diff --git a/debian/control b/debian/control
index 571050a..2e633aa 100644
--- a/debian/control
+++ b/debian/control
@@ -14,7 +14,7 @@ Rules-Requires-Root: no
 
 Package: security-misc
 Architecture: all
-Depends: python3, libglib2.0-bin, libpam-runtime, sudo, adduser, libcap2-bin,
+Depends: python3, libglib2.0-bin, libpam-runtime, libpam-umask, sudo, adduser, libcap2-bin,
  apparmor-profile-dist, helper-scripts, libpam-modules-bin,
  secure-delete, dmsetup, ${misc:Depends}
 Replaces: tcp-timestamps-disable, anon-gpg-tweaks, swappiness-lowest
diff --git a/usr/share/pam-configs/umask-security-misc b/usr/share/pam-configs/umask-security-misc
new file mode 100644
index 0000000..6dfe387
--- /dev/null
+++ b/usr/share/pam-configs/umask-security-misc
@@ -0,0 +1,7 @@
+Name: Restrict umask to 027 (by package security-misc)
+Default: yes
+Priority: 100
+Session-Type: Additional
+Session-Interactive-Only: yes
+Session:
+	optional	pam_umask.so umask=027