Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add new rule file_cron_allow_exists #11441

Merged
merged 3 commits into from
Jan 11, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions components/cronie.yml
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,7 @@ packages:
rules:
- disable_anacron
- file_at_deny_not_exist
- file_cron_allow_exists
- file_cron_deny_not_exist
- file_owner_cron_deny
- file_groupowner_cron_deny
Expand Down
1 change: 1 addition & 0 deletions controls/cis_rhel7.yml
Original file line number Diff line number Diff line change
Expand Up @@ -1749,6 +1749,7 @@ controls:
status: automated
rules:
- file_groupowner_cron_allow
- file_cron_allow_exists
- file_owner_cron_allow
- file_cron_deny_not_exist
- file_permissions_cron_allow
Expand Down
1 change: 1 addition & 0 deletions controls/cis_rhel8.yml
Original file line number Diff line number Diff line change
Expand Up @@ -1954,6 +1954,7 @@ controls:
status: automated
rules:
- file_cron_deny_not_exist
- file_cron_allow_exists
- file_groupowner_cron_allow
- file_owner_cron_allow
- file_permissions_cron_allow
Expand Down
1 change: 1 addition & 0 deletions controls/cis_rhel9.yml
Original file line number Diff line number Diff line change
Expand Up @@ -1800,6 +1800,7 @@ controls:
status: automated
rules:
- file_cron_deny_not_exist
- file_cron_allow_exists
- file_groupowner_cron_allow
- file_owner_cron_allow
- file_permissions_cron_allow
Expand Down
2 changes: 2 additions & 0 deletions docs/templates/template_reference.md
Original file line number Diff line number Diff line change
Expand Up @@ -249,6 +249,8 @@
- Parameters:
- **filepath** - File path to be checked.
- **exists** - If set to `true` the check will fail if the file doesn't exist and vice versa for `false`.
- **fileuid** - (optional) user ID (UID) of the file created by remediations
- **filemode** - (optional) file permissions of the file created by remediations, use in a hexadecimal format, eg. =`'0640'`

- Languages: Ansible, Bash, OVAL

Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
documentation_complete: true

prodtype: rhel7,rhel8,rhel9

title: Ensure that /etc/cron.allow exists

description: |-
The file <tt>/etc/cron.allow</tt> should exist and should be used instead
of <tt>/etc/cron.deny</tt>.

rationale: |-
Access to <tt>crontab</tt> should be restricted.
It is easier to manage an allow list than a deny list.
Therefore, <tt>/etc/cron.allow</tt> needs to be created and used instead of <tt>/etc/cron.deny</tt>.
Regardless of the existence of any of these files, the root administrative user is always allowed to setup a crontab.

severity: medium

identifiers:
cce@rhel7: CCE-86183-1
cce@rhel8: CCE-86184-9
cce@rhel9: CCE-86185-6

references:
cis@rhel7: 5.1.8
cis@rhel8: 5.1.8
cis@rhel9: 5.1.8

ocil_clause: 'the file /etc/cron.allow does not exist'

ocil: |-
The file <tt>/etc/cron.allow</tt> should exist.
This can be checked by running the following command:
<pre>
stat /etc/cron.allow
</pre>
and the output should list the file.

template:
name: file_existence
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be great to extend this template to also accept mode and ownership properties as parameters for the remediation when creating the file. This would avoid the rules file_groupowner_cron_allow, file_owner_cron_allow and file_permissions_cron_allow to fail after creating the file.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, that'd be amazing!

vars:
filepath: /etc/cron.allow
exists: true
fileuid: "0"
filemode: "0600"
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
#!/bin/bash
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is the name dne.fail.sh intentional? Maybe we can rename the file to more easily reflect the test?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

dne is acronym for "does not exist"

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah ok. Thanks. It was not obvious to me. : ) So, all fine to keep this name if you prefer.

rm -rf /etc/cron.allow
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
#!/bin/bash
touch /etc/cron.allow
3 changes: 0 additions & 3 deletions shared/references/cce-redhat-avail.txt
Original file line number Diff line number Diff line change
Expand Up @@ -33,9 +33,6 @@ CCE-86178-1
CCE-86179-9
CCE-86180-7
CCE-86181-5
CCE-86183-1
CCE-86184-9
CCE-86185-6
CCE-86186-4
CCE-86187-2
CCE-86188-0
Expand Down
6 changes: 6 additions & 0 deletions shared/templates/file_existence/ansible.template
Original file line number Diff line number Diff line change
Expand Up @@ -15,4 +15,10 @@
file:
path: {{{ FILEPATH }}}
state: touch
{{%- if FILEUID %}}
owner: "{{{ FILEUID }}}"
{{%- endif %}}
{{%- if FILEMODE %}}
mode: "{{{ FILEMODE }}}"
{{%- endif %}}
{{% endif %}}
8 changes: 6 additions & 2 deletions shared/templates/file_existence/bash.template
Original file line number Diff line number Diff line change
@@ -1,15 +1,19 @@
#!/bin/bash
# platform = multi_platform_all
# reboot = false
# strategy = disable
# complexity = low
# disruption = low


{{% if not EXISTS %}}
if [[ -f {{{ FILEPATH }}} ]]; then
rm {{{ FILEPATH }}}
fi
{{% else %}}
touch {{{ FILEPATH }}}
{{%- if FILEUID %}}
chown {{{ FILEUID }}} {{{ FILEPATH }}}
{{%- endif %}}
{{%- if FILEMODE %}}
chmod {{{ FILEMODE }}} {{{ FILEPATH }}}
{{%- endif %}}
{{% endif %}}
Loading