Ensure that /etc/cron.allow exists

An XCCDF Rule

Description

The file /etc/cron.allow should exist and should be used instead of /etc/cron.deny.

Rationale

Access to crontab should be restricted. It is easier to manage an allow list than a deny list. Therefore, /etc/cron.allow needs to be created and used instead of /etc/cron.deny. Regardless of the existence of any of these files, the root administrative user is always allowed to setup a crontab.

ID: xccdf_org.ssgproject.content_rule_file_cron_allow_exists
Severity: Medium
References: 4.1.1.8

CCE-86184-9
Updated: 10 months ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-86184-9
  - disable_strategy  - file_cron_allow_exists
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Add empty /etc/cron.allow
  file:
    path: /etc/cron.allow
    state: touch
    owner: '0'
    mode: '0600'
  when: '"kernel" in ansible_facts.packages'
  tags:
  - CCE-86184-9
  - disable_strategy
  - file_cron_allow_exists
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then

touch /etc/cron.allow
    chown 0 /etc/cron.allow
    chmod 0600 /etc/cron.allow
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ensure that /etc/cron.allow exists

Description

Rationale

Remediation - Ansible

Remediation - Shell Script