f422da8599
Add support for the openSUSE Leap distributions. The security rules are similar to the RedHat and Ubuntu ones. We also replace ansible_os_family with ansible_pkg_mgr since the former does not return consistent results across different SUSE distributions especially on older Ansible versions. Change-Id: I20ffe17039bb641aad70d8123f0b7e7417a42cba
1.5 KiB
---id: V-71995 status: opt-in - Ubuntu and SUSE only tag: accounts ---
The STIG requires that the umask for all authenticated users is
077. This ensures that all new files and directories
created by a user are accessible only by that user.
Although this change has a significant security benefit, it can cause problems for users who are not expecting the change. The security role will not adjust the umask by default.
Deployers can opt-in for the change by setting the default umask with an Ansible variable:
security_shadow_utils_umask: 077Note
Ubuntu, openSUSE Leap and SUSE Linux Enterpsise 12 use
pam_umask and it uses the default umask provided by the
UMASK line in /etc/login.defs. The default
setting on Ubuntu, openSUSE Leap and SUSE Linux Enterprise 12 systems is
022. This allows the user's group and other users on the
system to read and execute files, but they cannot write to them.
CentOS and Red Hat Enterprise Linux do not use pam_umask
and instead set a default umask of 0002 for regular users
and 0022 for root. This gives the regular user's group full
access to newly created files, but other users cannot write to those
files.
The tasks for this STIG requirement are not currently applied to CentOS and Red Hat Enterprise Linux systems. See Launchpad Bug #1656003 for more details.