Add new rule file_cron_allow_exists #11441
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,45 @@ | ||
documentation_complete: true | ||
|
||
prodtype: rhel7,rhel8,rhel9 | ||
|
||
title: Ensure that /etc/cron.allow exists | ||
|
||
description: |- | ||
The file <tt>/etc/cron.allow</tt> should exist and should be used instead | ||
of <tt>/etc/cron.deny</tt>. | ||
|
||
rationale: |- | ||
Access to <tt>crontab</tt> should be restricted. | ||
It is easier to manage an allow list than a deny list. | ||
Therefore, <tt>/etc/cron.allow</tt> needs to be created and used instead of <tt>/etc/cron.deny</tt>. | ||
Regardless of the existence of any of these files, the root administrative user is always allowed to setup a crontab. | ||
|
||
severity: medium | ||
|
||
identifiers: | ||
cce@rhel7: CCE-86183-1 | ||
cce@rhel8: CCE-86184-9 | ||
cce@rhel9: CCE-86185-6 | ||
|
||
references: | ||
cis@rhel7: 5.1.8 | ||
cis@rhel8: 5.1.8 | ||
cis@rhel9: 5.1.8 | ||
|
||
ocil_clause: 'the file /etc/cron.allow does not exist' | ||
|
||
ocil: |- | ||
The file <tt>/etc/cron.allow</tt> should exist. | ||
This can be checked by running the following command: | ||
<pre> | ||
stat /etc/cron.allow | ||
</pre> | ||
and the output should list the file. | ||
|
||
template: | ||
name: file_existence | ||
vars: | ||
filepath: /etc/cron.allow | ||
exists: true | ||
fileuid: "0" | ||
filemode: "0600" |
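Review bot: the description and rationale say /etc/cron.allow "should be used instead of /etc/cron.deny", but the file_existence template as parameterized here only checks that /etc/cron.allow exists with uid 0 and mode 0600; a leftover /etc/cron.deny is never flagged. Either narrow the wording to what is actually evaluated or pair this rule with one that checks /etc/cron.deny is absent. Minor: "allowed to setup a crontab" in the rationale should read "set up".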
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
#!/bin/bash | ||
Is the name

dne is acronym for "does not exist"

Ah ok. Thanks. It was not obvious to me. : ) So, all fine to keep this name if you prefer.
||
rm -rf /etc/cron.allow |
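Review bot: `rm -rf` is more than this scenario needs; /etc/cron.allow is a regular file, so `rm -f /etc/cron.allow` removes it (and tolerates its absence) without the recursive flag, which only matters if the path unexpectedly resolves to a directory.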
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
#!/bin/bash | ||
touch /etc/cron.allow |
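Review bot: this passing scenario creates the file with whatever the umask yields (typically 0644 for root) and sets no mode, while the rule passes `fileuid: "0"` and `filemode: "0600"` to the template; if file_existence evaluates those vars, the scenario will not reflect a compliant state. Suggest `touch /etc/cron.allow` followed by `chmod 0600 /etc/cron.allow` (and `chown 0` if the test runner is not root).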
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,15 +1,19 @@ | ||
#!/bin/bash | ||
# platform = multi_platform_all | ||
# reboot = false | ||
# strategy = disable | ||
# complexity = low | ||
# disruption = low | ||
|
||
|
||
{{% if not EXISTS %}} | ||
if [[ -f {{{ FILEPATH }}} ]]; then | ||
rm {{{ FILEPATH }}} | ||
fi | ||
{{% else %}} | ||
touch {{{ FILEPATH }}} | ||
{{%- if FILEUID %}} | ||
chown {{{ FILEUID }}} {{{ FILEPATH }}} | ||
{{%- endif %}} | ||
{{%- if FILEMODE %}} | ||
chmod {{{ FILEMODE }}} {{{ FILEPATH }}} | ||
{{%- endif %}} | ||
{{% endif %}} |
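Review bot: the new `{{%- if FILEUID %}}` guard is evaluated by Jinja, where an unquoted integer 0 is false; the rule above gets it right with `fileuid: "0"`, but a short comment in the template would save the next rule author from a silently skipped chown. Separately, `touch` creates the file with the umask default mode before `chmod {{{ FILEMODE }}}` tightens it; wrapping the creation as `( umask 077; touch {{{ FILEPATH }}} )` when FILEMODE is set closes that window.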
It would be great to extend this template to also accept mode and ownership properties as parameters for the remediation when creating the file. This would avoid the rules file_groupowner_cron_allow, file_owner_cron_allow and file_permissions_cron_allow failing after creating the file.

yes, that'd be amazing!
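As an added example (my own code, not part of this PR or the ComplianceAsCode project), here is a stand-alone bash check and remediation for the three parameters the rule feeds the template (file path, owner uid, mode), taking the path as an argument so it can be exercised on a scratch file rather than /etc/cron.allow; it assumes GNU coreutils `stat -c`.

```shell
#!/bin/bash
# Added example: check + fix for a "file must exist with owner UID and mode"
# rule, parameterized by path. Assumes GNU stat (Linux); run on a scratch path.

# check_file PATH UID MODE
# Returns 0 only if PATH is a regular file owned by UID with exactly MODE.
check_file() {
    local path="$1" want_uid="$2" want_mode="$3"
    [ -f "$path" ] || return 1
    local have_uid have_mode
    have_uid=$(stat -c '%u' "$path") || return 1
    have_mode=$(stat -c '%a' "$path") || return 1
    [ "$have_uid" = "$want_uid" ] || return 1
    # stat prints "600", the rule writes "0600": drop one leading zero on each
    [ "${have_mode#0}" = "${want_mode#0}" ]
}

# remediate_file PATH UID MODE
# Creates the file under umask 077 so it never exists with a permissive mode,
# then pins owner and mode (same end state the template's chown/chmod produce).
remediate_file() {
    local path="$1" uid="$2" mode="$3"
    if [ ! -f "$path" ]; then
        ( umask 077; touch "$path" ) || return 1
    fi
    chown "$uid" "$path" && chmod "$mode" "$path"
}

# Usage on a constructed scratch path (as the current user, not uid 0):
#   p=$(mktemp -d)/cron.allow
#   check_file "$p" "$(id -u)" 0600 || remediate_file "$p" "$(id -u)" 0600
```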