uk-bolly
commented
1 month ago hi @Wykx-Sama
Thank you for taking the time in raising the issue and the associated PR. Going through the associated CIS documentation for these controls it provides a remediation script. Admittedly we all get things wrong occasionally, but we have been seeing an increase in issues with scanners not following documented control baselines. Out of interest which scanner are you using?
The component for both cron.allow 5.1.8 and at.allow 5.1.9 have the line (excert - larger output below)
chmod u-x,go-rwx /etc/cron.allowwhich give the value 600
So it appears the scanner is not as expected.
I hope that this makes sense.
many thanks
uk-bolly
Remediation Procedure
Run the following script to remove /etc/cron.deny, create /etc/cron.allow, and set the file mode on /etc/cron.allow:
#!/usr/bin/env bash
{
if rpm -q cronie >/dev/null; then
[ -e /etc/cron.deny ] && rm -f /etc/cron.deny
[ ! -e /etc/cron.allow ] && touch /etc/cron.allow
chown root:root /etc/cron.allow
chmod u-x,go-rwx /etc/cron.allow
else
echo "cron is not installed on the system"
fi
}
Describe the Issue Hi, i noticed that the step 5.1.8 and 5.1.9 set the permissions to 600 but the CIS recommendations is to set it to 640. That is making the rule to be failed in the CIS Benchmark. Expected Behavior The expected behavior should be to set permissions to 640 insted of 600. Actual Behavior At the moment rules go to failed because of the permissions not being 640.
name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users" block:
name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Remove cron.deny" ansible.builtin.file: path: /etc/cron.deny state: absent
name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Check if cron.allow exists" ansible.builtin.stat: path: "/etc/cron.allow" register: rhel9cis_5_1_8_cron_allow_state
name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Ensure cron.allow is restricted to authorized users" ansible.builtin.file: path: /etc/cron.allow state: '{{ "file" if rhel9cis_5_1_8_cron_allow_state.stat.exists else "touch" }}' owner: root group: root mode: '0600' when:
rhel9cis_rule_5_1_8 tags:
level1-server
level1-workstation
patch
cron
rule_5.1.8
name: "5.1.9 | PATCH | Ensure at is restricted to authorized users" block:
name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Remove at.deny" ansible.builtin.file: path: /etc/at.deny state: absent
name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Check if at.allow exists" ansible.builtin.stat: path: "/etc/at.allow" register: rhel9cis_5_1_9_at_allow_state
name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Ensure at.allow is restricted to authorized users" ansible.builtin.file: path: /etc/at.allow state: '{{ "file" if rhel9cis_5_1_9_at_allow_state.stat.exists else "touch" }}' owner: root group: root mode: '0600' when:
rhel9cis_rule_5_1_9 tags:
level1-server
level1-workstation
patch
cron
rule_5.1.9
Possible Solution
I tested to set the permissions to 640 and it's not failed anymore
name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users" block:
name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Remove cron.deny" ansible.builtin.file: path: /etc/cron.deny state: absent
name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Check if cron.allow exists" ansible.builtin.stat: path: "/etc/cron.allow" register: rhel9cis_5_1_8_cron_allow_state
name: "5.1.8 | PATCH | Ensure cron is restricted to authorized users | Ensure cron.allow is restricted to authorized users" ansible.builtin.file: path: /etc/cron.allow state: '{{ "file" if rhel9cis_5_1_8_cron_allow_state.stat.exists else "touch" }}' owner: root group: root mode: '0640' when:
rhel9cis_rule_5_1_8 tags:
level1-server
level1-workstation
patch
cron
rule_5.1.8
name: "5.1.9 | PATCH | Ensure at is restricted to authorized users" block:
name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Remove at.deny" ansible.builtin.file: path: /etc/at.deny state: absent
name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Check if at.allow exists" ansible.builtin.stat: path: "/etc/at.allow" register: rhel9cis_5_1_9_at_allow_state
name: "5.1.9 | PATCH | Ensure at is restricted to authorized users | Ensure at.allow is restricted to authorized users" ansible.builtin.file: path: /etc/at.allow state: '{{ "file" if rhel9cis_5_1_9_at_allow_state.stat.exists else "touch" }}' owner: root group: root mode: '0640' when:
rhel9cis_rule_5_1_9 tags:
level1-server
level1-workstation
patch
cron
rule_5.1.9