Improve rule file_permssions_crontab #12652
Conversation
jan-cerny
added
CIS
|
Start a new ephemeral environment with changes proposed in this pull request: rhel8 (from CTF) Environment (using Fedora as testing environment) Fedora Testing Environment Oracle Linux 8 Environment |
jan-cerny
force-pushed
the
file_permissions_crontabs
branch
from
7c79e12 to
ee51ec7
Compare
controls/stig_rhel9.yml
Outdated
| @@ -958,6 +958,7 @@ controls: | |||
| - medium | |||
| title: RHEL 9 cron configuration directories must have a mode of 0700 or less permissive. | |||
| rules: | |||
| - package_crontabs_installed | |||
There was a problem hiding this comment.
This isn't in the STIG. Why should be added?
See https://stigaview.com/products/rhel9/v2r2/RHEL-09-232040/
There was a problem hiding this comment.
Good point! I have changed the PR to add package_cron_installed instead.
This change solves problem of failing rule `file_permissions_crontab` when the `crontabs` RPM package isn't installed. This situation happens namely when builidng a CS9 bootable container image because the base image doesn't contain the crontabs RPM package. In profiles which contain rules checking permissions on files that are provided by `crontabs`, we will install the `crontabs` package by installing the `cronie` package which provides the `cron` service and has `crontabs` as dependency. This will be achieved by adding the rule `package_cron_installed` to these profiles. Notice that the `cronie` package will be installed as a result of rule `package_cron_installed` which installs either `cron` or `cronie` based on the product name. This rule is fixed by this commit because the correct package name for RHEL 9 is `cronie` as well.
jan-cerny
force-pushed
the
file_permissions_crontabs
branch
from
ee51ec7 to
c8d0381
Compare
|
I have removed the new rule from this PR. I have changed the PR to add package_cron_installed instead. I have rebased this PR on the top of the latest upstream master branch. |
|
This datastream diff is auto generated by the check Click here to see the full diffNew content has different text for rule 'xccdf_org.ssgproject.content_rule_package_cron_installed'.
--- xccdf_org.ssgproject.content_rule_package_cron_installed
+++ xccdf_org.ssgproject.content_rule_package_cron_installed
@@ -39,6 +39,9 @@
DSS06.06
[reference]:
+CCI-000366
+
+[reference]:
164.308(a)(4)(i)
[reference]:
@@ -217,6 +220,9 @@
[reference]:
PR.PT-3
+
+[reference]:
+SRG-OS-000480-GPOS-00227
[rationale]:
The cron service allow periodic job execution, needed for almost all administrative tasks and services (software update, log rotating, etc.). Access to cron service should be restricted to administrative accounts only. |
|
Code Climate has analyzed commit d06fa13 and detected 0 issues on this pull request. The test coverage on the diff in this pull request is 100.0% (50% is the threshold). This pull request will bring the total coverage in the repository to 60.9% (0.0% change). View more on Code Climate. |
|
Waving Automatus tests since they are not applicable to containers. |
This change solves problem of failing rule
file_permissions_crontabwhen the
crontabsRPM package isn't installed. This situation happensnamely when builidng a CS9 bootable container image because the
base image doesn't contain the crontabs RPM package.
In profiles which contain rules checking permissions on files that are
provided by
crontabs, we will install thecrontabspackage byinstalling the
croniepackage which provides thecronservice andhas
crontabsas dependency. This will be achieved by adding the rulepackage_cron_installedto these profiles.Notice that the
croniepackage will be installed as a result of rulepackage_cron_installedwhich installs eithercronorcroniebased on the product name. This rule is fixed by this commit because
the correct package name for RHEL 9 is
cronieas well.Review Hints:
Build and boot a CS 9 bootable container image hardened with STIG profile. Then, run a verification scan of the running VM.