Verify Group Who Owns cron.d

An XCCDF Rule

Description

To properly set the group owner of /etc/cron.d, run the command:

$ sudo chgrp root /etc/cron.d

Rationale

Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.

ID: xccdf_org.ssgproject.content_rule_file_groupowner_cron_d
Severity: Medium
References: 12 13 14 15 16 18 3 5

APO01.06 DSS05.04 DSS05.07 DSS06.02

4.3.3.7.3

SR 2.1 SR 5.2

A.10.1.1 A.11.1.4 A.11.1.5 A.11.2.1 A.13.1.1 A.13.1.3 A.13.2.1 A.13.2.3 A.13.2.4 A.14.1.2 A.14.1.3 A.6.1.2 A.7.1.1 A.7.1.2 A.7.3.1 A.8.2.2 A.8.2.3 A.9.1.1 A.9.1.2 A.9.2.3 A.9.4.1 A.9.4.4 A.9.4.5

AC-6(1) CM-6(a)

PR.AC-4 PR.DS-5

SRG-OS-000480-GPOS-00227

2.2 2.2.6

CCI-000366
Updated: about 1 month ago

Remediation Templates

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then
find -H /etc/cron.d/ -maxdepth 1 -type d -exec chgrp -L 0 {} \;

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)  - PCI-DSSv4-2.2
  - PCI-DSSv4-2.2.6
  - configure_strategy
  - file_groupowner_cron_d
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
- name: Ensure group owner on /etc/cron.d/
  file:
    path: /etc/cron.d/
    state: directory
    group: '0'
  when: '"kernel" in ansible_facts.packages'
  tags:
  - NIST-800-53-AC-6(1)
  - NIST-800-53-CM-6(a)
  - PCI-DSSv4-2.2
  - PCI-DSSv4-2.2.6
  - configure_strategy
  - file_groupowner_cron_d
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

Verify Group Who Owns cron.d

Description

Rationale

Remediation Templates

A Shell Script

An Ansible Snippet