Ubuntu 24.04 2.4.2.1 Ensure at is restricted to authorized users

ComplianceAsCode · Dec 12, 2024 · e7eb734 · e7eb734
1 parent 3b16f59
commit e7eb734
Show file tree

Hide file tree

Showing 9 changed files with 181 additions and 0 deletions.
diff --git a/components/cronie.yml b/components/cronie.yml
@@ -7,12 +7,14 @@ packages:
 rules:
 - disable_anacron
 - file_at_allow_exists
+- file_at_deny_exists
 - file_at_deny_not_exist
 - file_cron_allow_exists
 - file_cron_deny_not_exist
 - file_owner_cron_deny
 - file_groupowner_cron_deny
 - file_groupowner_at_allow
+- file_groupowner_at_deny
 - file_groupowner_cron_allow
 - file_groupowner_cron_d
 - file_groupowner_cron_daily
@@ -21,6 +23,7 @@ rules:
 - file_groupowner_cron_weekly
 - file_groupowner_crontab
 - file_owner_at_allow
+- file_owner_at_deny
 - file_owner_cron_allow
 - file_owner_cron_d
 - file_owner_cron_daily
@@ -29,6 +32,7 @@ rules:
 - file_owner_cron_weekly
 - file_owner_crontab
 - file_permissions_at_allow
+- file_permissions_at_deny
 - file_permissions_cron_allow
 - file_permissions_cron_d
 - file_permissions_cron_daily

diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
@@ -1096,6 +1096,10 @@ controls:
       - file_owner_at_allow
       - file_permissions_at_allow
       - file_at_deny_not_exist
+      - '!file_at_deny_exists'
+      - '!file_groupowner_at_deny'
+      - '!file_owner_at_deny'
+      - '!file_permissions_at_deny'
     status: automated
 
   - id: 3.1.1

diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_exists/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_exists/rule.yml
@@ -0,0 +1,34 @@
+documentation_complete: true
+
+
+title: Ensure that /etc/at.deny exists
+
+description: |-
+    The file <tt>/etc/at.deny</tt> should exist and should be used instead
+    of <tt>/etc/at.deny</tt>.
+
+rationale: |-
+    On many systems, only the system administrator is authorized to schedule at jobs.
+    Using the at.deny file to control who can run at jobs enforces this policy. It is easier
+    to manage an deny list than a deny list. In a deny list, you could potentially add a user
+    ID to the system and forget to add it to the deny files.
+
+severity: medium
+
+ocil_clause: 'the file /etc/at.deny does not exist'
+
+ocil: |-
+    The file <tt>/etc/at.deny</tt> should exist.
+    This can be checked by running the following command:
+    <pre>
+    stat /etc/at.deny
+    </pre>
+    and the output should list the file.
+
+template:
+    name: file_existence
+    vars:
+        filepath: /etc/at.deny
+        exists: true
+        fileuid: "0"
+        filemode: "0640"
diff --git a/...s/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_exists/tests/dne.fail.sh b/...s/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_exists/tests/dne.fail.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+rm -rf /etc/at.deny
diff --git a/...uide/services/cron_and_at/restrict_at_cron_users/file_at_deny_exists/tests/exists.pass.sh b/...uide/services/cron_and_at/restrict_at_cron_users/file_at_deny_exists/tests/exists.pass.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+touch /etc/at.deny
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_deny/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_deny/rule.yml
@@ -0,0 +1,40 @@
+documentation_complete: true
+
+title: 'Verify Group Who Owns /etc/at.allow file'
+
+description: |-
+    If <tt>/etc/at.allow</tt> exists, it must be group-owned by <tt>root</tt>.
+    {{{ describe_file_group_owner(file="/etc/at.allow", group="root") }}}
+
+rationale: |-
+    If the owner of the at.allow file is not set to root, the possibility exists for an
+    unauthorized user to view or edit sensitive information.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-87102-0
+    cce@rhel9: CCE-87103-8
+    cce@rhel10: CCE-90598-4
+    cce@sle12: CCE-91685-8
+    cce@sle15: CCE-91315-2
+    cce@slmicro5: CCE-93928-0
+
+references:
+    cis@sle12: 5.1.9
+    cis@sle15: 5.1.9
+    cis@slmicro5: 5.1.9
+    cis@ubuntu2004: 5.1.9
+    cis@ubuntu2204: 5.1.9
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/at.allow", group="root") }}}'
+
+ocil: |-
+    {{{ ocil_file_group_owner(file="/etc/at.allow", group="root") }}}
+
+template:
+    name: file_groupowner
+    vars:
+        filepath: /etc/at.allow
+        missing_file_pass: 'true'
+        gid_or_name: '0'
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_deny/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_deny/rule.yml
@@ -0,0 +1,41 @@
+documentation_complete: true
+
+
+title: 'Verify User Who Owns /etc/at.allow file'
+
+description: |-
+    If <tt>/etc/at.allow</tt> exists, it must be owned by <tt>root</tt>.
+    {{{ describe_file_owner(file="/etc/at.allow", owner="root") }}}
+
+rationale: |-
+    If the owner of the at.allow file is not set to root, the possibility exists for an
+    unauthorized user to view or edit sensitive information.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-86345-6
+    cce@rhel9: CCE-86346-4
+    cce@rhel10: CCE-88524-4
+    cce@sle12: CCE-91687-4
+    cce@sle15: CCE-91317-8
+    cce@slmicro5: CCE-93927-2
+
+references:
+    cis@sle12: 5.1.9
+    cis@sle15: 5.1.9
+    cis@slmicro5: 5.1.9
+    cis@ubuntu2004: 5.1.9
+    cis@ubuntu2204: 5.1.9
+
+ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/at.allow", owner="root") }}}'
+
+ocil: |-
+    {{{ ocil_file_owner(file="/etc/at.allow", owner="root") }}}
+
+template:
+    name: file_owner
+    vars:
+        filepath: /etc/at.allow
+        missing_file_pass: 'true'
+        fileuid: '0'
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_deny/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_deny/rule.yml
@@ -0,0 +1,50 @@
+documentation_complete: true
+
+title: 'Verify Permissions on /etc/at.allow file'
+
+{{%  if 'rhel' not in product %}}
+    {{% set target_perms_octal="0640" %}}
+    {{% set target_perms="-rw-r-----" %}}
+{{% else %}}
+    {{% set target_perms_octal="0600" %}}
+    {{% set target_perms="-rw-------" %}}
+{{% endif %}}
+
+description: |-
+    If <tt>/etc/at.allow</tt> exists, it must have permissions <tt>{{{ target_perms_octal }}}</tt>
+    or more restrictive.
+
+    {{{ describe_file_permissions(file="/etc/at.allow", perms=target_perms_octal) }}}
+
+rationale: |-
+    If the permissions of the at.allow file are not set to {{{ target_perms_octal }}} or more restrictive,
+    the possibility exists for an unauthorized user to view or edit sensitive information.
+
+severity: medium
+
+identifiers:
+    cce@rhel8: CCE-86903-2
+    cce@rhel9: CCE-86904-0
+    cce@rhel10: CCE-90283-3
+    cce@sle12: CCE-91689-0
+    cce@sle15: CCE-91319-4
+    cce@slmicro5: CCE-93926-4
+
+references:
+    cis@sle12: 5.1.9
+    cis@sle15: 5.1.9
+    cis@slmicro5: 5.1.9
+    cis@ubuntu2004: 5.1.9
+    cis@ubuntu2204: 5.1.9
+
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/at.allow", perms=target_perms) }}}'
+
+ocil: |-
+    {{{ ocil_file_permissions(file="/etc/at.allow", perms=target_perms) }}}
+
+template:
+    name: file_permissions
+    vars:
+        filepath: /etc/at.allow
+        missing_file_pass: 'true'
+        filemode: '{{{ target_perms_octal }}}'
diff --git a/...on_and_at/restrict_at_cron_users/file_permissions_at_deny/tests/missing_file_test.pass.sh b/...on_and_at/restrict_at_cron_users/file_permissions_at_deny/tests/missing_file_test.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+#
+
+rm -f /etc/at.allow