ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

Problem with rule "Verify Group Who Owns /etc/cron.allow file" #11898

Closed marcofortina closed 6 months ago

marcofortina commented 6 months ago

Description of problem:

Following the remediation script for this rule will produce an error for users allowed to run cron.

SCAP Security Guide Version:

master branch

Operating System Version:

Ubuntu 22.04 LTS

Steps to Reproduce:

  1. Set permissions on /etc/cron.allow:
root@ubuntu:~# chown root:root /etc/cron.allow 
root@ubuntu:~# chmod u-x,g-wx,o-rwx /etc/cron.allow

root@ubuntu:~# stat /etc/cron.allow
  File: /etc/cron.allow
  Size: 0           Blocks: 0          IO Block: 4096   regular empty file
Device: fd00h/64768d    Inode: 132969      Links: 1
Access: (0640/-rw-r-----)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2024-04-25 23:39:20.627379836 +0000
Modify: 2024-04-25 23:39:20.627379836 +0000
Change: 2024-04-26 10:55:41.546259651 +0000
 Birth: 2024-04-25 23:39:20.627379836 +0000
  2. Execute the oscap check for this rule:
root@ubuntu:~# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_level2_server --rule xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow ssg-ubuntu2204-ds.xml

Title   Verify Group Who Owns /etc/cron.allow file
Rule    xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow
Result  pass
  3. Allow ubuntu user to run cron:
root@ubuntu:~# cat /etc/cron.allow
ubuntu
  4. As user ubuntu try to edit its own crontab:
root@ubuntu:~# su - ubuntu
ubuntu@ubuntu:~$ crontab -l
/etc/cron.allow: Permission denied
You (ubuntu) are not allowed to use this program (crontab)
See crontab(1) for more information

Additional Information/Debugging Steps:

File /etc/cron.allow should be owned by the group crontab:

root@ubuntu:~# chgrp crontab /etc/cron.allow
root@ubuntu:~# stat /etc/cron.allow
  File: /etc/cron.allow
  Size: 7           Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d    Inode: 133448      Links: 1
Access: (0640/-rw-r-----)  Uid: (    0/    root)   Gid: (  112/ crontab)
Access: 2024-04-26 10:59:03.022526578 +0000
Modify: 2024-04-26 10:58:58.678522461 +0000
Change: 2024-04-26 11:03:44.074679809 +0000
 Birth: 2024-04-26 10:58:58.678522461 +0000
root@ubuntu:~# su - ubuntu
ubuntu@ubuntu:~$ crontab -l
no crontab for ubuntu

Ticket 21619 was also opened with the CIS WorkBench community.
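The mismatch in this report (the rule expects group root, but the Ubuntu crontab binary runs setgid as group crontab, so a 0640 root:root file locks users out) can be checked without hardcoding either a group name or a GID. The script below is an added example, not part of this issue or of the ComplianceAsCode content; it assumes GNU stat, a crontab binary at /usr/bin/crontab, and all function names are my own.

```bash
#!/bin/bash
# Added example, not code from the ComplianceAsCode project: derive the group
# that /etc/cron.allow must be readable by from the crontab binary itself
# instead of hardcoding "root" or a GID. Assumes GNU stat, that a setuid crontab
# is owned by root (cronie) and that a setgid-only crontab runs with its own
# group (Debian/Ubuntu "crontab"). Values in the checks below are constructed.

# Print the group cron.allow must be readable by, given the crontab binary's
# octal mode (as printed by "stat -c %a") and its group name.
required_cron_allow_group() {
  local mode=$1 group=$2
  case "$mode" in
    [4567][0-7][0-7][0-7]) echo root ;;      # setuid root: reads as root
    [23][0-7][0-7][0-7])   echo "$group" ;;  # setgid only: reads with the binary's group
    *)                     echo root ;;      # no special bits (unusual): keep the rule's default
  esac
}

# Return 0 if a process running as an unprivileged user with effective group
# READER_GROUP can read a file with octal MODE that is group-owned by FILE_GROUP.
# Owner bits are ignored (the file is root-owned, the reader is not root);
# an effective group of root means the binary runs as root, which bypasses mode bits.
cron_allow_readable() {
  local mode=$1 file_group=$2 reader_group=$3
  [ "$reader_group" = root ] && return 0
  local other=${mode#"${mode%?}"}         # last octal digit: other permissions
  local rest=${mode%?}
  local group=${rest#"${rest%?}"}         # second-to-last digit: group permissions
  case "$other" in [4-7]) return 0 ;; esac
  case "$group" in [4-7]) [ "$file_group" = "$reader_group" ] && return 0 ;; esac
  return 1
}

# Live check against this system: prints a verdict and returns 1 on lockout risk.
check_system() {
  local allow=${1:-/etc/cron.allow} bin=${2:-/usr/bin/crontab}
  [ -e "$allow" ] && [ -e "$bin" ] || { echo "nothing to check: $allow or $bin missing"; return 0; }
  local want
  want=$(required_cron_allow_group "$(stat -c %a "$bin")" "$(stat -c %G "$bin")")
  if cron_allow_readable "$(stat -c %a "$allow")" "$(stat -c %G "$allow")" "$want"; then
    echo "ok: $allow ($(stat -c '%a %U:%G' "$allow")) is readable by group $want"
  else
    echo "lockout risk: $allow ($(stat -c '%a %U:%G' "$allow")) is not readable by group $want, which $bin runs as"
    return 1
  fi
}

# Run the live check only when asked, so the functions can also be sourced.
if [ "${1:-}" = live ]; then check_system "$2" "$3"; fi
```

Run it as `bash check_cron_allow.sh live` on the affected host; on the 0640 root:root file from this report it prints the lockout-risk line, and after `chgrp crontab /etc/cron.allow` it prints ok.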

marcofortina commented 6 months ago

I did some tests and it seems this should fix this issue:

diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml
index d7ba7b7b18..031c7bfbd3 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml
@@ -3,12 +3,18 @@ documentation_complete: true

 title: 'Verify Group Who Owns /etc/cron.allow file'

+{{% if "ubuntu" in product %}}
+    {{% set target_group="crontab" %}}
+{{% else %}}
+    {{% set target_group="root" %}}
+{{% endif %}}
+
 description: |-
-    If <tt>/etc/cron.allow</tt> exists, it must be group-owned by <tt>root</tt>.
-    {{{ describe_file_group_owner(file="/etc/cron.allow", group="root") }}}
+    If <tt>/etc/cron.allow</tt> exists, it must be group-owned by <tt>target_group</tt>.
+    {{{ describe_file_group_owner(file="/etc/cron.allow", group=target_group) }}}

 rationale: |-
-    If the owner of the cron.allow file is not set to root, the possibility exists for an
+    If the owner of the cron.allow file is not set to target_group, the possibility exists for an
     unauthorized user to view or edit sensitive information.

 severity: medium
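Review bot: in the description and rationale lines, `target_group` is written as literal text (`<tt>target_group</tt>` and `is not set to target_group`), so the rendered rule will tell the reader the file must be group-owned by "target_group" rather than by crontab or root. The expression syntax already used on the neighbouring lines, `{{{ ... }}}`, is needed there too, e.g. `<tt>{{{ target_group }}}</tt>` and `is not set to {{{ target_group }}}`; only the macro calls `describe_file_group_owner(... group=target_group)` receive the variable's value as written.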
@@ -37,14 +43,18 @@ references:
     stigid@ol7: OL07-00-021120
     stigid@rhel7: RHEL-07-021120

-ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/cron.allow", group="root") }}}'
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/cron.allow", group=target_group) }}}'

 ocil: |-
-    {{{ ocil_file_group_owner(file="/etc/cron.allow", group="root") }}}
+    {{{ ocil_file_group_owner(file="/etc/cron.allow", group=target_group) }}}

 template:
     name: file_groupowner
     vars:
         filepath: /etc/cron.allow
         missing_file_pass: 'true'
+{{% if "ubuntu" in product %}}
+        gid_or_name: '112'
+{{% else %}}
         gid_or_name: '0'
+{{% endif %}}
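Review bot: `gid_or_name: '112'` hardcodes a numeric GID that is only known to be correct on the reporter's machine (the stat output above shows `Gid: (  112/ crontab)` there); crontab is a system group whose number can differ between installs, so the check would pass or fail depending on the local /etc/group. Since the variable is named gid_or_name, passing the name instead (`gid_or_name: 'crontab'`, or `gid_or_name: '{{{ target_group }}}'` to share the single definition introduced at the top of the file) avoids that and keeps the template consistent with the description, rationale and OCIL text.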

I will create a PR for this.

dodys commented 6 months ago

@marcofortina thanks for reporting this. I believe this is an issue with CIS on Ubuntu 22.04 only; they seem to have already fixed it in CIS for Ubuntu 20.04. Nevertheless we can apply the fix here for both.