Merge pull request #12711 from ericeberry/u2404_2421

Ubuntu 24.04 2.4.2.1 Ensure at is restricted to authorized users

components/cronie.yml

@@ -6,12 +6,14 @@ packages:
 - cronie
 rules:
 - disable_anacron
+- file_at_allow_exists
 - file_at_deny_not_exist
 - file_cron_allow_exists
 - file_cron_deny_not_exist
 - file_owner_cron_deny
 - file_groupowner_cron_deny
 - file_groupowner_at_allow
+- file_groupowner_at_deny
 - file_groupowner_cron_allow
 - file_groupowner_cron_d
 - file_groupowner_cron_daily
@@ -20,6 +22,7 @@ rules:
 - file_groupowner_cron_weekly
 - file_groupowner_crontab
 - file_owner_at_allow
+- file_owner_at_deny
 - file_owner_cron_allow
 - file_owner_cron_d
 - file_owner_cron_daily
@@ -28,6 +31,7 @@ rules:
 - file_owner_cron_weekly
 - file_owner_crontab
 - file_permissions_at_allow
+- file_permissions_at_deny
 - file_permissions_cron_allow
 - file_permissions_cron_d
 - file_permissions_cron_daily

controls/cis_ubuntu2404.yml

@@ -1091,14 +1091,18 @@ controls:
     levels:
       - l1_server
       - l1_workstation
-    related_rules:
-      - file_at_deny_not_exist
+    rules:
+      - file_at_allow_exists
       - file_groupowner_at_allow
       - file_owner_at_allow
       - file_permissions_at_allow
-    status: planned
-    notes: TODO. Partial/incorrect implementation exists.See related rules. Analogous to ubuntu2204/5.1.9.
-
+      - file_groupowner_at_deny
+      - file_owner_at_deny
+      - file_permissions_at_deny
+    status: automated
+    notes: file_owner_at_deny and file_owner_at_allow currently require root as owner
+           and don't accept daemon
+
   - id: 3.1.1
     title: Ensure IPv6 status is identified (Manual)
     levels:

linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_allow_exists/rule.yml

@@ -0,0 +1,32 @@
+documentation_complete: true
+
+
+title: Ensure that /etc/at.allow exists
+
+description: |-
+    The file <tt>/etc/at.allow</tt> should exist and should be used instead
+    of <tt>/etc/at.deny</tt>.
+
+rationale: |-
+    Using the at.allow file to control who can run at jobs enforces this who can schedule jobs.
+    It is easier to manage an allow list than a deny list. 
+
+severity: medium
+
+ocil_clause: 'the file /etc/at.allow does not exist'
+
+ocil: |-
+    The file <tt>/etc/at.allow</tt> should exist.
+    This can be checked by running the following command:
+    <pre>
+    stat /etc/at.allow
+    </pre>
+    and the output should list the file.
+
+template:
+    name: file_existence
+    vars:
+        filepath: /etc/at.allow
+        exists: true
+        fileuid: "0"
+        filemode: "0640"

linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_allow_exists/tests/dne.fail.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+rm -rf /etc/at.allow

linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_at_allow_exists/tests/exists.pass.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+touch /etc/at.allow

linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_at_deny/rule.yml

@@ -0,0 +1,24 @@
+documentation_complete: true
+
+title: 'Verify Group Who Owns /etc/at.deny file'
+
+description: |-
+    If <tt>/etc/at.deny</tt> exists, it must be group-owned by <tt>root</tt>.
+    {{{ describe_file_group_owner(file="/etc/at.deny", group="root") }}}
+
+rationale: |-
+    If the owner of the at.deny file is not set to root, the possibility exists for an
+    unauthorized user to view or edit sensitive information.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/at.deny", group="root") }}}'
+
+ocil: |-
+    {{{ ocil_file_group_owner(file="/etc/at.deny", group="root") }}}
+
+template:
+    name: file_groupowner
+    vars:
+        filepath: /etc/at.deny
+        gid_or_name: '0'

linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_owner_at_deny/rule.yml

@@ -0,0 +1,26 @@
+documentation_complete: true
+
+
+title: 'Verify User Who Owns /etc/at.deny file'
+
+description: |-
+    If <tt>/etc/at.deny</tt> exists, it must be owned by <tt>root</tt>.
+    {{{ describe_file_owner(file="/etc/at.deny", owner="root") }}}
+
+rationale: |-
+    If the owner of the at.deny file is not set to root, the possibility exists for an
+    unauthorized user to view or edit sensitive information.
+
+severity: medium
+
+
+ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/at.deny", owner="root") }}}'
+
+ocil: |-
+    {{{ ocil_file_owner(file="/etc/at.deny", owner="root") }}}
+
+template:
+    name: file_owner
+    vars:
+        filepath: /etc/at.deny
+        fileuid: '0'

linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_deny/rule.yml

@@ -0,0 +1,34 @@
+documentation_complete: true
+
+title: 'Verify Permissions on /etc/at.deny file'
+
+{{%  if 'rhel' not in product %}}
+    {{% set target_perms_octal="0640" %}}
+    {{% set target_perms="-rw-r-----" %}}
+{{% else %}}
+    {{% set target_perms_octal="0600" %}}
+    {{% set target_perms="-rw-------" %}}
+{{% endif %}}
+
+description: |-
+    If <tt>/etc/at.deny</tt> exists, it must have permissions <tt>{{{ target_perms_octal }}}</tt>
+    or more restrictive.
+
+    {{{ describe_file_permissions(file="/etc/at.deny", perms=target_perms_octal) }}}
+
+rationale: |-
+    If the permissions of the at.deny file are not set to {{{ target_perms_octal }}} or more restrictive,
+    the possibility exists for an unauthorized user to view or edit sensitive information.
+
+severity: medium
+
+ocil_clause: '{{{ ocil_clause_file_permissions(file="/etc/at.deny", perms=target_perms) }}}'
+
+ocil: |-
+    {{{ ocil_file_permissions(file="/etc/at.deny", perms=target_perms) }}}
+
+template:
+    name: file_permissions
+    vars:
+        filepath: /etc/at.deny
+        filemode: '{{{ target_perms_octal }}}'

linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_permissions_at_deny/tests/missing_file_test.pass.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+#
+
+rm -f /etc/at.deny