base-files/base-files/profile    |  2 +-
>   ...stem-default-umask-in-etc-login.defs-to-0.patch | 29 ++++++++++++++++++++++
>   meta/recipes-extended/shadow/shadow.inc            |  1 +
>   3 files changed, 31 insertions(+), 1 deletion(-)
>   create mode 100644 meta/recipes-extended/shadow/files/0001-STIG-set-system-default-umask-in-etc-login.defs-to-0.patch
>
> diff --git a/meta/recipes-core/base-files/base-files/profile b/meta/recipes-core/base-files/base-files/profile
> index 53c2680..f48a3c0 100644
> --- a/meta/recipes-core/base-files/base-files/profile
> +++ b/meta/recipes-core/base-files/base-files/profile
> @@ -32,5 +32,5 @@ fi
>   
>   export PATH PS1 OPIEDIR QPEDIR QTDIR EDITOR TERM
>   
> -umask 022
> +umask 077
>   
> diff --git a/meta/recipes-extended/shadow/files/0001-STIG-set-system-default-umask-in-etc-login.defs-to-0.patch b/meta/recipes-extended/shadow/files/0001-STIG-set-system-default-umask-in-etc-login.defs-to-0.patch
> new file mode 100644
> index 0000000..c0d6ee7
> --- /dev/null
> +++ b/meta/recipes-extended/shadow/files/0001-STIG-set-system-default-umask-in-etc-login.defs-to-0.patch
> @@ -0,0 +1,29 @@
> +From dd2295715fabd823f01656cef0393cedc5a4bc34 Mon Sep 17 00:00:00 2001
> +From: Alexandru Moise <alexandru.moise@windriver.com>
> +Date: Wed, 6 Apr 2016 05:45:58 +0000
> +Subject: [PATCH] STIG: set system default umask in /etc/login.defs to 077
> +
> +Conform to STIG standard:
> +https://www.stigviewer.com/stig/red_hat_enterprise_linux_6/2015-05-26/finding/V-38645
> +
> +Signed-off-by: Alexandru Moise <alexandru.moise@windriver.com>
> +---
> + etc/login.defs | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/etc/login.defs b/etc/login.defs
> +index 8dd7c44..e2a8a65 100644
> +--- a/etc/login.defs
> ++++ b/etc/login.defs
> +@@ -190,7 +190,7 @@ KILLCHAR	025
> + # 022 is the default value, but 027, or even 077, could be considered
> + # for increased privacy. There is no One True Answer here: each sysadmin
> + # must make up his/her mind.
> +-UMASK		022
> ++UMASK		077
> +
> + #
> + # Password aging controls:
> +--
> +2.5.0
> +
> diff --git a/meta/recipes-extended/shadow/shadow.inc b/meta/recipes-extended/shadow/shadow.inc
> index 4313ffe..9337493 100644
> --- a/meta/recipes-extended/shadow/shadow.inc
> +++ b/meta/recipes-extended/shadow/shadow.inc
> @@ -16,6 +16,7 @@ SRC_URI = "http://pkg-shadow.alioth.debian.org/releases/${BPN}-${PV}.tar.xz \
>              file://fix-installation-failure-with-subids-disabled.patch \
>              file://0001-Do-not-read-login.defs-before-doing-chroot.patch \
>              file://check_size_of_uid_t_and_gid_t_using_AC_CHECK_SIZEOF.patch \
> +	   file://0001-STIG-set-system-default-umask-in-etc-login.defs-to-0.patch \
>              ${@bb.utils.contains('PACKAGECONFIG', 'pam', '${PAM_SRC_URI}', '', d)} \
>              "
>   


-- 
Regards,
Neil | Kai Kang



