diff --git a/cdist/conf/type/__acl/explorer/acl_is b/cdist/conf/type/__acl/explorer/acl_is index 4dc98c51..e2ae0932 100755 --- a/cdist/conf/type/__acl/explorer/acl_is +++ b/cdist/conf/type/__acl/explorer/acl_is @@ -19,5 +19,8 @@ # if [ -e "/$__object_id" ] -then getfacl "/$__object_id" | grep -E '^((default:|)(user|group)):[a-z]' || true +then + getfacl "/$__object_id" 2>/dev/null \ + | grep -E '^((default:)?(user|group):[^:]|(default:)?mask::)' \ + || true fi diff --git a/cdist/conf/type/__acl/gencode-remote b/cdist/conf/type/__acl/gencode-remote index a59d49e0..8ab7b566 100755 --- a/cdist/conf/type/__acl/gencode-remote +++ b/cdist/conf/type/__acl/gencode-remote @@ -37,13 +37,24 @@ do then echo "default:$parameter:$l" fi done < "$__object/parameter/$parameter" -done )" +done +if [ -f "$__object/parameter/mask" ] +then + l=$( cat "$__object/parameter/mask" ) + + echo "mask::$l" + + if [ -f "$__object/parameter/default" ] + then echo "default:mask::$l" + fi +fi +)" setfacl_exec='setfacl' if [ -f "$__object/parameter/recursive" ] then - if echo "$os" | grep -E 'macosx|netbsd|freebsd|openbsd' + if echo "$os" | grep -Eq 'macosx|netbsd|freebsd|openbsd' then echo "$os setfacl do not support recursive operations" >&2 else @@ -53,7 +64,7 @@ fi if [ -f "$__object/parameter/remove" ] then - if echo "$os" | grep 'solaris' + if echo "$os" | grep -Fq 'solaris' then # Solaris setfacl behaves differently. # We will not support Solaris for now, because no way to test it. diff --git a/cdist/conf/type/__acl/man.rst b/cdist/conf/type/__acl/man.rst index 39db4d75..c10ee1a0 100644 --- a/cdist/conf/type/__acl/man.rst +++ b/cdist/conf/type/__acl/man.rst @@ -13,6 +13,12 @@ ACL must be defined as 3-symbol combination, using `r`, `w`, `x` and `-`. See setfacl(1) and acl(5) for more details. +OPTIONAL PARAMETERS +------------------- +mask + Add mask ACL entry. + + OPTIONAL MULTIPLE PARAMETERS ---------------------------- user 
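Review bot: In the acl_is explorer's new pipeline, `2>/dev/null` combined with `|| true` makes a failed getfacl (missing binary, permission denied, filesystem without ACL support) indistinguishable from a path that simply has no matching ACL entries, so the consumer gets an empty current state instead of an error. If the redirect is only there to hide getfacl's notice about stripping the leading slash (presumably the reason), say so in a comment and check getfacl's status before filtering: `acl=$(getfacl "/$__object_id" 2>/dev/null) || exit 1`, then `printf '%s\n' "$acl" | grep -E '…' || true`. The pattern also now reports `mask::` lines whether or not `--mask` was given. How gencode-remote compares and removes entries is outside this hunk, so confirm that an unmanaged mask does not make every run look changed or become a removal candidate under `--remove`.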
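Review bot: In the first gencode-remote hunk, the value read from `$__object/parameter/mask` is echoed into `mask::$l` and `default:mask::$l` without checking that it has the three-character `r`/`w`/`x`/`-` form that man.rst requires. gencode-remote emits shell code that runs on the target, and how this list is later quoted into the setfacl call is outside the hunk, so a malformed or multi-line value would presumably either fail only on the remote side or alter the generated command. Reject it locally with `case "$l" in [r-][w-][x-]) ;; *) echo "invalid mask: $l" >&2; exit 1 ;; esac`. The added lines appear to sit inside a command substitution that starts before the hunk (it closes with `)"`), where `exit` would only leave the subshell, so the check belongs before that substitution.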
@@ -46,7 +52,8 @@ EXAMPLES --user alice:rwx \ --user bob:r-x \ --group project-group:rwx \ - --group some-other-group:r-x + --group some-other-group:r-x \ + --mask r-x AUTHORS diff --git a/cdist/conf/type/__acl/parameter/optional b/cdist/conf/type/__acl/parameter/optional new file mode 100644 index 00000000..bb4fcf2b --- /dev/null +++ b/cdist/conf/type/__acl/parameter/optional @@ -0,0 +1 @@ +mask