To set the default umask to 0027

Purpose

To align with OS-hardening best practices, as defined by the Center for Information Security, or CIS, you can change the default login umask on a RHEL OS instance that hosts an NSP deployer host, NSP cluster node, or NSP component deployed outside the NSP cluster, to restrict file and directory access for non-root users.

Perform this procedure to set the default login umask on an NSP RHEL OS instance to 0027.

CAUTION

Misconfiguration Risk

Performing the procedure on a RHEL OS that hosts NSP Release 22.11 or earlier software may have undesirable effects that include restricted system access.

You must perform the procedure only on a RHEL OS instance that hosts Release 23.4 or later NSP software.

Steps


1	Log in as the root user on the station that hosts the OS.
2	Open a console window.
3	Back up the following files to a secure location on a station outside the management network for safekeeping: /etc/bashrc /etc/profile /etc/login.defs
4	Enter the following: `#` `sed -i 's/^\([[:space:]]\)\(umask\\|UMASK\)[[:space:]][[:space:]][0-9][0-9][0-9]/\1\2 027/' /etc/bashrc /etc/profile /etc/login.defs ↵`
5	Log out.
6	Log in as the root user.
7	Enter the following: `#` `umask ↵` The current umask value is displayed.
8	Verify that the umask value is 0027.
9	Close the console window. End of steps