Ubuntu 24.04 2.4.2.1 Ensure at is restricted to authorized users

ComplianceAsCode · Dec 12, 2024 · 62527ea · 62527ea
1 parent e7eb734
commit 62527ea
Show file tree

Hide file tree

Showing 5 changed files with 26 additions and 69 deletions.
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_exists/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_exists/rule.yml
@@ -4,8 +4,9 @@ documentation_complete: true
 title: Ensure that /etc/at.deny exists
 
 description: |-
-    The file <tt>/etc/at.deny</tt> should exist and should be used instead
-    of <tt>/etc/at.deny</tt>.
+    The file <tt>/etc/at.access</tt> should exist and should be used instead
+    of <tt>/etc/at.deny</tt>. But if at.deny is used, it should exist and have the correct
+    permisisons and owner.
 
 rationale: |-
     On many systems, only the system administrator is authorized to schedule at jobs.
@@ -15,7 +16,7 @@ rationale: |-
 
 severity: medium
 
-ocil_clause: 'the file /etc/at.deny does not exist'
+ocil_clause: 'the file /etc/at.deny exists'
 
 ocil: |-
     The file <tt>/etc/at.deny</tt> should exist.

diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_deny/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_deny/rule.yml
@@ -1,40 +1,25 @@
 documentation_complete: true
 
-title: 'Verify Group Who Owns /etc/at.allow file'
+title: 'Verify Group Who Owns /etc/at.deny file'
 
 description: |-
-    If <tt>/etc/at.allow</tt> exists, it must be group-owned by <tt>root</tt>.
-    {{{ describe_file_group_owner(file="/etc/at.allow", group="root") }}}
+    If <tt>/etc/at.deny</tt> exists, it must be group-owned by <tt>root</tt>.
+    {{{ describe_file_group_owner(file="/etc/at.deny", group="root") }}}
 
 rationale: |-
-    If the owner of the at.allow file is not set to root, the possibility exists for an
+    If the owner of the at.deny file is not set to root, the possibility exists for an
     unauthorized user to view or edit sensitive information.
 
 severity: medium
 
-identifiers:
-    cce@rhel8: CCE-87102-0
-    cce@rhel9: CCE-87103-8
-    cce@rhel10: CCE-90598-4
-    cce@sle12: CCE-91685-8
-    cce@sle15: CCE-91315-2
-    cce@slmicro5: CCE-93928-0
-
-references:
-    cis@sle12: 5.1.9
-    cis@sle15: 5.1.9
-    cis@slmicro5: 5.1.9
-    cis@ubuntu2004: 5.1.9
-    cis@ubuntu2204: 5.1.9
-
-ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/at.allow", group="root") }}}'
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/at.deny", group="root") }}}'
 
 ocil: |-
-    {{{ ocil_file_group_owner(file="/etc/at.allow", group="root") }}}
+    {{{ ocil_file_group_owner(file="/etc/at.deny", group="root") }}}
 
 template:
     name: file_groupowner
     vars:
-        filepath: /etc/at.allow
+        filepath: /etc/at.deny
         missing_file_pass: 'true'
         gid_or_name: '0'
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_deny/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_deny/rule.yml
@@ -1,41 +1,27 @@
 documentation_complete: true
 
 
-title: 'Verify User Who Owns /etc/at.allow file'
+title: 'Verify User Who Owns /etc/at.deny file'
 
 description: |-
-    If <tt>/etc/at.allow</tt> exists, it must be owned by <tt>root</tt>.
-    {{{ describe_file_owner(file="/etc/at.allow", owner="root") }}}
+    If <tt>/etc/at.deny</tt> exists, it must be owned by <tt>root</tt>.
+    {{{ describe_file_owner(file="/etc/at.deny", owner="root") }}}
 
 rationale: |-
-    If the owner of the at.allow file is not set to root, the possibility exists for an
+    If the owner of the at.deny file is not set to root, the possibility exists for an
     unauthorized user to view or edit sensitive information.
 
 severity: medium
 
-identifiers:
-    cce@rhel8: CCE-86345-6
-    cce@rhel9: CCE-86346-4
-    cce@rhel10: CCE-88524-4
-    cce@sle12: CCE-91687-4
-    cce@sle15: CCE-91317-8
-    cce@slmicro5: CCE-93927-2
 
-references:
-    cis@sle12: 5.1.9
-    cis@sle15: 5.1.9
-    cis@slmicro5: 5.1.9
-    cis@ubuntu2004: 5.1.9
-    cis@ubuntu2204: 5.1.9
-
-ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/at.allow", owner="root") }}}'
+ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/at.deny", owner="root") }}}'
 
 ocil: |-
-    {{{ ocil_file_owner(file="/etc/at.allow", owner="root") }}}
+    {{{ ocil_file_owner(file="/etc/at.deny", owner="root") }}}
 
 template:
     name: file_owner
     vars:
-        filepath: /etc/at.allow
+        filepath: /etc/at.deny
         missing_file_pass: 'true'
         fileuid: '0'
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_deny/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_deny/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
 
-title: 'Verify Permissions on /etc/at.allow file'
+title: 'Verify Permissions on /etc/at.deny file'
 
 {{%  if 'rhel' not in product %}}
     {{% set target_perms_octal="0640" %}}
@@ -11,40 +11,25 @@ title: 'Verify Permissions on /etc/at.allow file'
 {{% endif %}}
 
 description: |-
-    If <tt>/etc/at.allow</tt> exists, it must have permissions <tt>{{{ target_perms_octal }}}</tt>
+    If <tt>/etc/at.deny</tt> exists, it must have permissions <tt>{{{ target_perms_octal }}}</tt>
     or more restrictive.
 
-    {{{ describe_file_permissions(file="/etc/at.allow", perms=target_perms_octal) }}}
+    {{{ describe_file_permissions(file="/etc/at.deny", perms=target_perms_octal) }}}
 
 rationale: |-
-    If the permissions of the at.allow file are not set to {{{ target_perms_octal }}} or more restrictive,
+    If the permissions of the at.deny file are not set to {{{ target_perms_octal }}} or more restrictive,
     the possibility exists for an unauthorized user to view or edit sensitive information.
 
 severity: medium
 
-identifiers:
-    cce@rhel8: CCE-86903-2
-    cce@rhel9: CCE-86904-0
-    cce@rhel10: CCE-90283-3
-    cce@sle12: CCE-91689-0
-    cce@sle15: CCE-91319-4
-    cce@slmicro5: CCE-93926-4
-
-references:
-    cis@sle12: 5.1.9
-    cis@sle15: 5.1.9
-    cis@slmicro5: 5.1.9
-    cis@ubuntu2004: 5.1.9
-    cis@ubuntu2204: 5.1.9
-
-ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/at.allow", perms=target_perms) }}}'
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/at.deny", perms=target_perms) }}}'
 
 ocil: |-
-    {{{ ocil_file_permissions(file="/etc/at.allow", perms=target_perms) }}}
+    {{{ ocil_file_permissions(file="/etc/at.deny", perms=target_perms) }}}
 
 template:
     name: file_permissions
     vars:
-        filepath: /etc/at.allow
+        filepath: /etc/at.deny
         missing_file_pass: 'true'
         filemode: '{{{ target_perms_octal }}}'
diff --git a/...on_and_at/restrict_at_cron_users/file_permissions_at_deny/tests/missing_file_test.pass.sh b/...on_and_at/restrict_at_cron_users/file_permissions_at_deny/tests/missing_file_test.pass.sh
@@ -1,4 +1,4 @@
 #!/bin/bash
 #
 
-rm -f /etc/at.allow
+rm -f /etc/at.deny