Add new rule file_cron_allow_exists

Add new rule file_cron_allow_exists and add it to CIS profiles because the CIS RHEL Benchmark requires the file /etc/cron.allow to exist. The other rules within the control that check the ownership and permissions on /etc/cron.allow are passing if this file doesn't exist. The file doesn't exist by default. To ensure the file exists, we add a new rule that creates it. Resolves: https://issues.redhat.com/browse/RHEL-1314
jan-cerny · Jan 11, 2024 · 2c99c95 · 2c99c95
1 parent 24b9960
commit 2c99c95
Show file tree

Hide file tree

Showing 8 changed files with 51 additions and 3 deletions.
diff --git a/components/cronie.yml b/components/cronie.yml
@@ -7,6 +7,7 @@ packages:
 rules:
 - disable_anacron
 - file_at_deny_not_exist
+- file_cron_allow_exists
 - file_cron_deny_not_exist
 - file_owner_cron_deny
 - file_groupowner_cron_deny

diff --git a/controls/cis_rhel7.yml b/controls/cis_rhel7.yml
@@ -1749,6 +1749,7 @@ controls:
     status: automated
     rules:
     - file_groupowner_cron_allow
+    - file_cron_allow_exists
     - file_owner_cron_allow
     - file_cron_deny_not_exist
     - file_permissions_cron_allow

diff --git a/controls/cis_rhel8.yml b/controls/cis_rhel8.yml
@@ -1954,6 +1954,7 @@ controls:
     status: automated
     rules:
       - file_cron_deny_not_exist
+      - file_cron_allow_exists
       - file_groupowner_cron_allow
       - file_owner_cron_allow
       - file_permissions_cron_allow

diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml
@@ -1800,6 +1800,7 @@ controls:
     status: automated
     rules:
       - file_cron_deny_not_exist
+      - file_cron_allow_exists
       - file_groupowner_cron_allow
       - file_owner_cron_allow
       - file_permissions_cron_allow

diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_allow_exists/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_cron_allow_exists/rule.yml
@@ -0,0 +1,43 @@
+documentation_complete: true
+
+prodtype: rhel7,rhel8,rhel9
+
+title: Ensure that /etc/cron.allow exists
+
+description: |-
+    The file <tt>/etc/cron.allow</tt> should exist and should be used instead
+    of <tt>/etc/cron.deny</tt>.
+
+rationale: |-
+    Access to <tt>crontab</tt> should be restricted.
+    It is easier to manage an allow list than a deny list.
+    Therefore, <tt>/etc/cron.allow</tt> needs to be created and used instead of <tt>/etc/cron.deny</tt>.
+    Regardless of the existence of any of these files, the root administrative user is always allowed to setup a crontab.
+
+severity: medium
+
+identifiers:
+    cce@rhel7: CCE-86183-1
+    cce@rhel8: CCE-86184-9
+    cce@rhel9: CCE-86185-6
+
+references:
+    cis@rhel7: 5.1.8
+    cis@rhel8: 5.1.8
+    cis@rhel9: 5.1.8
+
+ocil_clause: 'the file /etc/cron.allow does not exist'
+
+ocil: |-
+    The file <tt>/etc/cron.allow</tt> should exist.
+    This can be checked by running the following command:
+    <pre>
+    stat /etc/cron.allow
+    </pre>
+    and the output should list the file.
+
+template:
+    name: file_existence
+    vars:
+        filepath: /etc/cron.allow
+        exists: true
diff --git a/...uide/services/cron_and_at/restrict_at_cron_users/file_cron_allow_exists/tests/dne.fail.sh b/...uide/services/cron_and_at/restrict_at_cron_users/file_cron_allow_exists/tests/dne.fail.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+rm -rf /etc/cron.allow
diff --git a/...e/services/cron_and_at/restrict_at_cron_users/file_cron_allow_exists/tests/exists.pass.sh b/...e/services/cron_and_at/restrict_at_cron_users/file_cron_allow_exists/tests/exists.pass.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+touch /etc/cron.allow
diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -33,9 +33,6 @@ CCE-86178-1
 CCE-86179-9
 CCE-86180-7
 CCE-86181-5
-CCE-86183-1
-CCE-86184-9
-CCE-86185-6
 CCE-86186-4
 CCE-86187-2
 CCE-86188-0