To set the default umask to 0027

Purpose

To align with OS-hardening best practices defined by the Center for Information Security (CIS), you can change the default login umask on a RHEL OS instance that hosts an NSP deployer host, an NSP cluster node, or an NSP component deployed outside the NSP cluster. The change restricts file and directory access for non-root users.

Perform this procedure to set the default login umask on an NSP RHEL OS instance to 0027.

CAUTION 

Misconfiguration Risk

Performing the procedure on an NSP station running NSP Release 22.11 or earlier may have undesirable effects that include restricted system access.

You must perform the procedure only on an NSP Release 23.4 or later station.

Steps
 

Log in as the root user on the station.


Open a console window.


Back up the following files to a secure location on a station outside the management network for safekeeping:

  • /etc/bashrc

  • /etc/csh.cshrc

  • /etc/login.defs

  • /etc/profile


Enter the following:

sed -i 's/^\([[:space:]]*\)\(umask\|UMASK\)[[:space:]][[:space:]]*[0-9][0-9][0-9]/\1\2 027/' /etc/bashrc /etc/csh.cshrc /etc/login.defs /etc/profile ↵


Log out.


Log in as the root user.


Enter the following:

umask ↵

The current umask value is displayed.


Verify that the umask value is 0027.


Close the console window.

End of steps
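
An added check to complement the verification step (example code, not part of the NSP documentation): the `umask` command in the steps reports only the current root login shell, so this script audits the edited files directly and lists any active umask/UMASK line that is not 027. The sample files and their contents are constructed, and `local.sh` is a hypothetical file; the last sample shows that a hand-set four-digit value such as 0022 is rewritten by the three-digit pattern to 0272, which the audit flags.

```shell
#!/bin/sh
# Added example: not part of the NSP documentation.

# The sed command from the procedure, applied to the files passed as arguments.
apply_umask_027() {
    sed -i 's/^\([[:space:]]*\)\(umask\|UMASK\)[[:space:]][[:space:]]*[0-9][0-9][0-9]/\1\2 027/' "$@"
}

# Print each active (uncommented) umask/UMASK line whose value is not 027 or 0027.
# Returns 0 if every setting complies, 1 if any does not.
audit_umask() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*(umask|UMASK)[ \t]/ {
            if ($2 != "027" && $2 != "0027") {
                printf "%s:%d: %s\n", FILENAME, FNR, $0
                bad = 1
            }
        }
        END { exit bad }
    ' "$@"
}

# Constructed sample files (hypothetical contents, not copies of real RHEL files).
demo_dir=$(mktemp -d)
printf '# umask 022 in a comment is ignored\nif [ $UID -gt 199 ]; then\n    umask 002\nelse\n    umask 022\nfi\n' > "$demo_dir/bashrc"
printf 'UMASK\t\t022\n' > "$demo_dir/login.defs"
printf 'umask 0022\n' > "$demo_dir/local.sh"   # four-digit value set by hand

apply_umask_027 "$demo_dir/bashrc" "$demo_dir/login.defs" "$demo_dir/local.sh"

if audit_umask "$demo_dir/bashrc" "$demo_dir/login.defs" "$demo_dir/local.sh"; then
    echo "all umask settings are 027"
else
    echo "settings listed above need manual correction"
fi
rm -rf "$demo_dir"
```

On a live station, run `audit_umask` against /etc/bashrc, /etc/csh.cshrc, /etc/login.defs and /etc/profile after the sed step; it only reads the files.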