Defined Type: linux_secured::validators::cron_is_restricted_to_authorized_users

Defined in:
manifests/validators/cron_is_restricted_to_authorized_users.pp

Summary

Puppet validators are Puppet defined types that inspect the system and report when the system deviates from the specified security control.

Overview

linux_secured::validators::cron_is_restricted_to_authorized_users

These Puppet defined types make NO changes to your system; they only report deviations.

## Description

If `cron` is installed on the system, configure `/etc/cron.allow` to allow specific users to use these services. If `/etc/cron.allow` does not exist, then `/etc/cron.deny` is checked. Any user not specifically defined in those files is allowed to use cron. By removing the file, only users in `/etc/cron.allow` are allowed to use `cron`.

Note: Even though a given user is not listed in `cron.allow`, `cron` jobs can still be run as that user. The `cron.allow` file only controls administrative access to the `crontab` command for scheduling and modifying `cron` jobs.

## Rationale

On many systems, only the system administrator is authorized to schedule `cron` jobs. Using the `cron.allow` file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. With a deny list, you could potentially add a user ID to the system and forget to add it to the deny files.

## Skipping

To deliberately skip this control (i.e. not use Puppet to enforce this setting), there are two ways:

1) Add `linux_secured::validators::cron_is_restricted_to_authorized_users: skip` to your hiera data. This skips the control for ALL systems.
2) Add an entry with the content `cron_is_restricted_to_authorized_users` to the array value `linux_secured::skip_list` in your hiera data.

## Excellent Compliance Solution

Puppet is an excellent solution for ensuring your systems are CIS or STIG compliant. You are now looking at information about only one compliance control, but managing total compliance isn't hard either!

If you like the prospect of an easy way into continuous compliance with minimal fuss and bother, we suggest taking a look at [our solution](/docs/linux_secured/description.html) as your go-to option. Plus, our team can help you get up and running so that you can focus on other areas of your business. What are you waiting for? [Get started today!](/company/contact/)

## Benchmarks

This control is used in the following benchmarks:

  • [Oracle Linux 8 CIS V2.0.0](/docs/linux_secured/cis/oraclelinux8_V2.0.0.html) - paragraph 5.1.8

  • [RedHat Enterprise Linux 8 CIS V2.0.0](/docs/linux_secured/cis/redhat_el8_V2.0.0.html) - paragraph 5.1.8

See the file “LICENSE” for the full license governing this code.

Parameters:

  • title

    The system identifier to apply the control to. All controls need a system identifier to apply the control to. Here is a simple example:

    ```puppet
    linux_secured::controls::control_name { 'host': }
    ```

    Although for `linux_secured` you can put anything in there, it is recommended that you use the string `host`.

  • skip (Boolean) (defaults to: linux_secured::lookup_setting('skip', false))
  • report_as (String[1]) (defaults to: linux_secured::lookup_setting('report_as', 'warning'))

# File 'manifests/validators/cron_is_restricted_to_authorized_users.pp', line 61

define linux_secured::validators::cron_is_restricted_to_authorized_users (
  Boolean   $skip = linux_secured::lookup_setting('skip', false),
  String[1] $report_as = linux_secured::lookup_setting('report_as', 'warning'),
) {
  # lint:ignore:strict_indent
  $script = @(SCRIPT)
    #!/usr/bin/env bash

    cron_chk()
    {
      if rpm -q cronie >/dev/null; then
          [ -e /etc/cron.deny ] && echo "Fail: cron.deny exists"
          if [ ! -e /etc/cron.allow ]; then 
            echo "Fail: cron.allow doesn't exist"
          else
            ! stat -Lc "%a" /etc/cron.allow | grep -Eq "[0,2,4,6]00" && echo "Fail: cron.allow mode too permissive"
            ! stat -Lc "%u:%g" /etc/cron.allow | grep -Eq "^0:0$" && echo "Fail: cron.allow owner and/or group not root"
          fi
          if [ ! -e /etc/cron.deny ] && [ -e /etc/cron.allow ] && stat -Lc "%a" /etc/cron.allow | grep -Eq "[0,2,4,6]00" \
            && stat -Lc "%u:%g" /etc/cron.allow | grep -Eq "^0:0$"; then
            echo "Pass"
          fi
      else
          echo "Pass: cron is not installed on the system"
      fi
    }
    cron_chk
    | SCRIPT
  # lint:endignore:strict_indent

  linux_secured_setup { "cron_is_restricted_to_authorized_users validation on ${title}":
    ensure => 'present',
  }

  -> validation { "cron is restricted to authorized users on ${title}":
    check           => "bash ${script}",
    path            => ['/usr/sbin/', '/usr/bin'],
    expected_output => /Pass/,
    report_as       => $report_as,
    skip            => $skip,
    control         => easy_type::current_control(),
    fail_message    => "cron should be restricted to authorized users on ${title}, but it is NOT",
  }
}
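The same audit as the validator's script above, as an added example that is not part of the `linux_secured` module: it is made relative to a root directory so it can be exercised against constructed fixtures as a non-root user, and the expected owner is a parameter (0:0 on a real host). It assumes GNU coreutils `stat`, leaves out the `rpm -q cronie` package test, and goes slightly beyond the original by comparing the mode bits numerically, so a special bit such as setuid on `cron.allow` is also reported.

```shell
#!/bin/sh
# Added example, not part of the linux_secured module. The validator's audit,
# made relative to ROOT so it can run against constructed fixtures as any user.
# Assumes GNU coreutils stat; the rpm -q cronie package test is left out.

# cron_access_audit ROOT EXPECTED_UID EXPECTED_GID
# Prints one line per deviation (or "Pass"); exit status 0 only on Pass.
cron_access_audit() {
  _allow="$1/etc/cron.allow"
  _deny="$1/etc/cron.deny"
  _fails=0
  # A cron.deny file turns crontab access into a deny list: a deviation itself.
  if [ -e "$_deny" ]; then
    echo "Fail: cron.deny exists"; _fails=$((_fails + 1))
  fi
  if [ ! -e "$_allow" ]; then
    echo "Fail: cron.allow doesn't exist"; _fails=$((_fails + 1))
  else
    _mode=$(stat -Lc '%a' "$_allow")
    _owner=$(stat -Lc '%u:%g' "$_allow")
    # Mask owner-execute, all group/other bits and setuid/setgid/sticky: any
    # set bit fails. Same verdict as the validator's [0,2,4,6]00 regex for
    # three-digit modes, and stricter for a stray special bit (e.g. 4600).
    if [ $(( 0$_mode & 07177 )) -ne 0 ]; then
      echo "Fail: cron.allow mode $_mode too permissive"; _fails=$((_fails + 1))
    fi
    if [ "$_owner" != "$2:$3" ]; then
      echo "Fail: cron.allow owner and/or group not $2:$3"; _fails=$((_fails + 1))
    fi
  fi
  [ "$_fails" -eq 0 ] && echo "Pass"
}

# make_fixture MODE [deny]: throwaway root with etc/cron.allow at MODE and,
# when a second argument is given, an etc/cron.deny. Constructed data only.
make_fixture() {
  _fx=$(mktemp -d)
  mkdir -p "$_fx/etc"
  : > "$_fx/etc/cron.allow"
  chmod "$1" "$_fx/etc/cron.allow"
  if [ -n "${2:-}" ]; then : > "$_fx/etc/cron.deny"; fi
  echo "$_fx"
}

# Demo: a non-root user cannot create root-owned files, so the expected owner
# here is the caller's own uid/gid (it would be 0 0 on a real host).
good=$(make_fixture 600); bad=$(make_fixture 644 deny)
cron_access_audit "$good" "$(id -u)" "$(id -g)"          # Pass
cron_access_audit "$bad" "$(id -u)" "$(id -g)" || true    # two Fail lines
rm -rf "$good" "$bad"
```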