From 3b16f59bc7b49c330bea93257408c8eef6d31d45 Mon Sep 17 00:00:00 2001 From: Eric Berry Date: Thu, 12 Dec 2024 11:51:58 -0800 Subject: [PATCH 1/5] Ubuntu 24.04 2.4.2.1 Ensure at is restricted to authorized users --- components/cronie.yml | 1 + controls/cis_ubuntu2404.yml | 10 +++--- .../file_at_allow_exists/rule.yml | 34 +++++++++++++++++++ .../file_at_allow_exists/tests/dne.fail.sh | 2 ++ .../file_at_allow_exists/tests/exists.pass.sh | 2 ++ 5 files changed, 44 insertions(+), 5 deletions(-) create mode 100644 linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_allow_exists/rule.yml create mode 100644 linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_allow_exists/tests/dne.fail.sh create mode 100644 linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_allow_exists/tests/exists.pass.sh diff --git a/components/cronie.yml b/components/cronie.yml index 07e01029537..ff1456c50ce 100644 --- a/components/cronie.yml +++ b/components/cronie.yml @@ -6,6 +6,7 @@ packages: - cronie rules: - disable_anacron +- file_at_allow_exists - file_at_deny_not_exist - file_cron_allow_exists - file_cron_deny_not_exist diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml index 8d9717f3fe2..ea10b41b169 100644 --- a/controls/cis_ubuntu2404.yml +++ b/controls/cis_ubuntu2404.yml @@ -1090,14 +1090,14 @@ controls: levels: - l1_server - l1_workstation - related_rules: - - file_at_deny_not_exist + rules: + - file_at_allow_exists - file_groupowner_at_allow - file_owner_at_allow - file_permissions_at_allow - status: planned - notes: TODO. Partial/incorrect implementation exists.See related rules. Analogous to ubuntu2204/5.1.9. - + - file_at_deny_not_exist + status: automated + - id: 3.1.1 title: Ensure IPv6 status is identified (Manual) levels: 
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_allow_exists/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_allow_exists/rule.yml new file mode 100644 index 00000000000..c8130426c4a --- /dev/null +++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_allow_exists/rule.yml @@ -0,0 +1,34 @@ +documentation_complete: true + + +title: Ensure that /etc/at.allow exists + +description: |- + The file /etc/at.allow should exist and should be used instead + of /etc/at.deny. + +rationale: |- + On many systems, only the system administrator is authorized to schedule at jobs. + Using the at.allow file to control who can run at jobs enforces this policy. It is easier + to manage an allow list than a deny list. In a deny list, you could potentially add a user + ID to the system and forget to add it to the deny files. + +severity: medium + +ocil_clause: 'the file /etc/at.allow does not exist' + +ocil: |- + The file /etc/at.allow should exist. + This can be checked by running the following command: +
+    stat /etc/at.allow
+    
+ and the output should list the file. + +template: + name: file_existence + vars: + filepath: /etc/at.allow + exists: true + fileuid: "0" + filemode: "0640" diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_allow_exists/tests/dne.fail.sh b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_allow_exists/tests/dne.fail.sh new file mode 100644 index 00000000000..55587f045c4 --- /dev/null +++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_allow_exists/tests/dne.fail.sh @@ -0,0 +1,2 @@ +#!/bin/bash +rm -rf /etc/at.allow diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_allow_exists/tests/exists.pass.sh b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_allow_exists/tests/exists.pass.sh new file mode 100644 index 00000000000..63703d86f55 --- /dev/null +++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_allow_exists/tests/exists.pass.sh @@ -0,0 +1,2 @@ +#!/bin/bash +touch /etc/at.allow From e7eb7341aa1e85f0eb123067c1e647ef1702f289 Mon Sep 17 00:00:00 2001 
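Review bot: The `template: file_existence` block ends with `fileuid: "0"` and `filemode: "0640"`, but the file_existence template as I know it takes only `filepath` and `exists`; if those two vars are ignored they are misleading dead config, and if the template does honour them the pass test's `touch /etc/at.allow` (exists.pass.sh, same line) creates the file with the umask default mode and the test runner's uid rather than a guaranteed 0640/root, so the pass test is not deterministic. Ownership and mode of /etc/at.allow are already covered by file_owner_at_allow, file_groupowner_at_allow and file_permissions_at_allow, which the same control selects, so I would drop the two vars and keep this rule to existence, mirroring the existing file_cron_allow_exists rule. Minor: `rm -rf /etc/at.allow` in dne.fail.sh can be `rm -f /etc/at.allow`, since a regular file needs no recursion.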
From: Eric Berry Date: Thu, 12 Dec 2024 15:01:51 -0800 Subject: [PATCH 2/5] Ubuntu 24.04 2.4.2.1 Ensure at is restricted to authorized users --- components/cronie.yml | 4 ++ controls/cis_ubuntu2404.yml | 4 ++ .../file_at_deny_exists/rule.yml | 34 +++++++++++++ .../file_at_deny_exists/tests/dne.fail.sh | 2 + .../file_at_deny_exists/tests/exists.pass.sh | 2 + .../file_groupowner_at_deny/rule.yml | 40 +++++++++++++++ .../file_owner_at_deny/rule.yml | 41 +++++++++++++++ .../file_permissions_at_deny/rule.yml | 50 +++++++++++++++++++ .../tests/missing_file_test.pass.sh | 4 ++ 9 files changed, 181 insertions(+) create mode 100644 linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_exists/rule.yml create mode 100644 linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_exists/tests/dne.fail.sh create mode 100644 linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_exists/tests/exists.pass.sh create mode 100644 linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_deny/rule.yml create mode 100644 linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_deny/rule.yml create mode 100644 linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_deny/rule.yml create mode 100644 linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_deny/tests/missing_file_test.pass.sh diff --git a/components/cronie.yml b/components/cronie.yml index ff1456c50ce..d5e7993dbf0 100644 --- a/components/cronie.yml +++ b/components/cronie.yml @@ -7,12 +7,14 @@ packages: rules: - disable_anacron - file_at_allow_exists +- file_at_deny_exists - file_at_deny_not_exist - file_cron_allow_exists - file_cron_deny_not_exist - file_owner_cron_deny - file_groupowner_cron_deny - file_groupowner_at_allow +- file_groupowner_at_deny - file_groupowner_cron_allow - file_groupowner_cron_d - file_groupowner_cron_daily 
@@ -21,6 +23,7 @@ rules: - file_groupowner_cron_weekly - file_groupowner_crontab - file_owner_at_allow +- file_owner_at_deny - file_owner_cron_allow - file_owner_cron_d - file_owner_cron_daily @@ -29,6 +32,7 @@ rules: - file_owner_cron_weekly - file_owner_crontab - file_permissions_at_allow +- file_permissions_at_deny - file_permissions_cron_allow - file_permissions_cron_d - file_permissions_cron_daily diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml index ea10b41b169..b74496ee6bd 100644 --- a/controls/cis_ubuntu2404.yml +++ b/controls/cis_ubuntu2404.yml @@ -1096,6 +1096,10 @@ controls: - file_owner_at_allow - file_permissions_at_allow - file_at_deny_not_exist + - '!file_at_deny_exists' + - '!file_groupowner_at_deny' + - '!file_owner_at_deny' + - '!file_permissions_at_deny' status: automated - id: 3.1.1 diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_exists/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_exists/rule.yml new file mode 100644 index 00000000000..ca75b40de45 --- /dev/null +++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_exists/rule.yml @@ -0,0 +1,34 @@ +documentation_complete: true + + +title: Ensure that /etc/at.deny exists + +description: |- + The file /etc/at.deny should exist and should be used instead + of /etc/at.deny. + +rationale: |- + On many systems, only the system administrator is authorized to schedule at jobs. + Using the at.deny file to control who can run at jobs enforces this policy. It is easier + to manage an deny list than a deny list. In a deny list, you could potentially add a user + ID to the system and forget to add it to the deny files. + +severity: medium + +ocil_clause: 'the file /etc/at.deny does not exist' + +ocil: |- + The file /etc/at.deny should exist. + This can be checked by running the following command: +
+    stat /etc/at.deny
+    
+ and the output should list the file. + +template: + name: file_existence + vars: + filepath: /etc/at.deny + exists: true + fileuid: "0" + filemode: "0640" diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_exists/tests/dne.fail.sh b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_exists/tests/dne.fail.sh new file mode 100644 index 00000000000..3047d1320b0 --- /dev/null +++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_exists/tests/dne.fail.sh @@ -0,0 +1,2 @@ +#!/bin/bash +rm -rf /etc/at.deny diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_exists/tests/exists.pass.sh b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_exists/tests/exists.pass.sh new file mode 100644 index 00000000000..e07c588e8ed --- /dev/null +++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_exists/tests/exists.pass.sh @@ -0,0 +1,2 @@ +#!/bin/bash +touch /etc/at.deny diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_deny/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_deny/rule.yml new file mode 100644 index 00000000000..8f733aa019d --- /dev/null +++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_deny/rule.yml 
@@ -0,0 +1,40 @@ +documentation_complete: true + +title: 'Verify Group Who Owns /etc/at.allow file' + +description: |- + If /etc/at.allow exists, it must be group-owned by root. + {{{ describe_file_group_owner(file="/etc/at.allow", group="root") }}} + +rationale: |- + If the owner of the at.allow file is not set to root, the possibility exists for an + unauthorized user to view or edit sensitive information. + +severity: medium + +identifiers: + cce@rhel8: CCE-87102-0 + cce@rhel9: CCE-87103-8 + cce@rhel10: CCE-90598-4 + cce@sle12: CCE-91685-8 + cce@sle15: CCE-91315-2 + cce@slmicro5: CCE-93928-0 + +references: + cis@sle12: 5.1.9 + cis@sle15: 5.1.9 + cis@slmicro5: 5.1.9 + cis@ubuntu2004: 5.1.9 + cis@ubuntu2204: 5.1.9 + +ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/at.allow", group="root") }}}' + +ocil: |- + {{{ ocil_file_group_owner(file="/etc/at.allow", group="root") }}} + +template: + name: file_groupowner + vars: + filepath: /etc/at.allow + missing_file_pass: 'true' + gid_or_name: '0' diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_deny/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_deny/rule.yml new file mode 100644 index 00000000000..2cf0d40ad79 --- /dev/null +++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_deny/rule.yml 
@@ -0,0 +1,41 @@ +documentation_complete: true + + +title: 'Verify User Who Owns /etc/at.allow file' + +description: |- + If /etc/at.allow exists, it must be owned by root. + {{{ describe_file_owner(file="/etc/at.allow", owner="root") }}} + +rationale: |- + If the owner of the at.allow file is not set to root, the possibility exists for an + unauthorized user to view or edit sensitive information. + +severity: medium + +identifiers: + cce@rhel8: CCE-86345-6 + cce@rhel9: CCE-86346-4 + cce@rhel10: CCE-88524-4 + cce@sle12: CCE-91687-4 + cce@sle15: CCE-91317-8 + cce@slmicro5: CCE-93927-2 + +references: + cis@sle12: 5.1.9 + cis@sle15: 5.1.9 + cis@slmicro5: 5.1.9 + cis@ubuntu2004: 5.1.9 + cis@ubuntu2204: 5.1.9 + +ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/at.allow", owner="root") }}}' + +ocil: |- + {{{ ocil_file_owner(file="/etc/at.allow", owner="root") }}} + +template: + name: file_owner + vars: + filepath: /etc/at.allow + missing_file_pass: 'true' + fileuid: '0' diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_deny/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_deny/rule.yml new file mode 100644 index 00000000000..be2309d6766 --- /dev/null +++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_deny/rule.yml 
@@ -0,0 +1,50 @@ +documentation_complete: true + +title: 'Verify Permissions on /etc/at.allow file' + +{{% if 'rhel' not in product %}} + {{% set target_perms_octal="0640" %}} + {{% set target_perms="-rw-r-----" %}} +{{% else %}} + {{% set target_perms_octal="0600" %}} + {{% set target_perms="-rw-------" %}} +{{% endif %}} + +description: |- + If /etc/at.allow exists, it must have permissions {{{ target_perms_octal }}} + or more restrictive. + + {{{ describe_file_permissions(file="/etc/at.allow", perms=target_perms_octal) }}} + +rationale: |- + If the permissions of the at.allow file are not set to {{{ target_perms_octal }}} or more restrictive, + the possibility exists for an unauthorized user to view or edit sensitive information. + +severity: medium + +identifiers: + cce@rhel8: CCE-86903-2 + cce@rhel9: CCE-86904-0 + cce@rhel10: CCE-90283-3 + cce@sle12: CCE-91689-0 + cce@sle15: CCE-91319-4 + cce@slmicro5: CCE-93926-4 + +references: + cis@sle12: 5.1.9 + cis@sle15: 5.1.9 + cis@slmicro5: 5.1.9 + cis@ubuntu2004: 5.1.9 + cis@ubuntu2204: 5.1.9 + +ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/at.allow", perms=target_perms) }}}' + +ocil: |- + {{{ ocil_file_permissions(file="/etc/at.allow", perms=target_perms) }}} + +template: + name: file_permissions + vars: + filepath: /etc/at.allow + missing_file_pass: 'true' + filemode: '{{{ target_perms_octal }}}' diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_deny/tests/missing_file_test.pass.sh b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_deny/tests/missing_file_test.pass.sh new file mode 100644 index 00000000000..1728fa0789c --- /dev/null +++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_deny/tests/missing_file_test.pass.sh @@ -0,0 +1,4 @@ +#!/bin/bash +# + +rm -f /etc/at.allow From 62527eac377f0bc0b788175c5df2b091a3c7d006 Mon Sep 17 00:00:00 2001 
From: Eric Berry Date: Thu, 12 Dec 2024 15:28:07 -0800 Subject: [PATCH 3/5] Ubuntu 24.04 2.4.2.1 Ensure at is restricted to authorized users --- .../file_at_deny_exists/rule.yml | 7 +++-- .../file_groupowner_at_deny/rule.yml | 29 +++++-------------- .../file_owner_at_deny/rule.yml | 28 +++++------------- .../file_permissions_at_deny/rule.yml | 29 +++++-------------- .../tests/missing_file_test.pass.sh | 2 +- 5 files changed, 26 insertions(+), 69 deletions(-) diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_exists/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_exists/rule.yml index ca75b40de45..91f94578e48 100644 --- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_exists/rule.yml +++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_exists/rule.yml @@ -4,8 +4,9 @@ documentation_complete: true title: Ensure that /etc/at.deny exists description: |- - The file /etc/at.deny should exist and should be used instead - of /etc/at.deny. + The file /etc/at.access should exist and should be used instead + of /etc/at.deny. But if at.deny is used, it should exist and have the correct + permisisons and owner. rationale: |- On many systems, only the system administrator is authorized to schedule at jobs. @@ -15,7 +16,7 @@ rationale: |- severity: medium -ocil_clause: 'the file /etc/at.deny does not exist' +ocil_clause: 'the file /etc/at.deny exists' ocil: |- The file /etc/at.deny should exist. diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_deny/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_deny/rule.yml index 8f733aa019d..0e731d87237 100644 --- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_deny/rule.yml +++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_deny/rule.yml 
@@ -1,40 +1,25 @@ documentation_complete: true -title: 'Verify Group Who Owns /etc/at.allow file' +title: 'Verify Group Who Owns /etc/at.deny file' description: |- - If /etc/at.allow exists, it must be group-owned by root. - {{{ describe_file_group_owner(file="/etc/at.allow", group="root") }}} + If /etc/at.deny exists, it must be group-owned by root. + {{{ describe_file_group_owner(file="/etc/at.deny", group="root") }}} rationale: |- - If the owner of the at.allow file is not set to root, the possibility exists for an + If the owner of the at.deny file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information. severity: medium -identifiers: - cce@rhel8: CCE-87102-0 - cce@rhel9: CCE-87103-8 - cce@rhel10: CCE-90598-4 - cce@sle12: CCE-91685-8 - cce@sle15: CCE-91315-2 - cce@slmicro5: CCE-93928-0 - -references: - cis@sle12: 5.1.9 - cis@sle15: 5.1.9 - cis@slmicro5: 5.1.9 - cis@ubuntu2004: 5.1.9 - cis@ubuntu2204: 5.1.9 - -ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/at.allow", group="root") }}}' +ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/at.deny", group="root") }}}' ocil: |- - {{{ ocil_file_group_owner(file="/etc/at.allow", group="root") }}} + {{{ ocil_file_group_owner(file="/etc/at.deny", group="root") }}} template: name: file_groupowner vars: - filepath: /etc/at.allow + filepath: /etc/at.deny missing_file_pass: 'true' gid_or_name: '0' diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_deny/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_deny/rule.yml index 2cf0d40ad79..738f67c1f05 100644 --- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_deny/rule.yml +++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_deny/rule.yml 
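Review bot: `gid_or_name: '0'` on the new side requires /etc/at.deny to be group-owned by root, while CIS 2.4.2.1 (as I recall it) accepts group `daemon` or `root`, and the Debian/Ubuntu `at` package ships /etc/at.deny as root:daemon if I remember the packaging correctly, so a stock install fails this rule and the implied fix is `chgrp root`. Because /usr/bin/at runs setgid daemon, a root:root 0640 at.deny may become unreadable to it; before shipping, confirm on Ubuntu 24.04 that `at` still enforces the list after that change rather than behaving as if the file were absent. If the file_groupowner template accepts alternatives, allowing daemon as well as root is the safer encoding; otherwise the rule description should carry a line such as `NOTE: CIS also permits group daemon, which is the Ubuntu package default` so assessors know the failure is expected.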
@@ -1,41 +1,27 @@ documentation_complete: true -title: 'Verify User Who Owns /etc/at.allow file' +title: 'Verify User Who Owns /etc/at.deny file' description: |- - If /etc/at.allow exists, it must be owned by root. - {{{ describe_file_owner(file="/etc/at.allow", owner="root") }}} + If /etc/at.deny exists, it must be owned by root. + {{{ describe_file_owner(file="/etc/at.deny", owner="root") }}} rationale: |- - If the owner of the at.allow file is not set to root, the possibility exists for an + If the owner of the at.deny file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information. severity: medium -identifiers: - cce@rhel8: CCE-86345-6 - cce@rhel9: CCE-86346-4 - cce@rhel10: CCE-88524-4 - cce@sle12: CCE-91687-4 - cce@sle15: CCE-91317-8 - cce@slmicro5: CCE-93927-2 -references: - cis@sle12: 5.1.9 - cis@sle15: 5.1.9 - cis@slmicro5: 5.1.9 - cis@ubuntu2004: 5.1.9 - cis@ubuntu2204: 5.1.9 - -ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/at.allow", owner="root") }}}' +ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/at.deny", owner="root") }}}' ocil: |- - {{{ ocil_file_owner(file="/etc/at.allow", owner="root") }}} + {{{ ocil_file_owner(file="/etc/at.deny", owner="root") }}} template: name: file_owner vars: - filepath: /etc/at.allow + filepath: /etc/at.deny missing_file_pass: 'true' fileuid: '0' diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_deny/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_deny/rule.yml index be2309d6766..332cf43f736 100644 --- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_deny/rule.yml +++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_deny/rule.yml 
@@ -1,6 +1,6 @@ documentation_complete: true -title: 'Verify Permissions on /etc/at.allow file' +title: 'Verify Permissions on /etc/at.deny file' {{% if 'rhel' not in product %}} {{% set target_perms_octal="0640" %}} @@ -11,40 +11,25 @@ title: 'Verify Permissions on /etc/at.allow file' {{% endif %}} description: |- - If /etc/at.allow exists, it must have permissions {{{ target_perms_octal }}} + If /etc/at.deny exists, it must have permissions {{{ target_perms_octal }}} or more restrictive. - {{{ describe_file_permissions(file="/etc/at.allow", perms=target_perms_octal) }}} + {{{ describe_file_permissions(file="/etc/at.deny", perms=target_perms_octal) }}} rationale: |- - If the permissions of the at.allow file are not set to {{{ target_perms_octal }}} or more restrictive, + If the permissions of the at.deny file are not set to {{{ target_perms_octal }}} or more restrictive, the possibility exists for an unauthorized user to view or edit sensitive information. severity: medium -identifiers: - cce@rhel8: CCE-86903-2 - cce@rhel9: CCE-86904-0 - cce@rhel10: CCE-90283-3 - cce@sle12: CCE-91689-0 - cce@sle15: CCE-91319-4 - cce@slmicro5: CCE-93926-4 - -references: - cis@sle12: 5.1.9 - cis@sle15: 5.1.9 - cis@slmicro5: 5.1.9 - cis@ubuntu2004: 5.1.9 - cis@ubuntu2204: 5.1.9 - -ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/at.allow", perms=target_perms) }}}' +ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/at.deny", perms=target_perms) }}}' ocil: |- - {{{ ocil_file_permissions(file="/etc/at.allow", perms=target_perms) }}} + {{{ ocil_file_permissions(file="/etc/at.deny", perms=target_perms) }}} template: name: file_permissions vars: - filepath: /etc/at.allow + filepath: /etc/at.deny missing_file_pass: 'true' filemode: '{{{ target_perms_octal }}}' 
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_deny/tests/missing_file_test.pass.sh b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_deny/tests/missing_file_test.pass.sh index 1728fa0789c..80cb6e85925 100644 --- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_deny/tests/missing_file_test.pass.sh +++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_deny/tests/missing_file_test.pass.sh @@ -1,4 +1,4 @@ #!/bin/bash # -rm -f /etc/at.allow +rm -f /etc/at.deny From e5144455ebb9b89fd29c5583bf9e85746ee206a1 Mon Sep 17 00:00:00 2001 From: Eric Berry Date: Fri, 13 Dec 2024 14:50:19 -0800 Subject: [PATCH 4/5] Ubuntu 24.04 2.4.2.1 Ensure at is retricted to authorized users --- controls/cis_ubuntu2404.yml | 9 ++--- .../file_at_allow_exists/rule.yml | 6 ++-- .../file_at_deny_exists/rule.yml | 35 ------------------- .../file_at_deny_exists/tests/dne.fail.sh | 2 -- .../file_at_deny_exists/tests/exists.pass.sh | 2 -- .../file_groupowner_at_allow/rule.yml | 1 - .../file_groupowner_at_deny/rule.yml | 1 - .../file_owner_at_allow/rule.yml | 1 - .../file_owner_at_deny/rule.yml | 1 - .../file_permissions_at_allow/rule.yml | 1 - .../file_permissions_at_deny/rule.yml | 1 - 11 files changed, 7 insertions(+), 53 deletions(-) delete mode 100644 linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_exists/rule.yml delete mode 100644 linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_exists/tests/dne.fail.sh delete mode 100644 linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_exists/tests/exists.pass.sh diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml index b74496ee6bd..c8e555d032e 100644 --- a/controls/cis_ubuntu2404.yml +++ b/controls/cis_ubuntu2404.yml 
@@ -1096,11 +1096,12 @@ controls: - file_owner_at_allow - file_permissions_at_allow - file_at_deny_not_exist - - '!file_at_deny_exists' - - '!file_groupowner_at_deny' - - '!file_owner_at_deny' - - '!file_permissions_at_deny' + - file_groupowner_at_deny + - file_owner_at_deny + - file_permissions_at_deny status: automated + notes: file_owner_at_deny and file_owner_at_allow currently require root as owner + and don't accept daemon - id: 3.1.1 title: Ensure IPv6 status is identified (Manual) diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_allow_exists/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_allow_exists/rule.yml index c8130426c4a..51e89f297c8 100644 --- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_allow_exists/rule.yml +++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_allow_exists/rule.yml @@ -8,10 +8,8 @@ description: |- of /etc/at.deny. rationale: |- - On many systems, only the system administrator is authorized to schedule at jobs. - Using the at.allow file to control who can run at jobs enforces this policy. It is easier - to manage an allow list than a deny list. In a deny list, you could potentially add a user - ID to the system and forget to add it to the deny files. + Using the at.allow file to control who can run at jobs enforces this who can schedule jobs. + It is easier to manage an allow list than a deny list. severity: medium diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_exists/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_exists/rule.yml deleted file mode 100644 index 91f94578e48..00000000000 --- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_exists/rule.yml +++ /dev/null 
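Review bot: The new `notes:` line attributes the daemon gap to file_owner_at_deny and file_owner_at_allow, but the benchmark (as I recall) wants owner root with group daemon or root, and on Ubuntu the at package ships these files as root:daemon, so the rules that reject a compliant system are file_groupowner_at_allow and file_groupowner_at_deny (`gid_or_name: '0'`), not the owner rules. With `status: automated`, a known false positive on a stock install should be stated plainly, e.g. `notes: file_groupowner_at_allow/at_deny require group root; CIS also accepts group daemon, which is the Ubuntu default.` Also, this patch keeps `file_at_deny_not_exist` while turning the negated at_deny selections into plain ones and removing `missing_file_pass` from those rules, so at this point the control asks for /etc/at.deny to be both absent and correctly permissioned, which no host can satisfy.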
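Review bot: The rewritten rationale reads `enforces this who can schedule jobs`, which is ungrammatical, and it drops the one argument that actually motivates an allow list: a deny list fails open for accounts created after the list was written. I would write `Using /etc/at.allow restricts at scheduling to an explicit, administrator-maintained list of users. A deny list fails open: an account created later can use at until someone remembers to add it to /etc/at.deny.` The rest of the rule (title, description, template) is outside this hunk.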
@@ -1,35 +0,0 @@ -documentation_complete: true - - -title: Ensure that /etc/at.deny exists - -description: |- - The file /etc/at.access should exist and should be used instead - of /etc/at.deny. But if at.deny is used, it should exist and have the correct - permisisons and owner. - -rationale: |- - On many systems, only the system administrator is authorized to schedule at jobs. - Using the at.deny file to control who can run at jobs enforces this policy. It is easier - to manage an deny list than a deny list. In a deny list, you could potentially add a user - ID to the system and forget to add it to the deny files. - -severity: medium - -ocil_clause: 'the file /etc/at.deny exists' - -ocil: |- - The file /etc/at.deny should exist. - This can be checked by running the following command: -
-    stat /etc/at.deny
-    
- and the output should list the file. - -template: - name: file_existence - vars: - filepath: /etc/at.deny - exists: true - fileuid: "0" - filemode: "0640" diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_exists/tests/dne.fail.sh b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_exists/tests/dne.fail.sh deleted file mode 100644 index 3047d1320b0..00000000000 --- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_exists/tests/dne.fail.sh +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/bash -rm -rf /etc/at.deny diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_exists/tests/exists.pass.sh b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_exists/tests/exists.pass.sh deleted file mode 100644 index e07c588e8ed..00000000000 --- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_deny_exists/tests/exists.pass.sh +++ /dev/null @@ -1,2 +0,0 @@ -#!/bin/bash -touch /etc/at.deny diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml index 8f733aa019d..07db06b33ca 100644 --- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml +++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_allow/rule.yml @@ -36,5 +36,4 @@ template: name: file_groupowner vars: filepath: /etc/at.allow - missing_file_pass: 'true' gid_or_name: '0' diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_deny/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_deny/rule.yml index 0e731d87237..9a90e94c39e 100644 --- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_deny/rule.yml 
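Review bot: Dropping `missing_file_pass: 'true'` from file_groupowner_at_allow changes the rule for every product that selects it (the at_allow rules carry CCEs for rhel8/9/10, sle12/15 and slmicro5 and CIS references for ubuntu2004/2204, judging by the copies made earlier in this series), not only the new Ubuntu 24.04 control, and the description outside this hunk presumably still says `If /etc/at.allow exists, it must be group-owned by root.`, which no longer matches. For the Ubuntu control the stricter check is redundant, since file_at_allow_exists is selected alongside it; for the other profiles please confirm none of them intends to permit an at.deny-only setup, or keep the var and leave existence to file_at_allow_exists. The same applies to the file_owner_at_allow and file_permissions_at_allow hunks that follow; only the template block of each rule is visible here.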
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_deny/rule.yml @@ -21,5 +21,4 @@ template: name: file_groupowner vars: filepath: /etc/at.deny - missing_file_pass: 'true' gid_or_name: '0' diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml index 2cf0d40ad79..a36b945c3fb 100644 --- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml +++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_allow/rule.yml @@ -37,5 +37,4 @@ template: name: file_owner vars: filepath: /etc/at.allow - missing_file_pass: 'true' fileuid: '0' diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_deny/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_deny/rule.yml index 738f67c1f05..46ea7880ffb 100644 --- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_deny/rule.yml +++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_deny/rule.yml @@ -23,5 +23,4 @@ template: name: file_owner vars: filepath: /etc/at.deny - missing_file_pass: 'true' fileuid: '0' diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml index be2309d6766..8cb4b701059 100644 --- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml +++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_allow/rule.yml @@ -46,5 +46,4 @@ template: name: file_permissions vars: filepath: /etc/at.allow - missing_file_pass: 'true' filemode: '{{{ target_perms_octal }}}' 
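Review bot: Removing `missing_file_pass: 'true'` makes a host with no /etc/at.deny fail file_groupowner_at_deny (assuming the template default is false), yet the rule's own description on the new side of the previous patch still reads `If /etc/at.deny exists, it must be group-owned by root.`, and the at_allow rule in this series says at.allow `should be used instead of /etc/at.deny`, so the recommended hardened state now fails the rule. Keep `missing_file_pass: 'true'` in the three at_deny rules, or rewrite their description and rationale to say the file is mandatory; the same point applies to the file_owner_at_deny hunk on this line and the file_permissions_at_deny hunk that follows. Only the template block of each rule is within the hunk.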
diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_deny/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_deny/rule.yml index 332cf43f736..553b342b240 100644 --- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_deny/rule.yml +++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_deny/rule.yml @@ -31,5 +31,4 @@ template: name: file_permissions vars: filepath: /etc/at.deny - missing_file_pass: 'true' filemode: '{{{ target_perms_octal }}}' From 7122ad9f00e7690c6e855049e311cb01d1359be0 Mon Sep 17 00:00:00 2001 From: Eric Berry Date: Tue, 17 Dec 2024 10:35:07 -0800 Subject: [PATCH 5/5] Ubuntu 24.04 2.4.2.1 Ensure at is retricted to authorized users --- components/cronie.yml | 1 - controls/cis_ubuntu2404.yml | 1 - 2 files changed, 2 deletions(-) diff --git a/components/cronie.yml b/components/cronie.yml index d5e7993dbf0..37264a89ac1 100644 --- a/components/cronie.yml +++ b/components/cronie.yml @@ -7,7 +7,6 @@ packages: rules: - disable_anacron - file_at_allow_exists -- file_at_deny_exists - file_at_deny_not_exist - file_cron_allow_exists - file_cron_deny_not_exist diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml index c8e555d032e..5f43fda9f10 100644 --- a/controls/cis_ubuntu2404.yml +++ b/controls/cis_ubuntu2404.yml @@ -1095,7 +1095,6 @@ controls: - file_groupowner_at_allow - file_owner_at_allow - file_permissions_at_allow - - file_at_deny_not_exist - file_groupowner_at_deny - file_owner_at_deny - file_permissions_at_deny
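Review bot: After this hunk removes `missing_file_pass: 'true'`, `tests/missing_file_test.pass.sh` (changed earlier in the series to `rm -f /etc/at.deny`) still expects a missing /etc/at.deny to pass; if the file_permissions template defaults missing_file_pass to false, that test now fails in CI. Either keep the var, or rename the test to `missing_file_test.fail.sh` and add a pass test of `touch /etc/at.deny; chown root:root /etc/at.deny; chmod 0640 /etc/at.deny` so the rule's expectation is exercised both ways.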
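Review bot: With `file_at_deny_not_exist` dropped here and `missing_file_pass` removed from the at_deny rules in the previous patch, control 2.4.2.1 now passes only when both /etc/at.allow and /etc/at.deny exist as root-owned 0640 files, which is neither what CIS asks for (at.allow present; at.deny absent or, if present, correctly permissioned, as I recall it) nor what the file_at_allow_exists description promises. The benchmark maps cleanly onto file_at_allow_exists, the three at_allow rules, and the three at_deny rules with `missing_file_pass: 'true'`; selecting those and leaving `file_at_deny_not_exist` out would make the control coherent. As written, remediating a host toward the at.allow-only state this rule set recommends makes it fail its own profile.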