To set the default umask to 0027

Purpose

To align with OS-hardening best practices, as defined by the Center for Information Security, or CIS, you can change the default login umask on an NSP component station to restrict file and directory access for non-root users.

Perform this procedure to set the default login umask on an NSP station to 0027.

CAUTION 

Misconfiguration Risk

Performing the procedure on an NSP station running NSP Release 22.11 or earlier may have undesirable effects that include restricted system access.

You must perform the procedure only on an NSP Release 23.4 or later station.

Steps
 

Log in as the root user on the station that hosts the OS.


Open a console window.


Back up the following files to a secure location on a station outside the management network for safekeeping:

  • /etc/bashrc

  • /etc/profile

  • /etc/login.defs


Enter the following:

sed -i 's/^\([[:space:]]*\)\(umask\|UMASK\)[[:space:]][[:space:]]*[0-9][0-9][0-9]/\1\2 027/' /etc/bashrc /etc/profile /etc/login.defs ↵


Log out.


Log in as the root user.


Enter the following:

umask ↵

The current umask value is displayed.


Verify that the umask value is 0027.


Close the console window.

End of steps
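
The sed command in the procedure replaces exactly three digits after each active umask or UMASK directive, so a check that every directive in the three files now reads 027 catches any line that started in another form. The following shell script is an added example, not part of the NSP documentation; the function names audit_umask and demo and the sample file contents are constructed for illustration, and it assumes GNU sed, as the procedure's own command does.

```shell
#!/bin/sh
# Added example, not part of the NSP documentation.

# Print each active umask/UMASK directive whose value is not 027 or 0027,
# as file:line:text. Returns 1 if any such line exists, otherwise 0.
audit_umask() {
    awk '
        /^[ \t]*(umask|UMASK)[ \t]+[0-9]/ {
            if ($2 != "027" && $2 != "0027") {
                printf "%s:%d:%s\n", FILENAME, FNR, $0
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$@"
}

# Run the procedure's sed command on constructed copies of the three files,
# then audit the result. The four-digit value in the sample profile is a
# constructed edge case: the pattern consumes only three digits of it.
demo() {
    dir=$(mktemp -d) || return 2
    printf '    umask 002\n    umask 022\n' > "$dir/bashrc"
    printf '# umask 022 in a comment\numask 0022\n' > "$dir/profile"
    printf 'UMASK\t\t022\n' > "$dir/login.defs"
    sed -i 's/^\([[:space:]]*\)\(umask\|UMASK\)[[:space:]][[:space:]]*[0-9][0-9][0-9]/\1\2 027/' \
        "$dir/bashrc" "$dir/profile" "$dir/login.defs"
    rc=0
    audit_umask "$dir/bashrc" "$dir/profile" "$dir/login.defs" || rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo || echo "lines listed above need manual correction"
```

On the station, run audit_umask /etc/bashrc /etc/profile /etc/login.defs after the sed step; no output and an exit status of 0 mean every active directive is 027.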