Closed Wykx-Sama closed 2 months ago
hi @Wykx-Sama
Thank you for taking the time to raise the issue and the associated PR. Going through the associated CIS documentation for these controls, it provides a remediation script. Admittedly we all get things wrong occasionally, but we have been seeing an increase in issues with scanners not following documented control baselines. Out of interest, which scanner are you using?

The component for both cron.allow 5.1.8 and at.allow 5.1.9 has the line (excerpt; larger output below):

```bash
chmod u-x,go-rwx /etc/cron.allow
```

which gives the value 600.

So it appears the scanner is not as expected.
I hope that this makes sense.
many thanks
uk-bolly
Remediation Procedure

Run the following script to remove /etc/cron.deny, create /etc/cron.allow, and set the file mode on /etc/cron.allow:

```bash
#!/usr/bin/env bash
{
    if rpm -q cronie >/dev/null; then
        [ -e /etc/cron.deny ] && rm -f /etc/cron.deny
        [ ! -e /etc/cron.allow ] && touch /etc/cron.allow
        chown root:root /etc/cron.allow
        chmod u-x,go-rwx /etc/cron.allow
    else
        echo "cron is not installed on the system"
    fi
}
```
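The disagreement in this thread comes down to what `chmod u-x,go-rwx` actually leaves on the file. The Python below is an added example, not code from the issue, the role or the CIS benchmark: it implements the subset of chmod(1) symbolic syntax that the remediation clause uses, applies that clause to a few plausible starting modes, and checks a file's on-disk mode against an expected value the way a local verification step would. The function names and the temporary file are assumptions of the example; it never touches /etc/cron.allow.

```python
import os
import stat
import tempfile

# Permission bits per "who" class, as chmod(1) defines them.
_WHO_BITS = {
    "u": {"r": stat.S_IRUSR, "w": stat.S_IWUSR, "x": stat.S_IXUSR},
    "g": {"r": stat.S_IRGRP, "w": stat.S_IWGRP, "x": stat.S_IXGRP},
    "o": {"r": stat.S_IROTH, "w": stat.S_IWOTH, "x": stat.S_IXOTH},
}

# Hypothetical helper (example only): the symbolic clause quoted in the thread.
CIS_CLAUSE = "u-x,go-rwx"


def apply_symbolic_mode(mode: int, spec: str) -> int:
    """Apply a chmod(1) symbolic spec such as "u-x,go-rwx" to a numeric mode.

    Supports who in {u,g,o,a}, ops {+,-,=} and perms {r,w,x}. Omitted "who"
    is treated as "a"; real chmod would also apply the umask in that case,
    which this example deliberately leaves out. setuid/setgid/sticky and the
    special "X" perm are not handled.
    """
    for clause in spec.split(","):
        i = 0
        who = ""
        while i < len(clause) and clause[i] in "ugoa":
            who += clause[i]
            i += 1
        if not who or "a" in who:
            who = "ugo"
        if i >= len(clause) or clause[i] not in "+-=":
            raise ValueError(f"unsupported clause: {clause!r}")
        op, perms = clause[i], clause[i + 1:]
        if any(p not in "rwx" for p in perms):
            raise ValueError(f"unsupported clause: {clause!r}")

        affected = 0
        for w in who:
            for p in perms:
                affected |= _WHO_BITS[w][p]

        if op == "+":
            mode |= affected
        elif op == "-":
            mode &= ~affected
        else:  # "=": clear every rwx bit of the named classes, then set the listed ones
            clear = 0
            for w in who:
                for bits in _WHO_BITS[w].values():
                    clear |= bits
            mode = (mode & ~clear) | affected
    return mode & 0o777


def remediation_result(start_mode: int) -> int:
    """Mode the CIS clause leaves behind, given the mode the file started with."""
    return apply_symbolic_mode(start_mode, CIS_CLAUSE)


def mode_matches(path: str, expected: int) -> bool:
    """Local check in the spirit of a scanner: does the on-disk mode equal expected?"""
    return stat.S_IMODE(os.stat(path).st_mode) == expected


def simulate_remediation_on_tmpfile(start_mode: int = 0o644) -> int:
    """Create a throwaway file, give it start_mode, apply the clause via os.chmod
    and return what the kernel reports afterwards (constructed scenario)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, start_mode)
        os.chmod(path, remediation_result(start_mode))
        return stat.S_IMODE(os.stat(path).st_mode)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # Whatever the file started as (fresh touch under umask 022, a 640 from a
    # previous run, or an executable 755), the clause converges on 600.
    for start in (0o644, 0o640, 0o755):
        print(f"{start:o} -> {remediation_result(start):o}")
    print("on disk:", oct(simulate_remediation_on_tmpfile()))
```

Running it shows why the role's `mode: '0600'` and the CIS script agree: the clause strips every group and other bit, so 640 is never an output of the documented remediation regardless of the starting mode, and a scanner that demands 640 is checking against something other than the published baseline.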
hi @Wykx-Sama
This issue has been open for a while with no feedback. I will therefore close this. Please reopen if you feel this is still an issue with the role.
many thanks
uk-bolly
Describe the Issue

Hi, I noticed that the steps 5.1.8 and 5.1.9 set the permissions to 600, but the CIS recommendation is to set them to 640. That is making the rule fail in the CIS Benchmark.

Expected Behavior

The expected behavior should be to set permissions to 640 instead of 600.

Actual Behavior

At the moment the rules go to failed because of the permissions not being 640.

```yaml
- name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users"
  block:
    - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Remove cron.deny"
      ansible.builtin.file:
        path: /etc/cron.deny
        state: absent

    - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Check if cron.allow exists"
      ansible.builtin.stat:
        path: "/etc/cron.allow"
      register: rhel9cis_5_1_8_cron_allow_state

    - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Ensure cron.allow is restricted to authorized users"
      ansible.builtin.file:
        path: /etc/cron.allow
        state: '{{ "file" if rhel9cis_5_1_8_cron_allow_state.stat.exists else "touch" }}'
        owner: root
        group: root
        mode: '0600'
  when:
    - rhel9cis_rule_5_1_8
  tags:
    - level1-server
    - level1-workstation
    - patch
    - cron
    - rule_5.1.8

- name: "5.1.9 | PATCH | Ensure at is restricted to authorized users"
  block:
    - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Remove at.deny"
      ansible.builtin.file:
        path: /etc/at.deny
        state: absent

    - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Check if at.allow exists"
      ansible.builtin.stat:
        path: "/etc/at.allow"
      register: rhel9cis_5_1_9_at_allow_state

    - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Ensure at.allow is restricted to authorized users"
      ansible.builtin.file:
        path: /etc/at.allow
        state: '{{ "file" if rhel9cis_5_1_9_at_allow_state.stat.exists else "touch" }}'
        owner: root
        group: root
        mode: '0600'
  when:
    - rhel9cis_rule_5_1_9
  tags:
    - level1-server
    - level1-workstation
    - patch
    - cron
    - rule_5.1.9
```
Possible Solution

I tested setting the permissions to 640 and it no longer fails:

```yaml
- name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users"
  block:
    - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Remove cron.deny"
      ansible.builtin.file:
        path: /etc/cron.deny
        state: absent

    - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Check if cron.allow exists"
      ansible.builtin.stat:
        path: "/etc/cron.allow"
      register: rhel9cis_5_1_8_cron_allow_state

    - name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Ensure cron.allow is restricted to authorized users"
      ansible.builtin.file:
        path: /etc/cron.allow
        state: '{{ "file" if rhel9cis_5_1_8_cron_allow_state.stat.exists else "touch" }}'
        owner: root
        group: root
        mode: '0640'
  when:
    - rhel9cis_rule_5_1_8
  tags:
    - level1-server
    - level1-workstation
    - patch
    - cron
    - rule_5.1.8

- name: "5.1.9 | PATCH | Ensure at is restricted to authorized users"
  block:
    - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Remove at.deny"
      ansible.builtin.file:
        path: /etc/at.deny
        state: absent

    - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Check if at.allow exists"
      ansible.builtin.stat:
        path: "/etc/at.allow"
      register: rhel9cis_5_1_9_at_allow_state

    - name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Ensure at.allow is restricted to authorized users"
      ansible.builtin.file:
        path: /etc/at.allow
        state: '{{ "file" if rhel9cis_5_1_9_at_allow_state.stat.exists else "touch" }}'
        owner: root
        group: root
        mode: '0640'
  when:
    - rhel9cis_rule_5_1_9
  tags:
    - level1-server
    - level1-workstation
    - patch
    - cron
    - rule_5.1.9
```