5.5 Services - at access is root only - root exists in at.allow

Information

This change creates an at.allow file with a root user entry and removes the at.deny file, if it exists.

Rationale:

This ensures that only the root user has the ability to schedule jobs through the at command. A hacker may exploit use of at to execute programs or processes automatically. Limiting access to the root account only reduces this risk.

Solution

Create the /var/adm/cron/at.allow file and remove /var/adm/cron/at.deny (if it exists):

echo 'root' > /var/adm/cron/at.allow
rm /var/adm/cron/at.deny

Default Value:

N/A

See Also

https://workbench.cisecurity.org/files/4119

Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

References: 800-53|SI-16, CSCv7|8.3

Plugin: Unix

Control ID: bceb2278f0b4dd4d88f2bc397de49cf4cec6a21e3efef6d8bf23d58bc0ac1cc7