35 lines
1.3 KiB
Diff
From cb299dd0ce870d55cb530bc5e5ad9a9f52734bf4 Mon Sep 17 00:00:00 2001
From: Watson Sato <wsato@redhat.com>
Date: Tue, 19 Jan 2021 09:42:26 +0100
Subject: [PATCH] Add metadata to ANSSI R35
Current implementation cannot differentiate between system and
standard user umask, they are both set to the same value.
---
controls/anssi.yml | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/controls/anssi.yml b/controls/anssi.yml
index dec9d68c99..621996e985 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -572,10 +572,18 @@ controls:
only be read by the user and his group, and be editable only by his owner).
The umask for users must be set to 0077 (any file created by a user is
readable and editable only by him).
+ notes: >-
+ There is no simple way to check and remediate different umask values for
+ system and standard users reliably.
+ The different values are set in a conditional clause in a shell script
+ (e.g. /etc/profile or /etc/bashrc).
+ The current implementation checks and fixes both umask to the same value.
+ automated: partially
rules:
- var_accounts_user_umask=077
- accounts_umask_etc_login_defs
- accounts_umask_etc_profile
+ - accounts_umask_etc_bashrc
 
- id: R36
title: Rights to access sensitive content files
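Review bot: the new `notes` block should state which single value the combined check enforces and that it is stricter than what the control text asks of system users. The context at lines 53 and 56 distinguishes a group-readable system umask from the 0077 user umask, while the rule list keeps `- var_accounts_user_umask=077` and now applies it through `accounts_umask_etc_profile` and the added `accounts_umask_etc_bashrc`, so both classes of users end up at 0077; an assessor reading `automated: partially` cannot tell from the notes whether the unmet part is the system value or the user value. Suggest adding a sentence such as `+ Both are currently set to 0077, which is stricter than the value required for system users.` Minor grammar in `+ The current implementation checks and fixes both umask to the same value.`: `both umasks`.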