Comments (2)
Hello,
Thanks for raising the issue. I can make the change, but I want to make sure I fully understand the mistake being made before making it. I have the audit and remediation from that control in the benchmark below. Looking at the audit output that is being used as the "good" finding, it is set to 640. Then in the remediation step it has you removing write and execute from group and read/write/execute from other. Doing it by the number, I think 640 is correct for those files, since in the end the user perms are left with whatever, group is left with only read permissions, and other has none. Let me know if I'm misinterpreting the control.
audit section:
Run the following command and verify Uid and Gid are both 0/root and Access does not grant write or execute to group, and does not grant permissions to other for /etc/cron.allow:

# stat /etc/cron.allow
Access: (0640/-rw-r-----) Uid: ( 0/ root) Gid: ( 0/ root)
remediation section:
chmod g-wx,o-rwx /etc/cron.allow
George
from ubuntu18-cis.
Ah I see the issue, I was comparing the Distribution Independent Linux CIS Benchmark instead of the Ubuntu-specific CIS Benchmark.
In the DIL benchmark the 5.1.8 criterion requires 0600 permissions for the at/cron files, whereas in the Ubuntu benchmark the 5.1.8 criterion calls for 0640 permissions.
Not entirely sure why the permissions differ, but AFAICT it seems that Debian/Ubuntu systems need the 640 permissions because the crontab group needs to be able to read the at/cron files to properly restrict user access.
i.e.
- https://bugs.launchpad.net/ubuntu/+source/bastille/+bug/55741
- https://groups.google.com/g/comp.os.linux.security/c/Z1-dOm8YegI
from ubuntu18-cis.
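The two comments above describe the same control under two readings: the Ubuntu benchmark audit text (root:root, no group write/execute, nothing for other, so 0640 passes) and the Distribution Independent text (0600). The script below is an added example, not code from ubuntu18-cis or from either CIS benchmark. It encodes each reading as a profile, checks the mode/uid/gid values without needing root, wraps that check around a real file using GNU coreutils `stat`, and shows on a scratch file why the quoted remediation `chmod g-wx,o-rwx` ends at 640 rather than 600. The function names and the `ubuntu`/`dil` profile labels are this example's own.

```shell
#!/bin/sh
# Added example, not code from ubuntu18-cis or from either CIS benchmark.
# It turns the 5.1.8 audit text quoted above into a check on (mode, uid, gid)
# that runs without root, a wrapper that reads a real file with GNU stat,
# and a demo of what the remediation `chmod g-wx,o-rwx` leaves behind.
# Function names and the "ubuntu"/"dil" profile labels are this example's own.

# cis_cron_perm_check MODE UID GID [PROFILE]
#   MODE    permission string as printed by `stat -c %a` (e.g. 640, or 4640 with setuid)
#   PROFILE ubuntu: Ubuntu benchmark wording, no group write/execute, nothing for
#                   other, so 0640 and 0600 both pass
#           dil:    Distribution Independent benchmark, 0600, no group bits at all
# Returns 0 when the file would pass the audit, 1 when it would not.
cis_cron_perm_check() {
    mode=$1 uid=$2 gid=$3 profile=${4:-ubuntu}
    perm=$(( 0$mode & 0777 ))        # leading 0 parses as octal; drop setuid/setgid/sticky
    group=$(( (perm >> 3) & 7 ))
    other=$(( perm & 7 ))
    [ "$uid" -eq 0 ] || return 1     # Uid must be 0/root
    [ "$gid" -eq 0 ] || return 1     # Gid must be 0/root
    [ "$other" -eq 0 ] || return 1   # "does not grant permissions to other"
    case $profile in
        ubuntu) [ $(( group & 3 )) -eq 0 ] ;;   # write=2, execute=1 forbidden; read=4 allowed
        dil)    [ "$group" -eq 0 ] ;;           # group must have nothing
        *)      echo "unknown profile: $profile" >&2; return 2 ;;
    esac
}

# cis_cron_file_audit FILE [PROFILE]: audit a real file, print PASS/FAIL, return accordingly.
cis_cron_file_audit() {
    f=$1 profile=${2:-ubuntu}
    if [ ! -e "$f" ]; then
        echo "FAIL $f: does not exist"
        return 1
    fi
    set -- $(stat -c '%a %u %g' "$f")     # GNU coreutils stat: mode uid gid
    if cis_cron_perm_check "$1" "$2" "$3" "$profile"; then
        echo "PASS $f ($profile) mode=$1 uid=$2 gid=$3"
    else
        echo "FAIL $f ($profile) mode=$1 uid=$2 gid=$3"
        return 1
    fi
}

# cis_cron_remediate_demo START_MODE: put a scratch file (constructed, not a real
# cron file) into START_MODE, apply the benchmark remediation, print the result.
cis_cron_remediate_demo() {
    tmp=$(mktemp) || return 1
    chmod "$1" "$tmp"
    chmod g-wx,o-rwx "$tmp"              # the 5.1.8 remediation quoted above
    stat -c '%a' "$tmp"
    rm -f "$tmp"
}

# Stand-alone run: audit the files the control covers under both readings,
# then show why the remediation ends at 640 rather than 600.
for f in /etc/cron.allow /etc/at.allow; do
    cis_cron_file_audit "$f" ubuntu || :
    cis_cron_file_audit "$f" dil || :
done
echo "0644 + chmod g-wx,o-rwx -> $(cis_cron_remediate_demo 644)"   # 640
echo "0600 + chmod g-wx,o-rwx -> $(cis_cron_remediate_demo 600)"   # 600
```

Running it on a Debian/Ubuntu host with 0640 root:root files prints PASS under `ubuntu` and FAIL under `dil`, which is exactly the disagreement between the two benchmark texts; a file at 0644 or 0660 fails both, because other-read and group-write are forbidden in both readings.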