ansible-lockdown / RHEL9-CIS

Ansible role for Red Hat 9 CIS Baseline
https://ansible-lockdown.readthedocs.io
MIT License

5.6.5 rule does not treat the CIS expectation regarding `/etc/pam.d/{system-auth | password-auth}` files #162

Open ipruteanu-sie opened 7 months ago

ipruteanu-sie commented 7 months ago

Describe the Issue: 5.6.5 Ensure default user umask is 027 or more restrictive rule does not handle the pam section

Expected Behavior: CIS pass

Actual Behavior: CIS failure

Control(s) Affected: 5.6.5

Environment (please complete the following information):

Additional Notes: [screenshot]

Possible Solution: PR will follow

uk-bolly commented 2 months ago

hi @ipruteanu-sie

As always, thank you for the feedback and thank you for raising this. I have gone back through the requirements for this control again and it doesn't mention the pam.d files at all, in either the current live version 1.0.0 for control 5.6.5 or the just released 2.0.0 for control 5.4.3.3 (this is the new ID for the same control). I'm afraid this again looks like a scanner that is not aligned with the written benchmark. We are seeing more and more that scanners are not aligning with benchmarks, especially for CIS.

FYI excerpt from benchmark v1.0.0

The default umask can be set to use the pam_umask module or in a System Wide Shell Configuration File. The user creating the directories or files has the discretion of changing the permissions via the chmod command, or choosing a different default umask by adding the umask command into a User Shell Configuration File, ( .bash_profile or .bashrc), in their home directory.

Setting the default umask:

- pam_umask module:
  - will set the umask according to the system default in /etc/login.defs and user settings, solving the problem of different umask settings with different shells, display managers, remote sessions etc.
  - umask=<mask> value in the /etc/login.defs file is interpreted as Octal
  - Setting USERGROUPS_ENAB to yes in /etc/login.defs (default):
    - will enable setting of the umask group bits to be the same as owner bits (examples: 022 -> 002, 077 -> 007) for non-root users, if the uid is the same as gid, and username is the same as the <primary group name>
    - userdel will remove the user's group if it contains no more members, and useradd will create by default a group with the name of the user
- System Wide Shell Configuration File:
  - /etc/profile - used to set system wide environmental variables on users' shells. The variables are sometimes the same ones that are in the .bash_profile, however this file is used to set an initial PATH or PS1 for all shell users of the system. It is only executed for interactive login shells, or shells executed with the --login parameter.
  - /etc/profile.d - /etc/profile will execute the scripts within /etc/profile.d/*.sh. It is recommended to place your configuration in a shell script within /etc/profile.d to set your own system wide environmental variables.
  - /etc/bashrc - System wide version of .bashrc. In Fedora derived distributions, /etc/bashrc also invokes /etc/profile.d/*.sh if non-login shell, but redirects output to /dev/null if non-interactive. It is only executed for interactive shells or if BASH_ENV is set to /etc/bashrc.
- User Shell Configuration Files:
  - ~/.bash_profile - It is executed to configure your shell before the initial command prompt. It is only read by login shells.
  - ~/.bashrc - It is executed for interactive shells. It is only read by a shell that is both interactive and non-login.

We try to follow what the benchmark actually states (unless we see a bug or are made aware of one, and then we add notes to that effect).

Many thanks

uk-bolly
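The benchmark excerpt above lists three places the default umask can come from (pam_umask, /etc/login.defs and the system-wide shell files), and the issue itself concerns whether the pam.d files are checked. The script below is an added example, not code from the RHEL9-CIS role or from either commenter, that audits all three locations for the 027-or-stricter rule the control states; the file paths are the standard RHEL ones and the function names are my own.

```bash
#!/usr/bin/env bash
# Added example, not part of the RHEL9-CIS role: audit the umask locations the
# benchmark excerpt names (login.defs, pam_umask in pam.d, shell profile files).
# The umask_is_restrictive rule (027 or stricter) is the one stated in the control.

# Return 0 when an octal umask is 027 or more restrictive: the group digit must
# mask write (2, 3, 6 or 7) and the others digit must mask everything (7).
umask_is_restrictive() {
    local m="$1"
    [ "${#m}" -eq 3 ] && m="0$m"          # normalise 027 -> 0027
    case "$m" in
        0[0-7][2367]7) return 0 ;;
        *)             return 1 ;;
    esac
}

# Print the effective UMASK from a login.defs file (last uncommented setting wins).
login_defs_umask() {
    awk '$1 == "UMASK" { v = $2 } END { print v }' "$1"
}

# Return 0 when a pam.d file has an active session line loading pam_umask.so.
pam_umask_present() {
    grep -Eq '^[[:space:]]*session[[:space:]]+[^#[:space:]]+[[:space:]]+pam_umask\.so' "$1"
}

# Print every umask value set in the given shell configuration files that is
# weaker than 027; missing files are skipped silently (grep -s).
weak_shell_umasks() {
    grep -Ehs '^[[:space:]]*umask[[:space:]]+[0-7]+' "$@" \
        | awk '{ print $2 }' \
        | while read -r m; do umask_is_restrictive "$m" || echo "$m"; done
}

# Run the checks against the live system paths; prints findings, returns 1 on any.
audit_umask() {
    local rc=0 m
    m=$(login_defs_umask /etc/login.defs 2>/dev/null)
    umask_is_restrictive "$m" \
        || { echo "login.defs UMASK is '${m:-unset}', want 027 or stricter"; rc=1; }
    pam_umask_present /etc/pam.d/system-auth 2>/dev/null \
        || pam_umask_present /etc/pam.d/password-auth 2>/dev/null \
        || { echo "no active pam_umask.so line in system-auth or password-auth"; rc=1; }
    for m in $(weak_shell_umasks /etc/profile /etc/bashrc /etc/profile.d/*.sh); do
        echo "shell configuration sets weak umask $m"; rc=1
    done
    return "$rc"
}

if [ "${1:-}" = "--audit" ]; then audit_umask; fi
```

Run it as `bash umask-audit.sh --audit` on the host being assessed; a non-zero exit with the printed findings tells you which of the three locations a scanner might be flagging, independently of whether the benchmark text requires the pam.d lines.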