Merge pull request dev-sec#351 from sprat/fix-umask

make the os_env_umask variable usable

roles/os_hardening/README.md

@@ -86,8 +86,8 @@ We know that this is the case on Raspberry Pi.
   - Default: `[]`
   - Description: add additional paths to the user's `PATH` variable (default is empty).
 - `os_env_umask`
-  - Default: `027`
-  - Description: set default permissions for new files to `750`
+  - Default: `027` or `077` depending on the platform.
+  - Description: set default permissions for new files to `750` or `700`.
 - `os_auth_pw_max_age`
   - Default: `60`
   - Description: maximum password age (set to `99999` to effectively disable it)

roles/os_hardening/defaults/main.yml

@@ -271,6 +271,9 @@ os_filesystem_whitelist: []
 # the Ansible role dependency mechanism.
 os_hardening_enabled: true
 
+# Set the umask you want to apply, or leave empty to use the defaults.
+os_env_umask: ''
+
 # Set to false to disable installing and configuring auditd.
 os_auditd_enabled: true
 os_auditd_max_log_file_action: keep_logs

roles/os_hardening/templates/etc/login.defs.j2

@@ -92,7 +92,7 @@ KILLCHAR          025
 # Prefix these values with `0` to get octal, `0x` to get hexadecimal.
 # `022` is the "historical" value in Debian for UMASK
 # `027`, or even `077`, could be considered better for privacy.
-UMASK             {{ os_env_umask }}
+UMASK             {{ os_env_umask | default(os_env_umask_default, true) }}
 
 # Enable setting of the umask group bits to be the same as owner bits (examples: `022` -> `002`, `077` -> `007`) for non-root users, if the uid is the same as gid, and username is the same as the primary group name.
 # If set to yes, userdel will remove the user´s group if it contains no more members, and useradd will create by default a group with the name of the user.

roles/os_hardening/vars/Archlinux.yml

@@ -12,7 +12,7 @@ os_passwd_perms:
   group: root
   mode: '0644'
 
-os_env_umask: '027'
+os_env_umask_default: '027'
 
 os_auth_uid_min: 1000
 os_auth_gid_min: 1000

roles/os_hardening/vars/Debian.yml

@@ -18,7 +18,7 @@ os_passwd_perms:
   group: root
   mode: '0644'
 
-os_env_umask: '027'
+os_env_umask_default: '027'
 
 os_auth_uid_min: 1000
 os_auth_gid_min: 1000

roles/os_hardening/vars/Fedora.yml

@@ -18,7 +18,7 @@ os_passwd_perms:
   group: root
   mode: '0644'
 
-os_env_umask: '027'
+os_env_umask_default: '027'
 
 os_auth_uid_min: 1000
 os_auth_gid_min: 1000

roles/os_hardening/vars/Oracle Linux.yml

@@ -18,7 +18,7 @@ os_passwd_perms:
   group: root
   mode: '0644'
 
-os_env_umask: '077'
+os_env_umask_default: '077'
 
 os_auth_uid_min: 1000
 os_auth_gid_min: 1000

roles/os_hardening/vars/RedHat.yml

@@ -18,7 +18,7 @@ os_passwd_perms:
   group: root
   mode: '0644'
 
-os_env_umask: '077'
+os_env_umask_default: '077'
 
 os_auth_uid_min: 1000
 os_auth_gid_min: 1000

roles/os_hardening/vars/Suse.yml

@@ -18,7 +18,7 @@ os_passwd_perms:
   group: root
   mode: '0644'
 
-os_env_umask: '027'
+os_env_umask_default: '027'
 
 os_auth_uid_min: 1000
 os_auth_gid_min: 1000