Detections
Analytics

2.4.2.1 Ensure at is restricted to authorized users

Information

at allows fairly complex time specifications, extending the POSIX.2 standard. It accepts times of the form HH:MM to run a job at a specific time of day. (If that time is already past, the next day is assumed.) You may also specify midnight, noon, or teatime (4pm) and you can have a time-of-day suffixed with AM or PM for running in the morning or the evening. You can also say what day the job will be run, by giving a date in the form month-name day with an optional year, or giving a date of the form MMDD[CC]YY, MM/DD/[CC]YY, DD.MM.[CC]YY or [CC]YY-MM-DD. The specification of a date must follow the specification of the time of day. You can also give times like now + count time-units, where the time-units can be minutes, hours, days, or weeks and you can tell at to run the job today by suffixing the time with today and to run the job tomorrow by suffixing the time with tomorrow.

The /etc/at.allow and /etc/at.deny files determine which user can submit commands for later execution via at or batch. The format of the files is a list of usernames, one on each line. Whitespace is not permitted. If the file /etc/at.allow exists, only usernames mentioned in it are allowed to use at. If /etc/at.allow does not exist, /etc/at.deny is checked, every username not mentioned in it is then allowed to use at. An empty /etc/at.deny means that every user may use at. If neither file exists, only the superuser is allowed to use at.

On many systems, only the system administrator is authorized to schedule at jobs. Using the at.allow file to control who can run at jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files.

Solution

- IF - at is installed on the system:

Run the following script to:

 - /etc/at.allow :
 - Create the file if it doesn't exist
 - Change owner or user root
 - If group daemon exists, change to group daemon else change group to root
 - Change mode to 640 or more restrictive

 - - IF - /etc/at.deny exists:
 - Change owner or user root
 - If group daemon exists, change to group daemon else change group to root
 - Change mode to 640 or more restrictive

#!/usr/bin/env bash

{
 grep -Pq -- '^daemonb' /etc/group && l_group="daemon" || l_group="root"
 [ ! -e "/etc/at.allow" ] && touch /etc/at.allow
 chown root:"$l_group" /etc/at.allow
 chmod u-x,g-wx,o-rwx /etc/at.allow
 [ -e "/etc/at.deny" ] && chown root:"$l_group" /etc/at.deny
 [ -e "/etc/at.deny" ] && chmod u-x,g-wx,o-rwx /etc/at.deny
}

See Also

https://workbench.cisecurity.org/benchmarks/18208

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 98ed1dc22e21f3d56ffb9e8ac6f57038b045b9cc6ee63c5b39ec3494a0085d37