ComplianceAsCode · ericeberry · Dec 12, 2024 · Dec 12, 2024 · Dec 12, 2024 · Dec 13, 2024
diff --git a/components/cronie.yml b/components/cronie.yml
@@ -6,12 +6,15 @@ packages:
 - cronie
 rules:
 - disable_anacron
+- file_at_allow_exists
+- file_at_deny_exists
 - file_at_deny_not_exist
 - file_cron_allow_exists
 - file_cron_deny_not_exist
 - file_owner_cron_deny
 - file_groupowner_cron_deny
 - file_groupowner_at_allow
+- file_groupowner_at_deny
 - file_groupowner_cron_allow
 - file_groupowner_cron_d
 - file_groupowner_cron_daily
@@ -20,6 +23,7 @@ rules:
 - file_groupowner_cron_weekly
 - file_groupowner_crontab
 - file_owner_at_allow
+- file_owner_at_deny
 - file_owner_cron_allow
 - file_owner_cron_d
 - file_owner_cron_daily
@@ -28,6 +32,7 @@ rules:
 - file_owner_cron_weekly
 - file_owner_crontab
 - file_permissions_at_allow
+- file_permissions_at_deny
 - file_permissions_cron_allow
 - file_permissions_cron_d
 - file_permissions_cron_daily

@@ -1090,14 +1090,19 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    related_rules:
-      - file_at_deny_not_exist
+    rules:
+      - file_at_allow_exists
       - file_groupowner_at_allow
       - file_owner_at_allow
       - file_permissions_at_allow
-    status: planned
-    notes: TODO. Partial/incorrect implementation exists.See related rules. Analogous to ubuntu2204/5.1.9.
-
+      - file_at_deny_not_exist
+      - file_groupowner_at_deny
+      - file_owner_at_deny
+      - file_permissions_at_deny
+    status: automated
+    notes: file_owner_at_deny and file_owner_at_allow currently require root as owner
+           and don't accept daemon
+
   - id: 3.1.1
     title: Ensure IPv6 status is identified (Manual)
     levels:

diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_allow_exists/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_allow_exists/rule.yml
@@ -0,0 +1,32 @@
+documentation_complete: true
+
+
+title: Ensure that /etc/at.allow exists
+
+description: |-
+    The file <tt>/etc/at.allow</tt> should exist and should be used instead
+    of <tt>/etc/at.deny</tt>.
+
+rationale: |-
+    Using the at.allow file to control who can run at jobs enforces this who can schedule jobs.
+    It is easier to manage an allow list than a deny list. 
+
+severity: medium
+
+ocil_clause: 'the file /etc/at.allow does not exist'
+
+ocil: |-
+    The file <tt>/etc/at.allow</tt> should exist.
+    This can be checked by running the following command:
+    <pre>
+    stat /etc/at.allow
+    </pre>
+    and the output should list the file.
+
+template:
+    name: file_existence
+    vars:
+        filepath: /etc/at.allow
+        exists: true
+        fileuid: "0"
+        filemode: "0640"
diff --git a/.../guide/services/cron_and_at/restrict_at_cron_users/file_at_allow_exists/tests/dne.fail.sh b/.../guide/services/cron_and_at/restrict_at_cron_users/file_at_allow_exists/tests/dne.fail.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+rm -rf /etc/at.allow
diff --git a/...ide/services/cron_and_at/restrict_at_cron_users/file_at_allow_exists/tests/exists.pass.sh b/...ide/services/cron_and_at/restrict_at_cron_users/file_at_allow_exists/tests/exists.pass.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+touch /etc/at.allow
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml
@@ -36,5 +36,4 @@ template:
     name: file_groupowner
     vars:
         filepath: /etc/at.allow
-        missing_file_pass: 'true'
         gid_or_name: '0'
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_deny/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_deny/rule.yml
@@ -0,0 +1,24 @@
+documentation_complete: true
+
+title: 'Verify Group Who Owns /etc/at.deny file'
+
+description: |-
+    If <tt>/etc/at.deny</tt> exists, it must be group-owned by <tt>root</tt>.
+    {{{ describe_file_group_owner(file="/etc/at.deny", group="root") }}}
+
+rationale: |-
+    If the owner of the at.deny file is not set to root, the possibility exists for an
+    unauthorized user to view or edit sensitive information.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/at.deny", group="root") }}}'
+
+ocil: |-
+    {{{ ocil_file_group_owner(file="/etc/at.deny", group="root") }}}
+
+template:
+    name: file_groupowner
+    vars:
+        filepath: /etc/at.deny
+        gid_or_name: '0'
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml
@@ -37,5 +37,4 @@ template:
     name: file_owner
     vars:
         filepath: /etc/at.allow
-        missing_file_pass: 'true'
         fileuid: '0'
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_deny/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_deny/rule.yml
@@ -0,0 +1,26 @@
+documentation_complete: true
+
+
+title: 'Verify User Who Owns /etc/at.deny file'
+
+description: |-
+    If <tt>/etc/at.deny</tt> exists, it must be owned by <tt>root</tt>.
+    {{{ describe_file_owner(file="/etc/at.deny", owner="root") }}}
+
+rationale: |-
+    If the owner of the at.deny file is not set to root, the possibility exists for an
+    unauthorized user to view or edit sensitive information.
+
+severity: medium
+
+
+ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/at.deny", owner="root") }}}'
+
+ocil: |-
+    {{{ ocil_file_owner(file="/etc/at.deny", owner="root") }}}
+
+template:
+    name: file_owner
+    vars:
+        filepath: /etc/at.deny
+        fileuid: '0'
diff --git a/...x_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml b/...x_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml
@@ -46,5 +46,4 @@ template:
     name: file_permissions
     vars:
         filepath: /etc/at.allow
-        missing_file_pass: 'true'
         filemode: '{{{ target_perms_octal }}}'
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_deny/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_deny/rule.yml
@@ -0,0 +1,34 @@
+documentation_complete: true
+
+title: 'Verify Permissions on /etc/at.deny file'
+
+{{%  if 'rhel' not in product %}}
+    {{% set target_perms_octal="0640" %}}
+    {{% set target_perms="-rw-r-----" %}}
+{{% else %}}
+    {{% set target_perms_octal="0600" %}}
+    {{% set target_perms="-rw-------" %}}
+{{% endif %}}
+
+description: |-
+    If <tt>/etc/at.deny</tt> exists, it must have permissions <tt>{{{ target_perms_octal }}}</tt>
+    or more restrictive.
+
+    {{{ describe_file_permissions(file="/etc/at.deny", perms=target_perms_octal) }}}
+
+rationale: |-
+    If the permissions of the at.deny file are not set to {{{ target_perms_octal }}} or more restrictive,
+    the possibility exists for an unauthorized user to view or edit sensitive information.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/at.deny", perms=target_perms) }}}'
+
+ocil: |-
+    {{{ ocil_file_permissions(file="/etc/at.deny", perms=target_perms) }}}
+
+template:
+    name: file_permissions
+    vars:
+        filepath: /etc/at.deny
+        filemode: '{{{ target_perms_octal }}}'
diff --git a/...on_and_at/restrict_at_cron_users/file_permissions_at_deny/tests/missing_file_test.pass.sh b/...on_and_at/restrict_at_cron_users/file_permissions_at_deny/tests/missing_file_test.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+#
+
+rm -f /etc/at.deny