Ensure that /etc/at.deny does not exist

An XCCDF Rule

Description

The file /etc/at.deny should not exist. Use /etc/at.allow instead.

Rationale

Access to at should be restricted. It is easier to manage an allow list than a deny list.

ID: xccdf_org.ssgproject.content_rule_file_at_deny_not_exist
Severity: Medium
References: 2.2 2.2.6

5.1.9

CCE-91313-7
Updated: over 1 year ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - CCE-91313-7
  - PCI-DSSv4-2.2  - PCI-DSSv4-2.2.6
  - disable_strategy
  - file_at_deny_not_exist
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Remove /etc/at.deny
  file:
    path: /etc/at.deny
    state: absent
  when: '"kernel-default" in ansible_facts.packages'
  tags:
  - CCE-91313-7
  - PCI-DSSv4-2.2
  - PCI-DSSv4-2.2.6
  - disable_strategy
  - file_at_deny_not_exist
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel-default; then

if [[ -f  /etc/at.deny ]]; then
        rm /etc/at.deny
    fi
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ensure that /etc/at.deny does not exist

Description

Rationale

Remediation - Ansible

Remediation - Shell Script