To set the default umask to 0027

Purpose

To align with OS-hardening best practices, as defined by the Center for Information Security, or CIS, you can change the default login umask on a RHEL OS instance that hosts a CLM deployer host, CLM cluster node, or CLM entity deployed outside the CLM cluster, to restrict file and directory access for non-root users.

Perform this procedure to set the default login umask on a RHEL OS instance to 0027.

CAUTION

Misconfiguration Risk

Performing the procedure on a CLM station running CLM Release 22.11 or earlier may have undesirable effects that include restricted system access.

You must perform the procedure only on a CLM Release 23.4 or later station.

Steps


1	Log in as the root user on the station.
2	Open a console window.
3	Back up the following files to a secure location on a station outside the management network for safekeeping: /etc/bashrc /etc/csh.cshrc /etc/login.defs /etc/profile
4	Enter the following: `#` `sed -i 's/^\([[:space:]]\)\(umask\\|UMASK\)[[:space:]][[:space:]][0-9][0-9][0-9]/\1\2 027/' /etc/bashrc /etc/csh.cshrc /etc/login.defs /etc/profile ↵`
5	Log out.
6	Log in as the root user.
7	Enter the following: `#` `umask ↵` The current umask value is displayed.
8	Verify that the umask value is 0027.
9	Close the console window. End of steps