← Rules Catalog
mediumaccess-controlverified rollback-safe

Ensure root user umask is configured

root-umask · RHEL ≥ 8 · 1 impl

Description

The root user's umask should be set to 027 or more restrictive to ensure files created by root are not world-readable by default.

Rationale

A restrictive umask for root prevents sensitive configuration files or logs from being accidentally created with permissive access.

Check → Remediate

Checkcommand
# Check root's effective umask from profile files
umask_val=$(grep -E '^\s*umask\s+[0-7]+' /root/.bashrc /root/.bash_profile /etc/profile /etc/bashrc 2>/dev/null | tail -1 | grep -oE '[0-7]+$')
if [ -z "$umask_val" ]; then
  echo "FAIL: No umask configured for root"
  exit 1
fi
# Pad to 3 digits if needed
while [ ${#umask_val} -lt 3 ]; do umask_val="0${umask_val}"; done
# Per-digit comparison: each digit must be >= the corresponding digit in 027
u_digit=$(echo "$umask_val" | cut -c1)
g_digit=$(echo "$umask_val" | cut -c2)
o_digit=$(echo "$umask_val" | cut -c3)
if [ "$u_digit" -lt 0 ] || [ "$g_digit" -lt 2 ] || [ "$o_digit" -lt 7 ]; then
  echo "FAIL: Root umask ($umask_val) is less restrictive than 027"
  exit 1
fi
echo "OK: Root umask is $umask_val"
exit 0
expected_exit:
0
Remediateconfig_set
path:
/root/.bashrc
key:
umask
value:
027
separator:

Framework references

CIS

rhel9 5.4.2.6rhel10 5.4.2.6rhel8 5.4.2.6

NIST 800-53

AC-6CM-6

Live verification

rhel10:checkrhel8:checkrhel9:check
#root#umask#permissions#security