5.1.9 Ensure at is restricted to authorized users - /etc/at.deny

Information

If at is installed in the system, configure /etc/at.allow to allow specific users to use these services. If /etc/at.allow does not exist, then /etc/at.deny is checked. Any user not specifically defined in those files is allowed to use at. By removing the file, only users in /etc/at.allow are allowed to use at.

Rationale:

On many systems, only the system administrator is authorized to schedule at jobs. Using the at.allow file to control who can run at jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files.

Solution

Run the following command to remove /etc/at.deny:

# rm /etc/at.deny

Run the following command to create /etc/at.allow

# touch /etc/at.allow

Run the following commands to set the owner and permissions on /etc/at.allow:

# chown root:root /etc/at.allow

# chmod u-x,og-rwx /etc/at.allow

Additional Information:

Note: Even though a given user is not listed in at.allow, at jobs can still be run as that user. The at.allow file only controls administrative access to the at command for scheduling and modifying at jobs.

See Also

https://workbench.cisecurity.org/files/3144

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|16

Plugin: Unix

Control ID: 9e4037e2d415a2ef54a7278cd2c81b27c0d69771977d7e89d3460eba92b89444