From 62527eac377f0bc0b788175c5df2b091a3c7d006 Mon Sep 17 00:00:00 2001
From: Eric Berry
Date: Thu, 12 Dec 2024 15:28:07 -0800
Subject: [PATCH] Ubuntu 24.04 2.4.2.1 Ensure at is restricted to authorized users

---
 .../file_at_deny_exists/rule.yml | 7 +++--
 .../file_groupowner_at_deny/rule.yml | 29 +++++-------------
 .../file_owner_at_deny/rule.yml | 28 +++++------------
 .../file_permissions_at_deny/rule.yml | 29 +++++-------------
 .../tests/missing_file_test.pass.sh | 2 +-
 5 files changed, 26 insertions(+), 69 deletions(-)

diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_exists/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_exists/rule.yml
index ca75b40de45..91f94578e48 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_exists/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_exists/rule.yml
@@ -4,8 +4,9 @@ documentation_complete: true
 title: Ensure that /etc/at.deny exists
 description: |-
- The file /etc/at.deny should exist and should be used instead
- of /etc/at.deny.
+ The file /etc/at.access should exist and should be used instead
+ of /etc/at.deny. But if at.deny is used, it should exist and have the correct
+ permisisons and owner.
 rationale: |-
 On many systems, only the system administrator is authorized to schedule at jobs.
@@ -15,7 +16,7 @@ rationale: |-
 severity: medium
-ocil_clause: 'the file /etc/at.deny does not exist'
+ocil_clause: 'the file /etc/at.deny exists'
 ocil: |-
 The file /etc/at.deny should exist.
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_deny/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_deny/rule.yml
index 8f733aa019d..0e731d87237 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_deny/rule.yml
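Review bot: The new `ocil_clause: 'the file /etc/at.deny exists'` contradicts the rule's title (`Ensure that /etc/at.deny exists`) and the unchanged ocil text (`The file /etc/at.deny should exist.`): the clause names the condition that counts as a finding, so the original `does not exist` was the consistent one, unless the intent is to flip the rule, in which case title and ocil need the same flip. The rewritten description refers to `/etc/at.access`, which is not the allow-list file that at(1) reads; the counterpart of /etc/at.deny is `/etc/at.allow`, so the line should read `The file /etc/at.allow should exist and should be used instead`. The same added text misspells "permissions" as `permisisons`. Both hunks of this file are covered by this note.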
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_deny/rule.yml
@@ -1,40 +1,25 @@
 documentation_complete: true
-title: 'Verify Group Who Owns /etc/at.allow file'
+title: 'Verify Group Who Owns /etc/at.deny file'
 description: |-
- If /etc/at.allow exists, it must be group-owned by root.
- {{{ describe_file_group_owner(file="/etc/at.allow", group="root") }}}
+ If /etc/at.deny exists, it must be group-owned by root.
+ {{{ describe_file_group_owner(file="/etc/at.deny", group="root") }}}
 rationale: |-
- If the owner of the at.allow file is not set to root, the possibility exists for an
+ If the owner of the at.deny file is not set to root, the possibility exists for an
 unauthorized user to view or edit sensitive information.
 severity: medium
-identifiers:
- cce@rhel8: CCE-87102-0
- cce@rhel9: CCE-87103-8
- cce@rhel10: CCE-90598-4
- cce@sle12: CCE-91685-8
- cce@sle15: CCE-91315-2
- cce@slmicro5: CCE-93928-0
-
-references:
- cis@sle12: 5.1.9
- cis@sle15: 5.1.9
- cis@slmicro5: 5.1.9
- cis@ubuntu2004: 5.1.9
- cis@ubuntu2204: 5.1.9
-
-ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/at.allow", group="root") }}}'
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/at.deny", group="root") }}}'
 ocil: |-
- {{{ ocil_file_group_owner(file="/etc/at.allow", group="root") }}}
+ {{{ ocil_file_group_owner(file="/etc/at.deny", group="root") }}}
 template:
 name: file_groupowner
 vars:
- filepath: /etc/at.allow
+ filepath: /etc/at.deny
 missing_file_pass: 'true'
 gid_or_name: '0'
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_deny/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_deny/rule.yml
index 2cf0d40ad79..738f67c1f05 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_deny/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_deny/rule.yml
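Review bot: The rewritten rationale line `If the owner of the at.deny file is not set to root` sits in the group-owner rule, so it should read `If the group owner of the at.deny file is not set to root`. The template keeps `gid_or_name: '0'` while the check now targets at.deny; on Debian-derived systems the at package is believed to ship /etc/at.deny group-owned by daemon rather than root, so this is worth confirming on an Ubuntu 24.04 host before the rule is added to that profile. This hunk also deletes the whole `identifiers:` and `references:` blocks, which affects every product that shares the rule, not only Ubuntu 24.04, and no `cis@ubuntu2404` reference is added for the 2.4.2.1 item the commit title names; the file_owner_at_deny and file_permissions_at_deny hunks do the same. If those CCEs were duplicates of sibling at.allow rules, a sentence in the commit message saying so would settle it.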
@@ -1,41 +1,27 @@
 documentation_complete: true
-title: 'Verify User Who Owns /etc/at.allow file'
+title: 'Verify User Who Owns /etc/at.deny file'
 description: |-
- If /etc/at.allow exists, it must be owned by root.
- {{{ describe_file_owner(file="/etc/at.allow", owner="root") }}}
+ If /etc/at.deny exists, it must be owned by root.
+ {{{ describe_file_owner(file="/etc/at.deny", owner="root") }}}
 rationale: |-
- If the owner of the at.allow file is not set to root, the possibility exists for an
+ If the owner of the at.deny file is not set to root, the possibility exists for an
 unauthorized user to view or edit sensitive information.
 severity: medium
-identifiers:
- cce@rhel8: CCE-86345-6
- cce@rhel9: CCE-86346-4
- cce@rhel10: CCE-88524-4
- cce@sle12: CCE-91687-4
- cce@sle15: CCE-91317-8
- cce@slmicro5: CCE-93927-2
-references:
- cis@sle12: 5.1.9
- cis@sle15: 5.1.9
- cis@slmicro5: 5.1.9
- cis@ubuntu2004: 5.1.9
- cis@ubuntu2204: 5.1.9
-
-ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/at.allow", owner="root") }}}'
+ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/at.deny", owner="root") }}}'
 ocil: |-
- {{{ ocil_file_owner(file="/etc/at.allow", owner="root") }}}
+ {{{ ocil_file_owner(file="/etc/at.deny", owner="root") }}}
 template:
 name: file_owner
 vars:
- filepath: /etc/at.allow
+ filepath: /etc/at.deny
 missing_file_pass: 'true'
 fileuid: '0'
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_deny/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_deny/rule.yml
index be2309d6766..332cf43f736 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_deny/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_deny/rule.yml
@@ -1,6 +1,6 @@
 documentation_complete: true
-title: 'Verify Permissions on /etc/at.allow file'
+title: 'Verify Permissions on /etc/at.deny file'
 {{% if 'rhel' not in product %}}
 {{% set target_perms_octal="0640" %}}
@@ -11,40 +11,25 @@ title: 'Verify Permissions on /etc/at.allow file'
 {{% endif %}}
 description: |-
- If /etc/at.allow exists, it must have permissions {{{ target_perms_octal }}}
+ If /etc/at.deny exists, it must have permissions {{{ target_perms_octal }}}
 or more restrictive.
- {{{ describe_file_permissions(file="/etc/at.allow", perms=target_perms_octal) }}}
+ {{{ describe_file_permissions(file="/etc/at.deny", perms=target_perms_octal) }}}
 rationale: |-
- If the permissions of the at.allow file are not set to {{{ target_perms_octal }}} or more restrictive,
+ If the permissions of the at.deny file are not set to {{{ target_perms_octal }}} or more restrictive,
 the possibility exists for an unauthorized user to view or edit sensitive information.
 severity: medium
-identifiers:
- cce@rhel8: CCE-86903-2
- cce@rhel9: CCE-86904-0
- cce@rhel10: CCE-90283-3
- cce@sle12: CCE-91689-0
- cce@sle15: CCE-91319-4
- cce@slmicro5: CCE-93926-4
-
-references:
- cis@sle12: 5.1.9
- cis@sle15: 5.1.9
- cis@slmicro5: 5.1.9
- cis@ubuntu2004: 5.1.9
- cis@ubuntu2204: 5.1.9
-
-ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/at.allow", perms=target_perms) }}}'
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/at.deny", perms=target_perms) }}}'
 ocil: |-
- {{{ ocil_file_permissions(file="/etc/at.allow", perms=target_perms) }}}
+ {{{ ocil_file_permissions(file="/etc/at.deny", perms=target_perms) }}}
 template:
 name: file_permissions
 vars:
- filepath: /etc/at.allow
+ filepath: /etc/at.deny
 missing_file_pass: 'true'
 filemode: '{{{ target_perms_octal }}}'
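Review bot: The rewritten rationale line in the second hunk keeps the `view or edit sensitive information` framing, which describes a readable secret rather than a deny list: for /etc/at.deny the consequence of loose permissions is that a user who can write the file can remove their own entry and regain access to at(1). A wording such as `If the permissions of the at.deny file are not set to {{{ target_perms_octal }}} or more restrictive, an unauthorized user could alter the list of accounts denied access to at.` would state the actual risk. The owner and group-owner rules in this commit carry the same sentence and would benefit from the matching change.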
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_deny/tests/missing_file_test.pass.sh b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_deny/tests/missing_file_test.pass.sh
index 1728fa0789c..80cb6e85925 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_deny/tests/missing_file_test.pass.sh
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_deny/tests/missing_file_test.pass.sh
@@ -1,4 +1,4 @@
 #!/bin/bash
 #
-rm -f /etc/at.allow
+rm -f /etc/at.deny