Verify Group Who Owns cron.daily
An XCCDF Rule
Description
To properly set the group owner of /etc/cron.daily
, run the command:
$ sudo chgrp root /etc/cron.daily
Rationale
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
- ID
- xccdf_org.ssgproject.content_rule_file_groupowner_cron_daily
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then
find -H /etc/cron.daily/ -maxdepth 1 -type d -exec chgrp 0 {} \;
else
Remediation - Ansible
- name: Ensure group owner on /etc/cron.daily/
file:
path: /etc/cron.daily/
state: directory
group: '0'
when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]