Merge pull request #11185 from Mab879/add_cron_deny_rules

Add cron.deny Owership Rules
ComplianceAsCode · Oct 10, 2023 · 7398d6a · 7398d6a
2 parents b968c46 + def2fe2
commit 7398d6a
Show file tree

Hide file tree

Showing 5 changed files with 84 additions and 2 deletions.
diff --git a/components/cronie.yml b/components/cronie.yml
@@ -8,6 +8,8 @@ rules:
 - disable_anacron
 - file_at_deny_not_exist
 - file_cron_deny_not_exist
+- file_owner_cron_deny
+- file_groupowner_cron_deny
 - file_groupowner_at_allow
 - file_groupowner_cron_allow
 - file_groupowner_cron_d

diff --git a/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml b/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
@@ -64,6 +64,8 @@ controls:
             - file_permissions_ungroupowned
             - dir_perms_world_writable_root_owned
             - no_files_unowned_by_user
+            - file_owner_cron_deny
+            - file_groupowner_cron_deny
 
             # service disabled
             # - service_rngd_enabled - this rule was removed because it does bring questionable value on modern systems

diff --git a/linux_os/guide/services/cron_and_at/file_groupowner_cron_deny/rule.yml b/linux_os/guide/services/cron_and_at/file_groupowner_cron_deny/rule.yml
@@ -0,0 +1,39 @@
+documentation_complete: true
+
+prodtype: rhel9
+
+title: 'Verify Group Who Owns cron.deny'
+
+description: |-
+    {{{ describe_file_group_owner(file="/etc/cron.deny", group="root") }}}
+
+rationale: |-
+    Service configuration files enable or disable features of their respective services that if configured incorrectly
+    can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
+    correct group to prevent unauthorized changes.
+
+severity: medium
+
+identifiers:
+    cce@rhel9: CCE-86537-8
+
+
+references:
+    disa: CCI-000366
+    nist: CM-6 b
+    srg: SRG-OS-000480-GPOS-00227
+
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/cron.deny", group="root") }}}'
+
+ocil: |-
+    {{{ ocil_file_group_owner(file="/etc/cron.deny", group="root") }}}
+
+fixtext: '{{{ fixtext_file_group_owner(file="/etc/cron.deny/", group="root") }}}'
+
+srg_requirement: '{{{ srg_requirement_file_group_owner(file="/etc/cron.deny", group="root") }}}'
+
+template:
+    name: file_groupowner
+    vars:
+        filepath: /etc/cron.deny
+        gid_or_name: '0'
diff --git a/linux_os/guide/services/cron_and_at/file_owner_cron_deny/rule.yml b/linux_os/guide/services/cron_and_at/file_owner_cron_deny/rule.yml
@@ -0,0 +1,41 @@
+documentation_complete: true
+
+prodtype: rhel9
+
+title: 'Verify Owner on cron.deny'
+
+description: |-
+    {{{ describe_file_owner(file="/etc/cron.deny", owner="root") }}}
+
+rationale: |-
+    Service configuration files enable or disable features of their respective services that if configured incorrectly
+    can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the
+    correct user to prevent unauthorized changes.
+
+
+severity: medium
+
+identifiers:
+    cce@rhel9: CCE-86887-7
+
+references:
+    disa: CCI-000366
+    nist: CM-6 b
+    srg: SRG-OS-000480-GPOS-00227
+
+
+ocil_clause: '{{{ ocil_clause_file_owner(file="/etc/cron.deny", owner="root") }}}'
+
+ocil: |-
+    {{{ ocil_file_owner(file="/etc/cron.deny", owner="root") }}}
+
+fixtext: '{{{ fixtext_file_owner(file="/etc/cron.deny/", owner="root") }}}'
+
+srg_requirement: '{{{ srg_requirement_file_owner(file="/etc/cron.deny", owner="root") }}}'
+
+template:
+    name: file_owner
+    vars:
+        filepath: /etc/cron.deny
+        fileuid: '0'
+
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -253,7 +253,6 @@ CCE-86528-7
 CCE-86530-3
 CCE-86535-2
 CCE-86536-0
-CCE-86537-8
 CCE-86538-6
 CCE-86539-4
 CCE-86540-2
@@ -509,7 +508,6 @@ CCE-86880-2
 CCE-86881-0
 CCE-86882-8
 CCE-86886-9
-CCE-86887-7
 CCE-86888-5
 CCE-86889-3
 CCE-86890-1