GEN003470 - The at.allow file must be group-owned by system, bin, sys, or cron.

Information

If the group-owner of the at.allow file is not set to system, bin, sys, or cron, unauthorized users could be allowed to view or edit the list of users permitted to run at jobs. Unauthorized modification could result in Denial of Service to authorized at users or provide unauthorized users with the ability to run at jobs.

Solution

Change the group owner of the at.allow file to sys, system, bin, or cron.
Procedure:
# chgrp cron /var/adm/cron/at.allow

See Also

http://iasecontent.disa.mil/stigs/zip/U_STIG_Library_2015_07.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6, CAT|II, CCI|CCI-000225, Rule-ID|SV-39354r1_rule, STIG-ID|GEN003470, Vuln-ID|V-22397

Plugin: Unix

Control ID: 6bc1a3b5c55b148ec2b442d575ae5f4d212cb4762af84a529d156367e7ce1c46