Fix failing file_permissions_crontab
The rule `file_permissions_crontab` fails in a scan performed after
deployment of a CentOS Stream 9 bootable container image hardened
with the PCI-DSS profile. The HTML report shows that the mode of
`/etc/crontab` is `0640`, but the rule expects the mode of this
file to be `0600`. The rule passed during the container image
build process because the file `/etc/crontab` didn't exist. The root
cause is that the `cronie` RPM package that provides `/etc/crontab`
is neither present in the CS 9 base image nor is it installed as
a dependency of the PCI-DSS profile. We will fix this problem
by including the rule `package_cron_installed` in the profile,
which will install the `cronie` package before `oscap` and then
it will change the `/etc/crontab` mode during remediation.
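The failure mode described above (a file-mode check that passes vacuously while the file is absent, then fails once the package drops the file with its own default mode) can be reproduced outside a real scan. The script below is an added example and is not part of ComplianceAsCode or the `oscap` remediation; it works in a scratch directory instead of `/etc/crontab`, assumes GNU coreutils (`stat -c`), and the helper names `check_mode`, `remediate_mode`, `scenario` and `current_mode` are illustrative, not project API.

```shell
#!/bin/sh
# Added example, not ComplianceAsCode code. Reproduces the check/remediate
# sequence for /etc/crontab in a scratch directory. Assumes GNU coreutils.

EXPECTED_MODE=600   # mode the file_permissions_crontab rule expects

# check_mode FILE: prints PASS/FAIL and returns 0/1.
# Mirrors the behaviour in the commit message: a missing file is reported
# as PASS, which is why the build-time scan did not catch the problem.
check_mode() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "PASS (file absent, nothing to check)"
        return 0
    fi
    actual=$(stat -c '%a' "$f")
    if [ "$actual" = "$EXPECTED_MODE" ]; then
        echo "PASS (mode $actual)"
        return 0
    fi
    echo "FAIL (mode $actual, expected $EXPECTED_MODE)"
    return 1
}

# remediate_mode FILE: chmod to the expected mode, but only if the file
# exists. Like the real remediation, it cannot fix a file that is not there,
# which is why the package must be installed first.
remediate_mode() {
    f=$1
    [ -e "$f" ] || return 0
    chmod "$EXPECTED_MODE" "$f"
}

# current_mode FILE: octal mode of FILE (helper for callers/tests).
current_mode() {
    stat -c '%a' "$1"
}

# scenario DIR: walks through build-time scan, package install, post-deploy
# scan, remediation and rescan. Returns 0 if the final scan passes.
scenario() {
    d=$1
    crontab="$d/crontab"        # stand-in for /etc/crontab (constructed)
    rm -f "$crontab"
    echo "build-time scan:    $(check_mode "$crontab")"
    # Simulate the cronie package dropping /etc/crontab with mode 0640.
    : > "$crontab"
    chmod 640 "$crontab"
    echo "post-deploy scan:   $(check_mode "$crontab")"
    remediate_mode "$crontab"
    echo "after remediation:  $(check_mode "$crontab")"
    check_mode "$crontab" >/dev/null
}
```

Running `scenario "$(mktemp -d)"` prints PASS for the absent file, FAIL at `0640` after the simulated package install, and PASS at `0600` after remediation; the order of the last two steps is the point of the fix, since `remediate_mode` is a no-op on a file that does not exist yet.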
jan-cerny committed Jan 10, 2025
1 parent 04c056a commit b0211e8
Showing 2 changed files with 2 additions and 0 deletions.
1 change: 1 addition & 0 deletions controls/pcidss_4.yml
Expand Up @@ -500,6 +500,7 @@ controls:
- file_permissions_cron_allow
- file_groupowner_crontab
- file_owner_crontab
- package_cron_installed
- file_permissions_crontab
- file_groupowner_cron_d
- file_owner_cron_d
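Review bot: `package_cron_installed` lands after `file_groupowner_crontab` and `file_owner_crontab`, which also target `/etc/crontab`; if list order is what gets `cronie` installed before the permission fix, as the commit message implies, those two rules still run against a file that does not exist yet and hit the same absent-file case at build time. Consider moving the new entry to the top of this crontab group (above `file_permissions_cron_allow`, or at least above `file_groupowner_crontab`) so that every `/etc/crontab` rule follows the package installation, and add a one-line comment next to it explaining why a package rule sits among file-permission rules.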
1 change: 1 addition & 0 deletions tests/data/profile_stability/rhel9/pci-dss.profile
Expand Up @@ -198,6 +198,7 @@ selections:
- package_audispd-plugins_installed
- package_audit_installed
- package_chrony_installed
- package_cron_installed
- package_cryptsetup-luks_installed
- package_dhcp_removed
- package_firewalld_installed
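Review bot: only the rhel9 profile stability snapshot is updated, while the edited `controls/pcidss_4.yml` carries no product name; if any other product builds its PCI-DSS profile from the same control file, its stability snapshot will need the same `package_cron_installed` line or the stability test will fail there. The entry itself is in the correct sorted position between `package_chrony_installed` and `package_cryptsetup-luks_installed`.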
