mediumaccess-controlverified ✓rollback-safe
Ensure root user umask is configured
root-umask · RHEL ≥ 8 · 1 impl
Description
The root user's umask should be set to 027 or more restrictive to ensure files created by root are not world-readable by default.
Rationale
A restrictive umask for root prevents sensitive configuration files or logs from being accidentally created with permissive access.
Check → Remediate
Checkcommand
# Check root's effective umask from profile files
umask_val=$(grep -E '^\s*umask\s+[0-7]+' /root/.bashrc /root/.bash_profile /etc/profile /etc/bashrc 2>/dev/null | tail -1 | grep -oE '[0-7]+$')
if [ -z "$umask_val" ]; then
echo "FAIL: No umask configured for root"
exit 1
fi
# Pad to 3 digits if needed
while [ ${#umask_val} -lt 3 ]; do umask_val="0${umask_val}"; done
# Per-digit comparison: each digit must be >= the corresponding digit in 027
u_digit=$(echo "$umask_val" | cut -c1)
g_digit=$(echo "$umask_val" | cut -c2)
o_digit=$(echo "$umask_val" | cut -c3)
if [ "$u_digit" -lt 0 ] || [ "$g_digit" -lt 2 ] || [ "$o_digit" -lt 7 ]; then
echo "FAIL: Root umask ($umask_val) is less restrictive than 027"
exit 1
fi
echo "OK: Root umask is $umask_val"
exit 0
- expected_exit:
- 0
Remediateconfig_set
- path:
- /root/.bashrc
- key:
- umask
- value:
- 027
- separator:
Framework references
CIS
rhel9 5.4.2.6rhel10 5.4.2.6rhel8 5.4.2.6
NIST 800-53
AC-6CM-6
Live verification
rhel10:checkrhel8:checkrhel9:check
#root#umask#permissions#security