Verify Group Who Owns cron.deny
An XCCDF Rule
Description
To properly set the group owner of /etc/cron.deny
, run the command:
$ sudo chgrp root /etc/cron.deny
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
- ID
- xccdf_org.ssgproject.content_rule_file_groupowner_cron_deny
- Severity
- Medium
- Updated
Remediation - Ansible
- name: Test for existence /etc/cron.deny
stat:
path: /etc/cron.deny
register: file_exists
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
tags:
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
chgrp 0 /etc/cron.deny
else