Disable At Service (atd)

An XCCDF Rule

Description

The at and batch commands can be used to schedule tasks that are meant to be executed only once. This allows delayed execution in a manner similar to cron, except that it is not recurring. The daemon atd keeps track of tasks scheduled via at and batch, and executes them at the specified time. The atd service can be disabled with the following command:

$ sudo systemctl mask --now atd.service
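An added example, not part of the rule's own content: a shell check that the mask command above took effect, including the cases where the unit is only disabled, masked without `--now`, or masked at runtime only. The function name `evaluate_atd` and the `--live` switch are assumptions of this example, as is treating a host with no atd unit file as compliant.

```shell
#!/bin/sh
# Added example: audit the result of `systemctl mask --now atd.service`.

# evaluate_atd ENABLED_STATE ACTIVE_STATE QUEUED_JOBS   (hypothetical helper)
# Takes the words printed by `systemctl is-enabled` and `systemctl is-active`
# plus a count of queued at jobs, and prints a one-line verdict.
evaluate_atd() {
    enabled_state=$1
    active_state=$2
    queued_jobs=${3:-0}

    case $enabled_state in
        masked) ;;
        masked-runtime)
            echo "FAIL: mask is runtime-only and is lost at reboot"; return ;;
        ''|not-found)
            # Assumption: no unit file means nothing can start atd.
            echo "PASS: atd.service is not installed"; return ;;
        *)
            # "disabled" still allows a manual or dependency-triggered start.
            echo "FAIL: unit is '$enabled_state', not masked"; return ;;
    esac

    case $active_state in
        inactive|failed) ;;
        # Masking without --now leaves an already running daemon alive.
        *) echo "FAIL: unit is masked but still '$active_state'"; return ;;
    esac

    if [ "$queued_jobs" -gt 0 ]; then
        echo "PASS: masked and stopped; $queued_jobs queued job(s) will not run while atd is masked"
    else
        echo "PASS: masked and stopped"
    fi
}

# Live mode queries the running system. Run as root so atq lists all users' jobs.
if [ "${1:-}" = "--live" ]; then
    enabled=$(systemctl is-enabled atd.service 2>/dev/null || true)
    active=$(systemctl is-active atd.service 2>/dev/null || true)
    queued=$(atq 2>/dev/null | wc -l | tr -d ' ')
    verdict=$(evaluate_atd "$enabled" "$active" "$queued")
    echo "$verdict"
    case $verdict in PASS*) exit 0 ;; *) exit 1 ;; esac
fi
```
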

Rationale

The atd service could be used by an unsophisticated insider to carry out activities outside of a normal login session, which could complicate accountability. Furthermore, the need to schedule tasks with at or batch is not common.

ID: xccdf_org.ssgproject.content_rule_service_atd_disabled
Severity: Medium

Remediation - Ansible

- name: Disable At Service (atd) - Collect systemd Services Present in the System
  ansible.builtin.command: systemctl -q list-unit-files --type service
  register: service_exists
  changed_when: false
  failed_when: service_exists.rc not in [0, 1]
  check_mode: false

Remediation - OS Build Blueprint


[customizations.services]
masked = ["atd"]

Remediation - Puppet

include disable_atd

class disable_atd {
  service {'atd':
    enable => false,
    ensure => 'stopped',
  }
}