[Forgot Password]
Login  Register Subscribe

30479

 
 

423868

 
 

248392

 
 

909

 
 

195452

 
 

282

 
Paid content will be excluded from the download.


Download | Alert*
CCE
view XML

CCE-95420-6

Platform: cpe:/o:amazon:linux:2, cpe:/o:centos:centos:7, cpe:/o:oracle:linux:7, cpe:/o:oracle:linux:8, cpe:/o:redhat:enterprise_linux:7, cpe:/o:redhat:enterprise_linux:8, cpe:/o:redhat:enterprise_linux:9Date: (C)2021-03-05   (M)2023-07-04



Description: Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services. If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at and cron. Note that even though a given user is not listed in cron.allow , cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs. Rationale: On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files. Audit: Run the following commands and ensure /etc/cron.deny and /etc/at.deny do not exist: # stat /etc/cron.deny stat: cannot stat `/etc/cron.deny': No such file or directory # stat /etc/at.deny stat: cannot stat `/etc/at.deny': No such file or directory Run the following command and verify Uid and Gid are both 0/root and Access does not grant permissions to group or other for both /etc/cron.allow and /etc/at.allow : # stat /etc/cron.allow Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root) # stat /etc/at.allow Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root) Remediation: Run the following commands to remove /etc/cron.deny and /etc/at.deny and create and set permissions and ownership for /etc/cron.allow and /etc/at.allow : # rm /etc/cron.deny # rm /etc/at.deny # touch /etc/cron.allow # touch /etc/at.allow # chmod og-rwx /etc/cron.allow # chmod og-rwx /etc/at.allow # chown root:root /etc/cron.allow # chown root:root /etc/at.allow


Parameter:

[yes/no]


Technical Mechanism:

Run the following commands to remove /etc/cron.deny and /etc/at.deny and create and set permissions and ownership for /etc/cron.allow and /etc/at.allow : # rm /etc/cron.deny # rm /etc/at.deny # touch /etc/cron.allow # touch /etc/at.allow # chmod og-rwx /etc/cron.allow # chmod og-rwx /etc/at.allow # chown root:root /etc/cron.allow # chown root:root /etc/at.allow

CCSS Severity:CCSS Metrics:
CCSS Score : 5.3Attack Vector: LOCAL
Exploit Score: 1.8Attack Complexity: LOW
Impact Score: 3.4Privileges Required: LOW
Severity: MEDIUMUser Interaction: NONE
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:LScope: UNCHANGED
 Confidentiality: LOW
 Integrity: LOW
 Availability: LOW
  

References:
Resource IdReference
SCAP Repo OVAL Definitionoval:org.secpod.oval:def:72971
SCAP Repo OVAL Definitionoval:org.secpod.oval:def:68571
SCAP Repo OVAL Definitionoval:org.secpod.oval:def:72031
SCAP Repo OVAL Definitionoval:org.secpod.oval:def:84271
SCAP Repo OVAL Definitionoval:org.secpod.oval:def:72866
SCAP Repo OVAL Definitionoval:org.secpod.oval:def:72397
SCAP Repo OVAL Definitionoval:org.secpod.oval:def:72657
SCAP Repo OVAL Definitionoval:org.secpod.oval:def:72760
OVAL    8
oval:org.secpod.oval:def:84271
oval:org.secpod.oval:def:72866
oval:org.secpod.oval:def:72657
oval:org.secpod.oval:def:72397
...
XCCDF    8
xccdf_org.secpod_benchmark_general_Amazon_Linux_AMI
xccdf_org.secpod_benchmark_general_CENTOS_7
xccdf_org.secpod_benchmark_general_RHEL_8
xccdf_org.secpod_benchmark_general_OEL_8
...

© SecPod Technologies