Ensure that /etc/cron.deny does not exist

An XCCDF Rule

Description

The file /etc/cron.deny should not exist. Use /etc/cron.allow instead.

Rationale

Access to cron should be restricted. It is easier to manage an allow list than a deny list.

ID: xccdf_org.ssgproject.content_rule_file_cron_deny_not_exist
Severity: Medium
References: 2.2.6

CCE-86849-7

4.1.1.8
Updated: about 1 year ago

- name: Remove /etc/cron.deny
  file:
    path: /etc/cron.deny
    state: absent
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:  - CCE-86849-7
  - PCI-DSSv4-2.2.6
  - disable_strategy
  - file_cron_deny_not_exist
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if [[ -f  /etc/cron.deny ]]; then
        rm /etc/cron.deny
    fi
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi