diff --git a/components/bash.yml b/components/bash.yml
index 9aac203b60d..f47e7db605c 100644
--- a/components/bash.yml
+++ b/components/bash.yml
@@ -3,3 +3,4 @@ packages: - bash rules: - accounts_umask_etc_bashrc +- accounts_umask_root
diff --git a/components/pam.yml b/components/pam.yml
index 18c646618bd..c9402fce8c3 100644
--- a/components/pam.yml
+++ b/components/pam.yml
@@ -92,6 +92,7 @@ rules: - accounts_umask_etc_login_defs - accounts_umask_etc_profile - accounts_umask_interactive_users +- accounts_umask_root - accounts_user_dot_group_ownership - accounts_user_dot_no_world_writable_programs - accounts_user_dot_user_ownership
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index 6789367a0a1..eb170820541 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -2167,8 +2167,9 @@ controls: levels: - l1_server - l1_workstation - status: planned - notes: TODO. Rule does not seem to be implemented, nor does it map to any rules in ubuntu2204 profile. + rules: + - accounts_umask_root + status: automated - id: 5.4.2.7 title: Ensure system accounts do not have a valid login shell (Automated)
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/bash/shared.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/bash/shared.sh
new file mode 100644
index 00000000000..2e428131e18
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/bash/shared.sh
@@ -0,0 +1,3 @@
+# platform = multi_platform_all
+
+sed -i -E -e "s/^([^#]*\bumask)[[:space:]]+[[:digit:]]+/\1 0027/g" /root/.bashrc /root/.profile
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/oval/shared.xml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/oval/shared.xml
new file mode 100644
index 00000000000..01a2608bc6f
--- /dev/null
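Review bot: The `sed -i` remediation rewrites every numeric umask to 0027, including values the check already accepts as stricter (strict.pass.sh passes with `umask 0777`), so running it on a hardened host loosens root's umask. It also edits /root/.bashrc and /root/.profile unconditionally under `platform = multi_platform_all`, and GNU sed -i reports an error and a non-zero status when one of the named files is absent, which I'd expect for /root/.profile on distributions whose root skeleton only ships .bash_profile and .bashrc. I would loop over the files that exist and only rewrite values that are more permissive than 0027 (a group digit that leaves the write bit unmasked, or an "other" digit below 7), leaving compliant and stricter lines untouched; the `g` flag is redundant with the `^` anchor.
```shell
# platform = multi_platform_all

for f in /root/.bashrc /root/.profile; do
    [ -f "$f" ] || continue
    # Only rewrite values more permissive than 0027: a group digit that leaves
    # the write bit unmasked (0,1,4,5) or an "other" digit below 7. Compliant
    # and stricter values (e.g. 0077) are left as they are.
    sed -i -E -e 's/^([^#]*\bumask)[[:space:]]+[0-7]?([0-7][0145][0-7]|[0-7][0-7][0-6])\b/\1 0027/' "$f"
done
```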
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/oval/shared.xml
@@ -0,0 +1,21 @@ + + + {{{ oval_metadata("The umask for root user of the bash shell") }}} + + + + + + + ^(/root/.bashrc|/root/.profile)$ + ^[^#]*\bumask\s+[0-7]?[0-7]([0-1][0-7]|[0-7][0-6])\s*$ + 1 + + + + + + +
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/rule.yml b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/rule.yml
new file mode 100644
index 00000000000..cf4a34d68f4
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/rule.yml
@@ -0,0 +1,18 @@
+documentation_complete: true
+
+title: 'Ensure the Root Bash Umask is Set Correctly'
+
+description: |-
+ To ensure the root user's umask of the Bash shell is set properly,
+ add or correct the umask setting in /root/.bashrc
+ or /root/.bashrc to read as follows:
+
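Review bot: The non-compliance pattern `^[^#]*\bumask\s+[0-7]?[0-7]([0-1][0-7]|[0-7][0-6])\s*$` misses two permissive shapes. A group digit of 4 or 5 leaves the group write bit unmasked (`umask 0047` yields group-writable files) but only 0 and 1 are caught, so the first alternative should read `[0145][0-7]`; and the trailing `\s*$` means a lenient value followed by an inline comment, `umask 022 # default`, never matches, which `\s*(#.*)?$` would cover. Symbolic forms such as `umask u=rwx,g=rx,o=` are not evaluated at all; if that is deliberate, a comment next to the pattern saying so would save the next reader a trip to the benchmark. The surrounding test and criterion elements are not visible in this rendering, so I am assuming the test is negated (pass when no line matches), which is what the missing.pass.sh scenario implies.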
umask 0027
+
+rationale: |-
+ The umask value influences the permissions assigned to files when they are created.
+ A misconfigured umask value could result in files with excessive permissions that can be read or
+ written to by unauthorized users.
+
+severity: medium
+
+platform: package[bash]
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/commented.pass.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/commented.pass.sh
new file mode 100644
index 00000000000..91faf04839a
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/commented.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+sed '/umask/d' -i /root/.bashrc /root/.profile
+echo "# umask 0022" >> /root/.bashrc
+
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/correct_bashrc.pass.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/correct_bashrc.pass.sh
new file mode 100644
index 00000000000..29026a5f21f
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/correct_bashrc.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+sed '/umask/d' -i /root/.bashrc /root/.profile
+echo "umask 0027" >> /root/.bashrc
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/correct_profile.pass.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/correct_profile.pass.sh
new file mode 100644
index 00000000000..620dbc9c4d4
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/correct_profile.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+sed '/umask/d' -i /root/.bashrc /root/.profile
+echo "umask 0027" >> /root/.profile
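Review bot: The description names /root/.bashrc twice (`add or correct the umask setting in /root/.bashrc or /root/.bashrc`); the second should be /root/.profile, the other file the OVAL check and the remediation touch. It also tells the reader the line must read `umask 0027`, whereas the check accepts anything at least that restrictive (strict.pass.sh passes with 0777), so `to 0027 or a more restrictive value` would state the actual contract. Since this rule is mapped to CIS 5.4.2.6 in cis_ubuntu2404.yml in the same commit, a one-line note explaining why only .bashrc and .profile are examined would help a maintainer who expects /root/.bash_profile to be covered as well — I cannot confirm the benchmark's file list from here.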
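Review bot: `sed '/umask/d' -i /root/.bashrc /root/.profile` assumes both files exist; the rule targets every platform and GNU sed exits non-zero when a file it is asked to edit in place is missing, so on a test image whose root skeleton lacks /root/.profile the scenario fails during setup rather than testing anything. Adding `touch /root/.bashrc /root/.profile` before the sed, here and in the sibling scenarios, makes the setup deterministic. A one-line comment such as `# A commented-out umask must not count as a setting` would also make the scenario's intent explicit.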
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/lenient.fail.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/lenient.fail.sh
new file mode 100644
index 00000000000..ccc049a4d76
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/lenient.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+sed '/umask/d' -i /root/.bashrc /root/.profile
+echo "umask 0022" >> /root/.profile
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/lenient2.fail.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/lenient2.fail.sh
new file mode 100644
index 00000000000..50fab84e3c7
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/lenient2.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+sed '/umask/d' -i /root/.bashrc /root/.profile
+echo "umask 0017" >> /root/.profile
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/lenient_bashrc_correct_profile.fail.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/lenient_bashrc_correct_profile.fail.sh
new file mode 100644
index 00000000000..365ba205150
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/lenient_bashrc_correct_profile.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+sed '/umask/d' -i /root/.bashrc /root/.profile
+echo "umask 0000" >> /root/.bashrc
+echo "umask 0027" >> /root/.profile
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/lenient_threedigit.fail.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/lenient_threedigit.fail.sh
new file mode 100644
index 00000000000..1278e99d4d9
--- /dev/null
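Review bot: The fail scenarios cover group digits 0, 1 and 2 (`0022`, `0017`, `0000`, `022`) but none exercises a group digit of 4 or 5, e.g. `umask 0047`, which also leaves the group write bit unmasked, nor a lenient value followed by an inline comment, `umask 022 # set by admin`. Both are realistic shapes in a root dotfile and the OVAL pattern added in this commit (`([0-1][0-7]|[0-7][0-6])\s*$`) accepts both, so a `lenient_group_write.fail.sh` and a `lenient_trailing_comment.fail.sh` would pin the intended coverage and expose the gap. A one-line comment in each scenario naming the bit it probes, such as `# other digit 7 but group write bit unmasked` here, would also help.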
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/lenient_threedigit.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+sed '/umask/d' -i /root/.bashrc /root/.profile
+echo "umask 022" >> /root/.profile
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/missing.pass.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/missing.pass.sh
new file mode 100644
index 00000000000..23af6a9487e
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/missing.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+sed '/umask/d' -i /root/.bashrc /root/.profile
+
diff --git a/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/strict.pass.sh b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/strict.pass.sh
new file mode 100644
index 00000000000..916ea2ed59d
--- /dev/null
+++ b/linux_os/guide/system/accounts/accounts-session/user_umask/accounts_umask_root/tests/strict.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+sed '/umask/d' -i /root/.bashrc /root/.profile
+echo "umask 0777" >> /root/.profile