Incorrect permissions with 5.1.8 | Ensure at/cron is restricted to authorized users task #26

Closed
jrbeilke opened this issue Apr 8, 2021 · 2 comments

Comments

jrbeilke commented Apr 8, 2021

The task for this CIS criterion changes the cron file permissions to 0640 when they should be 0600 instead:

```yaml
- name: "SCORED | 5.1.8 | PATCH | Ensure at/cron is restricted to authorized users | Create allow files"
  file:
      path: "{{ item }}"
      owner: root
      group: root
      mode: 0640
      state: touch
  with_items:
      - /etc/cron.allow
      - /etc/at.allow
```

Audit:
Run the following command and verify Uid and Gid are both 0/root and Access does not grant permissions to group or other for both /etc/cron.allow and /etc/at.allow:

```
stat /etc/cron.allow

Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root)

stat /etc/at.allow

Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root)
```

@georgenalen (Contributor) commented

Hello,
Thanks for raising the issue. I can make the change, but I want to make sure I fully understand the mistake being made before the change. I have the audit and remediation from that control in the benchmark below. Looking at the audit output that is being used as the "good" finding, it is set to 640. Then in the remediation step it has you removing write and execute from group and read/write/execute from other. Doing it by the number, I think 640 is correct for those files since in the end the user perms are left with whatever, group is left with only read permissions, and other has none. Let me know if I'm misinterpreting the control.

Audit section:
Run the following command and verify Uid and Gid are both 0/root and Access does not grant write or execute to group, and does not grant permissions to other for /etc/cron.allow:

```
# stat /etc/cron.allow
Access: (0640/-rw-r-----) Uid: ( 0/ root) Gid: ( 0/ root)
```

Remediation section:

```
chmod g-wx,o-rwx /etc/cron.allow
```

George

@jrbeilke (Author) commented

Ah, I see the issue: I was comparing the Distribution Independent Linux CIS Benchmark instead of the Ubuntu-specific CIS Benchmark.

In the DIL benchmark the 5.1.8 criterion requires 0600 permissions for the at/cron files, whereas in the Ubuntu benchmark the 5.1.8 criterion calls for 0640 permissions.

Not entirely sure why the difference in permissions, but AFAICT it seems that Debian/Ubuntu systems need the 640 permissions because the crontab group needs read access to the at/cron allow files to properly restrict user access.

i.e.

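The two readings of control 5.1.8 discussed in this thread differ only in which permission bits they forbid: the DIL benchmark rejects any group or other bit (exactly 0600), while the Ubuntu benchmark only rejects group write/execute and all of other (so 0640 passes). The following audit helper is an added example, not code from this playbook or from either commenter; it encodes both rules as bit masks and runs the CIS audit step (owner, group, mode) against constructed sample files in a temporary directory, since the real paths /etc/cron.allow and /etc/at.allow need root to inspect.

```python
import os
import stat
import tempfile

# Forbidden permission bits per benchmark variant named in the thread.
FORBIDDEN_BITS = {
    "dil": 0o077,     # DIL: no group or other bits at all -> exactly 0600
    "ubuntu": 0o037,  # Ubuntu: chmod g-wx,o-rwx -> 0640 (or 0600) passes
}


def mode_complies(mode: int, benchmark: str) -> bool:
    """Return True if the permission bits of `mode` satisfy `benchmark`."""
    if benchmark not in FORBIDDEN_BITS:
        raise ValueError(f"unknown benchmark {benchmark!r}")
    return stat.S_IMODE(mode) & FORBIDDEN_BITS[benchmark] == 0


def audit_file(path: str, benchmark: str, expect_uid: int = 0, expect_gid: int = 0) -> dict:
    """Mirror the CIS audit step: Uid/Gid must match root (0/0 by default)
    and the mode must not grant more than the benchmark allows."""
    st = os.stat(path)
    return {
        "path": path,
        "mode": f"{stat.S_IMODE(st.st_mode):04o}",
        "owner_ok": st.st_uid == expect_uid and st.st_gid == expect_gid,
        "mode_ok": mode_complies(st.st_mode, benchmark),
    }


def audit_constructed_samples() -> dict:
    """Create constructed cron.allow/at.allow samples (0600 and 0640) and
    audit each against both benchmarks. Owner is checked against the current
    user because the samples are not root-owned; the real files must be 0/0."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        samples = {"cron.allow": 0o600, "at.allow": 0o640}
        for name, mode in samples.items():
            path = os.path.join(tmp, name)
            open(path, "w").close()
            os.chmod(path, mode)
            for bench in FORBIDDEN_BITS:
                results[(name, bench)] = audit_file(
                    path, bench, expect_uid=os.getuid(), expect_gid=os.getgid()
                )
    return results


if __name__ == "__main__":
    for (name, bench), r in audit_constructed_samples().items():
        print(f"{name:10} {bench:7} mode={r['mode']} owner_ok={r['owner_ok']} mode_ok={r['mode_ok']}")
```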