From b0211e8c4f86be6ba9a531fcd08984f663c0c85d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20=C4=8Cern=C3=BD?=
Date: Fri, 10 Jan 2025 14:59:04 +0100
Subject: [PATCH] Fix failing file_permissions_crontab

The rule `file_permissions_crontab` fails in a scan performed after deployment of a CentOS Stream 9 bootable container image hardened with the PCI-DSS profile. The HTML report shows that the mode of `/etc/crontab` is `0640` but the rule expects the mode of this file should be `0600`. The rule passed during the container image build process because the file `/etc/crontab` didn't exist. The root cause is that the `cronie` RPM package that provides `/etc/crontab` is neither present in the CS 9 base image nor it's installed as a dependency of the PCI-DSS profile. We will fix this problem by including the rule `package_cron_installed` to the profile which will install the `cronie` package before `oscap` and then it will change the `/etc/crontab` mode during remediation.
---
 controls/pcidss_4.yml | 1 +
 tests/data/profile_stability/rhel9/pci-dss.profile | 1 +
 2 files changed, 2 insertions(+)

diff --git a/controls/pcidss_4.yml b/controls/pcidss_4.yml
index 17b688dfab6a..267ee78d4182 100644
--- a/controls/pcidss_4.yml
+++ b/controls/pcidss_4.yml
@@ -500,6 +500,7 @@ controls:
 - file_permissions_cron_allow
 - file_groupowner_crontab
 - file_owner_crontab
+ - package_cron_installed
 - file_permissions_crontab
 - file_groupowner_cron_d
 - file_owner_cron_d
diff --git a/tests/data/profile_stability/rhel9/pci-dss.profile b/tests/data/profile_stability/rhel9/pci-dss.profile
index aae368bafba7..861bbae835e0 100644
--- a/tests/data/profile_stability/rhel9/pci-dss.profile
+++ b/tests/data/profile_stability/rhel9/pci-dss.profile
@@ -198,6 +198,7 @@ selections:
 - package_audispd-plugins_installed
 - package_audit_installed
 - package_chrony_installed
+- package_cron_installed
 - package_cryptsetup-luks_installed
 - package_dhcp_removed
 - package_firewalld_installed
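Review bot: The new `package_cron_installed` selection in controls/pcidss_4.yml is placed between `file_owner_crontab` and `file_permissions_crontab`, in a list that otherwise groups the crontab rules together; if the position is meant to make the package install run before the mode fix, that ordering is, as far as I know, decided by the built benchmark's structure rather than by the control file's list order, so the reason for the selection should be recorded where it sits, e.g. `# package_cron_installed: /etc/crontab is provided by cronie; without the package the file_* crontab checks pass at build time and fail after deployment`. The second hunk updates only tests/data/profile_stability/rhel9/pci-dss.profile, while this controls file is shared by every product that builds its PCI-DSS profile from it; the stability data of other products that use it may need the same line, and the rule's applicability on those products should be confirmed. The rest of this control's rule list is outside the hunk.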