Description of problem:
Following the remediation script for this rule will produce an error for a user allowed to run cron.
SCAP Security Guide Version:
master branch
Operating System Version:
Ubuntu 22.04 LTS
Steps to Reproduce:
- Set permissions on /etc/cron.allow:
root@ubuntu:~# chown root:root /etc/cron.allow
root@ubuntu:~# chmod u-x,g-wx,o-rwx /etc/cron.allow
root@ubuntu:~# stat /etc/cron.allow
File: /etc/cron.allow
Size: 0 Blocks: 0 IO Block: 4096 regular empty file
Device: fd00h/64768d Inode: 132969 Links: 1
Access: (0640/-rw-r-----) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2024-04-25 23:39:20.627379836 +0000
Modify: 2024-04-25 23:39:20.627379836 +0000
Change: 2024-04-26 10:55:41.546259651 +0000
Birth: 2024-04-25 23:39:20.627379836 +0000
- Execute the oscap check for this rule:
root@ubuntu:~# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_level2_server --rule xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow ssg-ubuntu2204-ds.xml
Title Verify Group Who Owns /etc/cron.allow file
Rule xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow
Result pass
- Allow ubuntu user to run cron:
root@ubuntu:~# cat /etc/cron.allow
ubuntu
- As user ubuntu try to edit its own crontab:
root@ubuntu:~# su - ubuntu
ubuntu@ubuntu:~$ crontab -l
/etc/cron.allow: Permission denied
You (ubuntu) are not allowed to use this program (crontab)
See crontab(1) for more information
Additional Information/Debugging Steps:
File /etc/cron.allow should be owned by the group crontab:
root@ubuntu:~# chgrp crontab /etc/cron.allow
root@ubuntu:~# stat /etc/cron.allow
File: /etc/cron.allow
Size: 7 Blocks: 8 IO Block: 4096 regular file
Device: fd00h/64768d Inode: 133448 Links: 1
Access: (0640/-rw-r-----) Uid: ( 0/ root) Gid: ( 112/ crontab)
Access: 2024-04-26 10:59:03.022526578 +0000
Modify: 2024-04-26 10:58:58.678522461 +0000
Change: 2024-04-26 11:03:44.074679809 +0000
Birth: 2024-04-26 10:58:58.678522461 +0000
root@ubuntu:~# su - ubuntu
ubuntu@ubuntu:~$ crontab -l
no crontab for ubuntu
Ticket 21619 was also opened to CIS WorkBench community.
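
A pre-check for the condition reported above, as an added example that is not part of the original issue or of the project's remediation content. It assumes crontab is installed setgid (on Ubuntu its group is crontab), so an unprivileged caller reads /etc/cron.allow through the group permission bits, and it assumes GNU stat; the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumption: crontab(1) is a setgid binary, so a non-root,
# non-owner caller can read the allow file only via the binary's group.

# allow_file_verdict MODE FILE_GROUP HELPER_GROUP
# MODE is the octal mode as printed by `stat -c %a` (for example 640).
# Prints ok | unreadable | too-open and returns 0 only for "ok".
allow_file_verdict() {
    mode=$((0$1)); file_group=$2; helper_group=$3
    # Any permission for "other" is looser than the hardening in the report.
    if [ $((mode & 007)) -ne 0 ]; then
        echo too-open; return 2
    fi
    # The setgid helper needs group read AND a matching group owner.
    if [ "$file_group" = "$helper_group" ] && [ $((mode & 040)) -ne 0 ]; then
        echo ok; return 0
    fi
    # This is the state that yields "Permission denied" for allowed users.
    echo unreadable; return 1
}

# check_cron_allow ALLOW_FILE CRONTAB_BIN
# Reads both files with GNU stat and applies the verdict above.
check_cron_allow() {
    if [ ! -e "$1" ] || [ ! -e "$2" ]; then
        echo missing; return 3
    fi
    bin_mode=$(stat -c %a "$2") || return 3
    bin_group=$(stat -c %G "$2") || return 3
    # Without the setgid bit the assumption of this check does not hold.
    if [ $((0$bin_mode & 02000)) -eq 0 ]; then
        echo not-setgid; return 3
    fi
    allow_file_verdict "$(stat -c %a "$1")" "$(stat -c %G "$1")" "$bin_group"
}

# Usage: sh check.sh /etc/cron.allow /usr/bin/crontab
if [ "$#" -eq 2 ]; then
    check_cron_allow "$1" "$2"
fi
```

Run before and after applying the remediation; a change from ok to unreadable reproduces the regression described in this report without switching to a test user.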