From 5e739c36c3d2f829b8a832ac54c5ca1c20e84779 Mon Sep 17 00:00:00 2001 From: tommytran732 Date: Wed, 17 Aug 2022 05:49:41 -0400 Subject: [PATCH] Umask 077 Signed-off-by: tommytran732 --- content/os/Linux-Desktop-Hardening.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/content/os/Linux-Desktop-Hardening.md b/content/os/Linux-Desktop-Hardening.md index 00a8efb..bd5e34c 100644 --- a/content/os/Linux-Desktop-Hardening.md +++ b/content/os/Linux-Desktop-Hardening.md @@ -152,6 +152,13 @@ Another option is [Kata containers](https://katacontainers.io/), where virtual m ![opensuse-computer.jpg](/images/opensuse-computer.jpg) +### Umask 077 +If you are not using openSUSE, consider changing the default [umask](https://en.wikipedia.org/wiki/Umask) for both regular user accounts and root to 077. Changing umask to 077 can break snapper on openSUSE and is **not** recommended. + +The configuration for this varies per distribution, but typically it can be set in `/etc/profile`, `/etc/bashrc`, or `/etc/login.defs`. + +Note that unlike on macOS, this will only change the umask for the shell. Files created by running applications will not have their permissions set to 700. + ### Firewalls A [firewall](https://en.wikipedia.org/wiki/Firewall_(computing)) may be used to secure connections to your system. 
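Review bot: the last added paragraph of the new "Umask 077" section is inaccurate where it says files created by applications "will not have their permissions set to 700": a umask of 077 never yields 700 for regular files in the first place, since files are created from a 0666 base and end up 600; only directories (0777 base) end up 700. Suggest "will not get 600/700 permissions" or simply "will not be affected". The preceding sentence "this will only change the umask for the shell" is also too narrow, because the umask is inherited by every process started from that shell; what is not covered is programs launched by the desktop session or display manager rather than from a login shell, and saying so would make the macOS comparison land. Two smaller points in the first paragraph: "Changing umask to 077 can break snapper on openSUSE and is **not** recommended." reads as if umask 077 itself were discouraged, so it should say "is **not** recommended on openSUSE"; and since `/etc/login.defs` is listed as a place to set it, it is worth adding that the `UMASK` value there is only applied to login sessions when `pam_umask` is in the PAM stack, which varies per distribution.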
@@ -238,10 +245,6 @@ The [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc) f If you are using Whonix, Kicksecure or the AUR package, consider setting up `LD_PRELOAD` as described in the [Kicksecure Documentation](https://www.kicksecure.com/wiki/Hardened_Malloc) or [Arch Wiki](https://wiki.archlinux.org/title/Security#Hardened_malloc). -### Strict UMASK - -If you are not using openSUSE, consider changing the default [umask](https://en.wikipedia.org/wiki/Umask) for both regular user accounts and root to 077. Changing umask to 077 can break snapper on openSUSE and is **not** recommended. - ### Mountpoint Hardening Consider adding the [following options](https://man7.org/linux/man-pages/man8/mount.8.html) `nodev`, `noexec`, and `nosuid` to mountpoints which do not need them. Typically, these could be applied to `/boot`, `/boot/efi`, and `/var`.
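Review bot: this hunk removes the old "### Strict UMASK" section, whose text is identical to the first paragraph re-added under "### Umask 077" in the earlier hunk, so the change is a move plus rename rather than a deletion; the commit message should say so. Because the heading changes from "Strict UMASK" to "Umask 077", any existing fragment links to `#strict-umask` elsewhere in the repository or the published site will break, so please grep for the old anchor (and consider keeping the original heading if it is linked) before merging.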