starlingx/config-files
Code Issues Proposed changes
config-files/base-files-config/debian/deb_folder/rules
Rahul Roshan Kachchap 574ac507da Setting a secure umask value 
As part of CIS 5.4.2.6:Ensure root user umask is configured,
We have set umask 027 in both /root/.bash_profile and /root/.bashrc,
which ensures that:
- New files created by the root user will have default permissions
  of 640
- New directories created by the root user will have permissions
  of 750

According to the control, setting umask 027 in these files is a
secure practice and meets the guideline for ensuring that root
user files and directories aren’t excessively permissive.

TestPlan
PASS: build-pkgs -c -p base-files-config
PASS: build-image
PASS: bootstrap
PASS: CIS benchmark SCAN
PASS: Verify umask value for root user
      - Log in as root or switch to root
      - Check the umask value by running command `umask`
      - The output/value should be : 0027
PASS: Verify permissions for a newly created file
      - As the root user, create a new file:
        `touch /root/testfile`
      - The output should show -rw-r----- (640 permissions)
PASS: Verify permissions for a newly created directory
      - As the root user, create a new directory:
        `mkdir /root/testdir`
      - The output should show drwxr-x--- (750 permissions)
PASS: Verify That umask persists across new sessions

Story: 2011295
Task: 51390

Change-Id: I4f50f0a8ea626ccefd1f8e958cb5032fdf362992
Signed-off-by: Rahul Roshan Kachchap <rahulroshan.kachchap@windriver.com>
2025-01-31 00:54:26 -05:00

21 lines
916 B
Makefile
Raw Blame History

#!/usr/bin/make -f
# See debhelper(7) (uncomment to enable)
# output every command that modifies files on the build system.
#export DH_VERBOSE = 1
ROOT := $(CURDIR)/debian/tmp
%:
dh $@
override_dh_install:
install -p -D -m 644 custom.sh ${ROOT}/etc/profile.d/custom.sh
install -p -D -m 644 prompt.sh ${ROOT}/etc/profile.d/prompt.sh
install -p -D -m 644 umask.sh ${ROOT}/etc/profile.d/umask.sh
install -p -D -m 644 cron-cpu-shares.conf ${ROOT}/etc/systemd/system/cron.service.d/cron-cpu-shares.conf
install -p -D -m 644 rsync-cpu-shares.conf ${ROOT}/etc/systemd/system/rsync.service.d/rsync-cpu-shares.conf
install -p -D -m 644 vimrc.local ${ROOT}/etc/vim/vimrc.local
install -p -D -m 644 motd ${ROOT}/usr/share/starlingx/base-files/motd
install -p -D -m 644 profile ${ROOT}/usr/share/starlingx/base-files/profile
dh_install
View Git Blame Copy Permalink