ansible-lockdown / AMAZON2023-CIS

Ansible role for Amazon2023 CIS Baseline
https://ansible-lockdown.readthedocs.io/en/latest/
MIT License

4.6.5 | PATCH | Ensure default user umask is 027 or more restrictive .. is missing check intentional? #81

Open m-j-gardner opened 2 months ago

m-j-gardner commented 2 months ago

Question

Hi,

I'm in the process of comparing what the CIS hardening script does vs what the AMAZON2023-CIS ansible-lockdown playbook does against an AWS AL2023 EC2 instance, by running the playbook, rebooting the host, running the script against it and then having a look at what the script remediates, i.e. finding stuff that the playbook hasn't done. I'm only running the level1 tasks (it's to convince those upstairs to use the playbook rather than the script).

The script appears to be performing an additional check/remediation in "4.6.5 | PATCH | Ensure default user umask is 027 or more restrictive" for some /etc/pam.d files (see output below).

Has this been omitted from the playbook on purpose?

Thanks.

Environment:

uk-bolly commented 1 month ago

hi @m-j-gardner

Thank you for the feedback and taking the time to raise this issue. I've gone back and checked the documentation for the benchmark (I have also checked the online version and this is still the same, with no ticket open for changes needed).

There appear to be two ways to set it.

Excerpt:

The default umask can be set to use the pam_umask module or in a System Wide Shell Configuration File. The user creating the directories or files has the discretion of changing the permissions via the chmod command, or choosing a different default umask by adding the umask command into a User Shell Configuration File, ( .bash_profile or .bashrc), in their home directory.

I am taking a look at this. We have chosen to carry out the control for the script and not via the pam.d configuration.

It appears that, like a lot of scanners, they don't always align with how the benchmark is written, or are sometimes a lot more brittle, checking for things in a certain way when other ways will also work, e.g.

value=1
value = 1

Happy to go through this further if required.

Many thanks

uk-bolly