5.1.9 Ensure at is restricted to authorized users - '/etc/at.deny'

Information

Configure /etc/at.allow to allow specific users to use this service. If /etc/at.allow does not exist, then /etc/at.deny is checked. Any user not specifically defined in this file is allowed to use at. By removing the file, only users in /etc/at.allow are allowed to use at.

Note: Other methods, such as systemd timers, exist for scheduling jobs. If another method is used, at should be removed, and the alternate method should be secured in accordance with local site policy

Rationale:

On many systems, only the system administrator is authorized to schedule at jobs. Using the at.allow file to control who can run at jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files.

Solution

Run the following commands to remove /etc/at.deny:

# rm /etc/at.deny

Run the following command to create /etc/at.allow

# touch /etc/at.allow

Run the following commands to set permissions and ownership for /etc/at.allow:

# chmod g-wx,o-rwx /etc/at.allow

# chown root:root /etc/at.allow

See Also

https://workbench.cisecurity.org/files/3219

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-3, CSCv7|14.6

Plugin: Unix

Control ID: e2171cf209bd4b4891b9ab00ad957cca5d30ceb141ddae3ac60141313885a1ec