
Problem with rule "Verify Group Who Owns /etc/cron.allow file" #11898

Closed
marcofortina opened this issue Apr 26, 2024 · 2 comments · Fixed by #11899
Labels: Ubuntu (Ubuntu product related)

Comments

@marcofortina
Contributor

Description of problem:

Following the remediation script for this rule will produce an error for users allowed to run cron.

SCAP Security Guide Version:

master branch

Operating System Version:

Ubuntu 22.04 LTS

Steps to Reproduce:

  1. Set permissions on /etc/cron.allow:
root@ubuntu:~# chown root:root /etc/cron.allow
root@ubuntu:~# chmod u-x,g-wx,o-rwx /etc/cron.allow

root@ubuntu:~# stat /etc/cron.allow
  File: /etc/cron.allow
  Size: 0         	Blocks: 0          IO Block: 4096   regular empty file
Device: fd00h/64768d	Inode: 132969      Links: 1
Access: (0640/-rw-r-----)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2024-04-25 23:39:20.627379836 +0000
Modify: 2024-04-25 23:39:20.627379836 +0000
Change: 2024-04-26 10:55:41.546259651 +0000
 Birth: 2024-04-25 23:39:20.627379836 +0000
  2. Execute the oscap check for this rule:
root@ubuntu:~# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_level2_server --rule xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow ssg-ubuntu2204-ds.xml

Title   Verify Group Who Owns /etc/cron.allow file
Rule    xccdf_org.ssgproject.content_rule_file_groupowner_cron_allow
Result  pass
  3. Allow the ubuntu user to run cron:
root@ubuntu:~# cat /etc/cron.allow
ubuntu
  4. As user ubuntu, try to edit its own crontab:
root@ubuntu:~# su - ubuntu
ubuntu@ubuntu:~$ crontab -l
/etc/cron.allow: Permission denied
You (ubuntu) are not allowed to use this program (crontab)
See crontab(1) for more information

Additional Information/Debugging Steps:

File /etc/cron.allow should be owned by the group crontab:

root@ubuntu:~# chgrp crontab /etc/cron.allow
root@ubuntu:~# stat /etc/cron.allow
  File: /etc/cron.allow
  Size: 7         	Blocks: 8          IO Block: 4096   regular file
Device: fd00h/64768d	Inode: 133448      Links: 1
Access: (0640/-rw-r-----)  Uid: (    0/    root)   Gid: (  112/ crontab)
Access: 2024-04-26 10:59:03.022526578 +0000
Modify: 2024-04-26 10:58:58.678522461 +0000
Change: 2024-04-26 11:03:44.074679809 +0000
 Birth: 2024-04-26 10:58:58.678522461 +0000
root@ubuntu:~# su - ubuntu
ubuntu@ubuntu:~$ crontab -l
no crontab for ubuntu

Ticket 21619 was also opened to CIS WorkBench community.
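A small POSIX shell check, added here as an example and not part of the issue or of ComplianceAsCode, that captures what the reproduction above shows: on Debian/Ubuntu `/usr/bin/crontab` is setgid to the `crontab` group and opens `/etc/cron.allow` with that group's privileges, so the file has to be readable by the group the binary actually runs as, not by whatever group a fixed numeric GID happens to be. The function names, the `stat -c` usage (GNU coreutils assumed) and the default paths are the example's own assumptions; system GIDs such as `crontab` are allocated at package install time, which is why the check compares group names rather than numbers.

```shell
#!/bin/sh
# Added example (not from the issue or the ComplianceAsCode project).
# Verifies that a cron access file (e.g. /etc/cron.allow) is group-owned by,
# and readable by, the group the crontab binary runs as.
# Assumption: GNU stat (-c '%G' / '%A') is available, i.e. Linux coreutils.

# Group name of a path, resolved by name rather than numeric GID, because
# system groups such as "crontab" get different GIDs on different hosts.
file_group() {
    stat -c '%G' "$1"
}

# Return 0 if $1 is group-owned by $2 and has the group read bit set.
# Return 1 on a mismatch, 2 if the file cannot be stat'ed.
check_group_access() {
    file=$1
    want=$2
    have=$(file_group "$file") || return 2
    if [ "$have" != "$want" ]; then
        echo "FAIL: $file is group-owned by '$have', expected '$want'" >&2
        return 1
    fi
    # Symbolic mode looks like "-rw-r-----": position 5 is the group read bit.
    mode=$(stat -c '%A' "$file") || return 2
    case "$mode" in
        ????r*) return 0 ;;
        *) echo "FAIL: $file mode $mode is not group-readable" >&2; return 1 ;;
    esac
}

# The group a crontab binary reads cron.allow as: its group owner when the
# setgid bit is set (position 7 of the symbolic mode is 's' or 'S'),
# otherwise the calling user's primary group.
crontab_effective_group() {
    bin=${1:-/usr/bin/crontab}
    mode=$(stat -c '%A' "$bin") || return 2
    case "$mode" in
        ??????s*|??????S*) file_group "$bin" ;;
        *) id -gn ;;
    esac
}

# Top-level check: cron.allow must be readable by the crontab binary's group.
# A missing cron.allow is not an error (matches the rule's missing_file_pass).
check_cron_allow() {
    allow=${1:-/etc/cron.allow}
    bin=${2:-/usr/bin/crontab}
    if [ ! -e "$allow" ]; then
        echo "OK: $allow does not exist; nothing to check"
        return 0
    fi
    grp=$(crontab_effective_group "$bin") || return 2
    check_group_access "$allow" "$grp" && echo "OK: $allow is readable by group '$grp'"
}

# Usage: ./cron_allow_check.sh /etc/cron.allow /usr/bin/crontab
# (only runs when paths are given, so the file can also be sourced)
[ "$#" -gt 0 ] && check_cron_allow "$@"
```

On the reporter's host the first `stat` output (group `root`, mode 0640) makes `check_group_access` fail because `crontab_effective_group` resolves to `crontab`; after the `chgrp crontab` in the debugging steps the same check passes.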

@marcofortina
Contributor Author

I did some tests and it seems this should fix this issue:

diff --git a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml
index d7ba7b7b18..031c7bfbd3 100644
--- a/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml
+++ b/linux_os/guide/services/cron_and_at/restrict_at_cron_users/file_groupowner_cron_allow/rule.yml
@@ -3,12 +3,18 @@ documentation_complete: true
 
 title: 'Verify Group Who Owns /etc/cron.allow file'
 
+{{% if "ubuntu" in product %}}
+    {{% set target_group="crontab" %}}
+{{% else %}}
+    {{% set target_group="root" %}}
+{{% endif %}}
+
 description: |-
-    If <tt>/etc/cron.allow</tt> exists, it must be group-owned by <tt>root</tt>.
-    {{{ describe_file_group_owner(file="/etc/cron.allow", group="root") }}}
+    If <tt>/etc/cron.allow</tt> exists, it must be group-owned by <tt>target_group</tt>.
+    {{{ describe_file_group_owner(file="/etc/cron.allow", group=target_group) }}}
 
 rationale: |-
-    If the owner of the cron.allow file is not set to root, the possibility exists for an
+    If the owner of the cron.allow file is not set to target_group, the possibility exists for an
     unauthorized user to view or edit sensitive information.
 
 severity: medium
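Review bot: The description and rationale lines use the variable name as literal text (`<tt>target_group</tt>` and `not set to target_group`), so the rendered rule will read "group-owned by target_group" rather than "crontab" or "root"; only the macro calls (`group=target_group`) actually pass the variable. Substitute the value with the expression syntax this file already uses for macros, e.g. `<tt>{{{ target_group }}}</tt>` and `not set to {{{ target_group }}}`. Separately, the rationale still says "the owner of the cron.allow file" although the rule (and its title) checks the group owner; "group owner" would match.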
@@ -37,14 +43,18 @@ references:
     stigid@ol7: OL07-00-021120
     stigid@rhel7: RHEL-07-021120
 
-ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/cron.allow", group="root") }}}'
+ocil_clause: '{{{ ocil_clause_file_group_owner(file="/etc/cron.allow", group=target_group) }}}'
 
 ocil: |-
-    {{{ ocil_file_group_owner(file="/etc/cron.allow", group="root") }}}
+    {{{ ocil_file_group_owner(file="/etc/cron.allow", group=target_group) }}}
 
 template:
     name: file_groupowner
     vars:
         filepath: /etc/cron.allow
         missing_file_pass: 'true'
+{{% if "ubuntu" in product %}}
+        gid_or_name: '112'
+{{% else %}}
         gid_or_name: '0'
+{{% endif %}}
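Review bot: `gid_or_name: '112'` hard-codes the numeric GID observed on the reporter's machine (`Gid: (  112/ crontab)` in the stat output above). `crontab` is a system group that Debian/Ubuntu create at package install time with a dynamically allocated GID, so 112 is not stable across hosts and the check would pass or fail depending on which GID the group received. Since the variable is named `gid_or_name`, pass the name instead, and reuse the `target_group` set at the top of the file so the two `{{% if "ubuntu" in product %}}` blocks cannot drift apart, e.g. `gid_or_name: '{{{ target_group }}}'` (assuming the file_groupowner template accepts a group name, as the variable name suggests).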

I will create a PR for this.

marcofortina added a commit to marcofortina/scap-security-guide that referenced this issue Apr 26, 2024
@dodys
Contributor

dodys commented Apr 26, 2024

@marcofortina thanks for reporting this. I believe this is an issue with CIS on Ubuntu 22.04 only, they seem to have already fixed it in CIS for Ubuntu 20.04.
Nevertheless we can apply the fix here for both.

@dodys dodys added the Ubuntu Ubuntu product related. label Apr 26, 2024
@dodys dodys self-assigned this Apr 26, 2024
marcofortina added a commit to marcofortina/scap-security-guide that referenced this issue Apr 26, 2024
dodys added a commit that referenced this issue Apr 29, 2024