Fix failing file_permissions_crontab

The rule `file_permissions_crontab` fails in a scan performed after deployment of a CentOS Stream 9 bootable container image hardened with the PCI-DSS profile. The HTML report shows that the mode of `/etc/crontab` is `0640` but the rule expects the mode of this file should be `0600`. The rule passed during the container image build process because the file `/etc/crontab` didn't exist. The root cause is that the `cronie` RPM package that provides `/etc/crontab` is neither present in the CS 9 base image nor it's installed as a dependency of the PCI-DSS profile. We will fix this problem by including the rule `package_cron_installed` to the profile which will install the `cronie` package before `oscap` and then it will change the `/etc/crontab` mode during remediation.
ComplianceAsCode · Jan 10, 2025 · 2a2daf9 · 2a2daf9
1 parent 04c056a
commit 2a2daf9
Show file tree

Hide file tree

Showing 5 changed files with 5 additions and 2 deletions.
diff --git a/controls/pcidss_4.yml b/controls/pcidss_4.yml
@@ -500,6 +500,7 @@ controls:
         - file_permissions_cron_allow
         - file_groupowner_crontab
         - file_owner_crontab
+        - package_cron_installed
         - file_permissions_crontab
         - file_groupowner_cron_d
         - file_owner_cron_d

diff --git a/linux_os/guide/services/cron_and_at/package_cron_installed/rule.yml b/linux_os/guide/services/cron_and_at/package_cron_installed/rule.yml
@@ -1,4 +1,4 @@
-{{% if product in ["rhel9", "rhel10", "sle12", "sle15"] %}}
+{{% if product in ["rhel8", "rhel9", "rhel10", "sle12", "sle15"] %}}
 {{% set package_name = "cronie" %}}
 {{% else %}}
 {{% set package_name = "cron" %}}
@@ -15,6 +15,7 @@ rationale: 'The cron service allow periodic job execution, needed for almost all
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-86178-1
     cce@rhel9: CCE-86170-8
     cce@rhel10: CCE-86619-4
     cce@sle12: CCE-92263-3

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -1,4 +1,3 @@
-CCE-86178-1
 CCE-86179-9
 CCE-86180-7
 CCE-86186-4

diff --git a/tests/data/profile_stability/rhel8/pci-dss.profile b/tests/data/profile_stability/rhel8/pci-dss.profile
@@ -201,6 +201,7 @@ selections:
 - package_audispd-plugins_installed
 - package_audit_installed
 - package_chrony_installed
+- package_cron_installed
 - package_dhcp_removed
 - package_firewalld_installed
 - package_ftp_removed

diff --git a/tests/data/profile_stability/rhel9/pci-dss.profile b/tests/data/profile_stability/rhel9/pci-dss.profile
@@ -198,6 +198,7 @@ selections:
 - package_audispd-plugins_installed
 - package_audit_installed
 - package_chrony_installed
+- package_cron_installed
 - package_cryptsetup-luks_installed
 - package_dhcp_removed
 - package_firewalld_installed