Merge pull request #12652 from jan-cerny/file_permissions_crontabs

Improve rule file_permssions_crontab
ComplianceAsCode · Dec 10, 2024 · b3b1560 · b3b1560
2 parents dddbdd5 + d06fa13
commit b3b1560
Show file tree

Hide file tree

Showing 13 changed files with 16 additions and 2 deletions.
diff --git a/controls/cis_rhel10.yml b/controls/cis_rhel10.yml
@@ -1104,6 +1104,7 @@ controls:
       - l1_workstation
     status: automated
     rules:
+      - package_cron_installed
       - service_crond_enabled
 
   - id: 2.4.1.2

diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml
@@ -1099,6 +1099,7 @@ controls:
       - l1_workstation
     status: automated
     rules:
+      - package_cron_installed
       - service_crond_enabled
 
   - id: 2.4.1.2

diff --git a/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml b/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
@@ -100,6 +100,7 @@ controls:
             - package_nss-tools_installed
             - package_policycoreutils-python-utils_installed
             - package_policycoreutils_installed
+            - package_cron_installed
 
             # mount options
             - mount_option_nodev_remote_filesystems

diff --git a/controls/stig_rhel9.yml b/controls/stig_rhel9.yml
@@ -958,6 +958,7 @@ controls:
             - medium
         title: RHEL 9 cron configuration directories must have a mode of 0700 or less permissive.
         rules:
+            - package_cron_installed
             - file_permissions_cron_d
             - file_permissions_cron_daily
             - file_permissions_cron_hourly

diff --git a/linux_os/guide/services/cron_and_at/package_cron_installed/rule.yml b/linux_os/guide/services/cron_and_at/package_cron_installed/rule.yml
@@ -1,4 +1,4 @@
-{{% if product in ["rhel10", "sle12", "sle15"] %}}
+{{% if product in ["rhel9", "rhel10", "sle12", "sle15"] %}}
 {{% set package_name = "cronie" %}}
 {{% else %}}
 {{% set package_name = "cron" %}}
@@ -15,6 +15,7 @@ rationale: 'The cron service allow periodic job execution, needed for almost all
 severity: medium
 
 identifiers:
+    cce@rhel9: CCE-86170-8
     cce@rhel10: CCE-86619-4
     cce@sle12: CCE-92263-3
     cce@sle15: CCE-91379-8
@@ -26,12 +27,14 @@ references:
     cis@ubuntu2004: 5.1.1
     cis@ubuntu2204: 5.1.1
     cobit5: BAI10.01,BAI10.02,BAI10.03,BAI10.05,DSS05.02,DSS05.05,DSS06.06
+    disa: CCI-000366
     hipaa: 164.308(a)(4)(i),164.308(b)(1),164.308(b)(3),164.310(b),164.312(e)(1),164.312(e)(2)(ii)
     isa-62443-2009: 4.3.3.5.1,4.3.3.5.2,4.3.3.5.3,4.3.3.5.4,4.3.3.5.5,4.3.3.5.6,4.3.3.5.7,4.3.3.5.8,4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9,4.3.3.7.1,4.3.3.7.2,4.3.3.7.3,4.3.3.7.4,4.3.4.3.2,4.3.4.3.3
     isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.11,SR 1.12,SR 1.13,SR 1.2,SR 1.3,SR 1.4,SR 1.5,SR 1.6,SR 1.7,SR 1.8,SR 1.9,SR 2.1,SR 2.2,SR 2.3,SR 2.4,SR 2.5,SR 2.6,SR 2.7,SR 7.6'
     iso27001-2013: A.12.1.2,A.12.5.1,A.12.6.2,A.14.2.2,A.14.2.3,A.14.2.4,A.9.1.2
     nist: CM-6(a)
     nist-csf: PR.IP-1,PR.PT-3
+    srg: SRG-OS-000480-GPOS-00227
 
 ocil_clause: 'the package is installed'
 
@@ -42,6 +45,7 @@ template:
     name: package_installed
     vars:
         pkgname: cron
+        pkgname@rhel9: cronie
         pkgname@rhel10: cronie
         pkgname@sle12: cronie
         pkgname@sle15: cronie
diff --git a/products/rhel9/profiles/hipaa.profile b/products/rhel9/profiles/hipaa.profile
@@ -46,6 +46,7 @@ selections:
     - package_talk-server_removed
     - package_telnet_removed
     - package_telnet-server_removed
+    - package_cron_installed
     - service_crond_enabled
     - service_telnet_disabled
     - use_kerberos_security_all_exports

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -1,4 +1,3 @@
-CCE-86170-8
 CCE-86178-1
 CCE-86179-9
 CCE-86180-7

diff --git a/tests/data/profile_stability/rhel9/cis.profile b/tests/data/profile_stability/rhel9/cis.profile
@@ -286,6 +286,7 @@ selections:
 - package_audit_installed
 - package_bind_removed
 - package_chrony_installed
+- package_cron_installed
 - package_cyrus-imapd_removed
 - package_dhcp_removed
 - package_dnsmasq_removed

diff --git a/tests/data/profile_stability/rhel9/cis_server_l1.profile b/tests/data/profile_stability/rhel9/cis_server_l1.profile
@@ -202,6 +202,7 @@ selections:
 - package_aide_installed
 - package_bind_removed
 - package_chrony_installed
+- package_cron_installed
 - package_cyrus-imapd_removed
 - package_dhcp_removed
 - package_dnsmasq_removed

diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
@@ -199,6 +199,7 @@ selections:
 - package_aide_installed
 - package_bind_removed
 - package_chrony_installed
+- package_cron_installed
 - package_cyrus-imapd_removed
 - package_dhcp_removed
 - package_dnsmasq_removed

diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
@@ -286,6 +286,7 @@ selections:
 - package_audit_installed
 - package_bind_removed
 - package_chrony_installed
+- package_cron_installed
 - package_cyrus-imapd_removed
 - package_dhcp_removed
 - package_dnsmasq_removed

diff --git a/tests/data/profile_stability/rhel9/stig.profile b/tests/data/profile_stability/rhel9/stig.profile
@@ -370,6 +370,7 @@ selections:
 - package_audispd-plugins_installed
 - package_audit_installed
 - package_chrony_installed
+- package_cron_installed
 - package_crypto-policies_installed
 - package_fapolicyd_installed
 - package_firewalld_installed

diff --git a/tests/data/profile_stability/rhel9/stig_gui.profile b/tests/data/profile_stability/rhel9/stig_gui.profile
@@ -381,6 +381,7 @@ selections:
 - package_audispd-plugins_installed
 - package_audit_installed
 - package_chrony_installed
+- package_cron_installed
 - package_crypto-policies_installed
 - package_fapolicyd_installed
 - package_firewalld_installed