Verify User Who Owns /etc/at.allow file

An XCCDF Rule

Description

If /etc/at.allow exists, it must be owned by root. To properly set the owner of /etc/at.allow, run the command:

$ sudo chown root /etc/at.allow

Rationale

If the owner of the at.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.

ID: xccdf_org.ssgproject.content_rule_file_owner_at_allow
Severity: Medium
References: 2.2 2.2.6

5.1.9
Updated: 5 days ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - PCI-DSSv4-2.2
  - PCI-DSSv4-2.2.6  - configure_strategy
  - file_owner_at_allow
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Test for existence /etc/at.allow
  stat:
    path: /etc/at.allow
  register: file_exists
  when: '"kernel" in ansible_facts.packages'
  tags:
  - PCI-DSSv4-2.2
  - PCI-DSSv4-2.2.6
  - configure_strategy
  - file_owner_at_allow
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure owner 0 on /etc/at.allow
  file:
    path: /etc/at.allow
    owner: '0'
  when:
  - '"kernel" in ansible_facts.packages'
  - file_exists.stat is defined and file_exists.stat.exists
  tags:
  - PCI-DSSv4-2.2
  - PCI-DSSv4-2.2.6
  - configure_strategy
  - file_owner_at_allow
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}
' 'kernel' 2>/dev/null | grep -q installed; then

chown 0 /etc/at.allow
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Verify User Who Owns /etc/at.allow file

Description

Rationale

Remediation - Ansible

Remediation - Shell Script