To set the default umask to 0027

Purpose

To align with OS-hardening best practices, as defined by the Center for Information Security, or CIS, you can change the default login umask on a RHEL OS instance that hosts a CLM deployer host, CLM cluster node, or CLM entity deployed outside the CLM cluster, to restrict file and directory access for non-root users.

Perform this procedure to set the default login umask on a RHEL OS instance to 0027.

CAUTION 

Misconfiguration Risk

Performing the procedure on a CLM station running CLM Release 22.11 or earlier may have undesirable effects that include restricted system access.

You must perform the procedure only on a CLM Release 23.4 or later station.

Steps
 

Log in as the root user on the station.


Open a console window.


Back up the following files to a secure location on a station outside the management network for safekeeping:

  • /etc/bashrc

  • /etc/csh.cshrc

  • /etc/login.defs

  • /etc/profile


Enter the following:

sed -i 's/^\([[:space:]]*\)\(umask\|UMASK\)[[:space:]][[:space:]]*[0-9][0-9][0-9]/\1\2 027/' /etc/bashrc /etc/csh.cshrc /etc/login.defs /etc/profile ↵


Log out.


Log in as the root user.


Enter the following:

umask ↵

The current umask value is displayed.


Verify that the umask value is 0027.


Close the console window.

End of steps
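
The following added example is not part of the original procedure. It rehearses the sed substitution from the steps above on constructed sample files in a scratch directory, then audits the result and reports any active umask line that did not end up as 027. The function names and sample file contents are assumptions. The third sample shows that a four-digit value such as 0022 is rewritten to 0272, which the audit flags for manual correction.

```shell
#!/bin/sh
# Added example: rehearse the procedure's sed on constructed copies, then audit.

# Substitution from the procedure, unchanged (GNU sed, as shipped with RHEL).
SED_EXPR='s/^\([[:space:]]*\)\(umask\|UMASK\)[[:space:]][[:space:]]*[0-9][0-9][0-9]/\1\2 027/'

# apply_fix FILE...: run the procedure's edit in place on the given files.
apply_fix() {
    sed -i "$SED_EXPR" "$@"
}

# audit_umask FILE: list active (uncommented) umask/UMASK lines whose value
# is not 027 or 0027. Returns 0 if none are found, 1 otherwise.
audit_umask() {
    bad=$(grep -nE '^[[:space:]]*(umask|UMASK)[[:space:]]+[0-9]+' "$1" |
          grep -vE '(umask|UMASK)[[:space:]]+0?027([^0-9]|$)' || true)
    if [ -z "$bad" ]; then
        return 0
    fi
    printf '%s: unexpected umask line(s):\n%s\n' "$1" "$bad"
    return 1
}

# make_samples DIR: write constructed sample files (not from a real station).
make_samples() {
    printf 'if [ $UID -gt 199 ]; then\n    umask 002\nelse\n    umask 022\nfi\n' > "$1/bashrc"
    printf '# umask 022 in a comment stays untouched\nUMASK\t\t022\n' > "$1/login.defs"
    printf 'umask 0022\n' > "$1/site_custom"   # constructed four-digit edge case
}

# Rehearsal in a scratch directory; the live files under /etc are never touched.
scratch=$(mktemp -d)
make_samples "$scratch"
apply_fix "$scratch"/bashrc "$scratch"/login.defs "$scratch"/site_custom
for f in "$scratch"/*; do
    audit_umask "$f" || echo "  -> edit $f by hand"
done
rm -rf "$scratch"
```

After the real procedure, `audit_umask` can be pointed at /etc/bashrc, /etc/csh.cshrc, /etc/login.defs and /etc/profile to confirm that no active line was missed before logging out.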