Verify Group Who Owns /etc/at.allow file

An XCCDF Rule

Description

If /etc/at.allow exists, it must be group-owned by root. To properly set the group owner of /etc/at.allow, run the command:

$ sudo chgrp root /etc/at.allow

Rationale

If the owner of the at.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.

ID: xccdf_org.ssgproject.content_rule_file_groupowner_at_allow
Severity: Medium
References: 2.2 2.2.6

5.1.9

CCE-91685-8
Updated: about 1 month ago

Remediation Templates

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default; then
chgrp 0 /etc/at.allow

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-91685-8
  - PCI-DSSv4-2.2  - PCI-DSSv4-2.2.6
  - configure_strategy
  - file_groupowner_at_allow
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
- name: Test for existence /etc/at.allow
  stat:
    path: /etc/at.allow
  register: file_exists
  when: '"kernel-default" in ansible_facts.packages'
  tags:
  - CCE-91685-8
  - PCI-DSSv4-2.2
  - PCI-DSSv4-2.2.6
  - configure_strategy
  - file_groupowner_at_allow
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure group owner 0 on /etc/at.allow
  file:
    path: /etc/at.allow
    group: '0'
  when:
  - '"kernel-default" in ansible_facts.packages'
  - file_exists.stat is defined and file_exists.stat.exists
  tags:
  - CCE-91685-8
  - PCI-DSSv4-2.2
  - PCI-DSSv4-2.2.6
  - configure_strategy
  - file_groupowner_at_allow
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

Verify Group Who Owns /etc/at.allow file

Description

Rationale

Remediation Templates

A Shell Script

An Ansible Snippet