Merge pull request ComplianceAsCode#11441 from jan-cerny/RHEL-1314

Add new rule file_cron_allow_exists
vojtapolasek · Jan 11, 2024 · 69fcc7d · 69fcc7d
2 parents 9c97ffb + ed654d2
commit 69fcc7d
Show file tree

Hide file tree

Showing 11 changed files with 67 additions and 5 deletions.
diff --git a/components/cronie.yml b/components/cronie.yml
@@ -7,6 +7,7 @@ packages:
 rules:
 - disable_anacron
 - file_at_deny_not_exist
+- file_cron_allow_exists
 - file_cron_deny_not_exist
 - file_owner_cron_deny
 - file_groupowner_cron_deny

diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml
@@ -1749,6 +1749,7 @@ controls:
     status: automated
     rules:
     - file_groupowner_cron_allow
+    - file_cron_allow_exists
     - file_owner_cron_allow
     - file_cron_deny_not_exist
     - file_permissions_cron_allow

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
@@ -1954,6 +1954,7 @@ controls:
     status: automated
     rules:
       - file_cron_deny_not_exist
+      - file_cron_allow_exists
       - file_groupowner_cron_allow
       - file_owner_cron_allow
       - file_permissions_cron_allow

diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml
@@ -1800,6 +1800,7 @@ controls:
     status: automated
     rules:
       - file_cron_deny_not_exist
+      - file_cron_allow_exists
       - file_groupowner_cron_allow
       - file_owner_cron_allow
       - file_permissions_cron_allow

diff --git a/docs/templates/template_reference.md b/docs/templates/template_reference.md
@@ -249,6 +249,8 @@
 - Parameters:
     - **filepath** - File path to be checked.
     - **exists** - If set to `true` the check will fail if the file doesn't exist and vice versa for `false`.
+    - **fileuid** - (optional) user ID (UID) of the file created by remediations
+    - **filemode** - (optional) file permissions of the file created by remediations, use in a hexadecimal format, eg. =`'0640'`
 
 - Languages: Ansible, Bash, OVAL
 

diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_allow_exists/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_allow_exists/rule.yml
@@ -0,0 +1,45 @@
+documentation_complete: true
+
+prodtype: rhel7,rhel8,rhel9
+
+title: Ensure that /etc/cron.allow exists
+
+description: |-
+    The file <tt>/etc/cron.allow</tt> should exist and should be used instead
+    of <tt>/etc/cron.deny</tt>.
+
+rationale: |-
+    Access to <tt>crontab</tt> should be restricted.
+    It is easier to manage an allow list than a deny list.
+    Therefore, <tt>/etc/cron.allow</tt> needs to be created and used instead of <tt>/etc/cron.deny</tt>.
+    Regardless of the existence of any of these files, the root administrative user is always allowed to setup a crontab.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: CCE-86183-1
+    cce@rhel8: CCE-86184-9
+    cce@rhel9: CCE-86185-6
+
+references:
+    cis@rhel7: 5.1.8
+    cis@rhel8: 5.1.8
+    cis@rhel9: 5.1.8
+
+ocil_clause: 'the file /etc/cron.allow does not exist'
+
+ocil: |-
+    The file <tt>/etc/cron.allow</tt> should exist.
+    This can be checked by running the following command:
+    <pre>
+    stat /etc/cron.allow
+    </pre>
+    and the output should list the file.
+
+template:
+    name: file_existence
+    vars:
+        filepath: /etc/cron.allow
+        exists: true
+        fileuid: "0"
+        filemode: "0600"
diff --git a/...uide/services/cron_and_at/restrict_at_cron_users/file_cron_allow_exists/tests/dne.fail.sh b/...uide/services/cron_and_at/restrict_at_cron_users/file_cron_allow_exists/tests/dne.fail.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+rm -rf /etc/cron.allow
diff --git a/...e/services/cron_and_at/restrict_at_cron_users/file_cron_allow_exists/tests/exists.pass.sh b/...e/services/cron_and_at/restrict_at_cron_users/file_cron_allow_exists/tests/exists.pass.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+touch /etc/cron.allow
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -33,9 +33,6 @@ CCE-86178-1
 CCE-86179-9
 CCE-86180-7
 CCE-86181-5
-CCE-86183-1
-CCE-86184-9
-CCE-86185-6
 CCE-86186-4
 CCE-86187-2
 CCE-86188-0

diff --git a/shared/templates/file_existence/ansible.template b/shared/templates/file_existence/ansible.template
@@ -15,4 +15,10 @@
   file:
       path: {{{ FILEPATH }}}
       state: touch
+    {{%- if FILEUID %}}
+      owner: "{{{ FILEUID }}}"
+    {{%- endif %}}
+    {{%- if FILEMODE %}}
+      mode: "{{{ FILEMODE }}}"
+    {{%- endif %}}
 {{% endif %}}
diff --git a/shared/templates/file_existence/bash.template b/shared/templates/file_existence/bash.template
@@ -1,15 +1,19 @@
-#!/bin/bash
 # platform = multi_platform_all
 # reboot = false
 # strategy = disable
 # complexity = low
 # disruption = low
 
-
 {{% if not EXISTS %}}
     if [[ -f  {{{ FILEPATH }}} ]]; then
         rm {{{ FILEPATH }}}
     fi
 {{% else %}}
     touch {{{ FILEPATH }}}
+    {{%- if FILEUID %}}
+    chown {{{ FILEUID }}} {{{ FILEPATH }}}
+    {{%- endif %}}
+    {{%- if FILEMODE %}}
+    chmod {{{ FILEMODE }}} {{{ FILEPATH }}}
+    {{%- endif %}}
 {{% endif %}}