Improve rule file_permssions_crontab

This change solves problem of failing rule `file_permissions_crontab` when the `crontabs` RPM package isn't installed. This situation happens namely when builidng a CS9 bootable container image because the base image doesn't contain the crontabs RPM package. In profiles which contain rules checking permissions on files that are provided by `crontabs`, we will install the `crontabs` package by installing the `cronie` package which provides the `cron` service and has `crontabs` as dependency. This will be achieved by adding the rule `package_cron_installed` to these profiles. Notice that the `cronie` package will be installed as a result of rule `package_cron_installed` which installs either `cron` or `cronie` based on the product name. This rule is fixed by this commit because the correct package name for RHEL 9 is `cronie` as well.
ComplianceAsCode · Dec 3, 2024 · c8d0381 · c8d0381
1 parent 4c8b22c
commit c8d0381
Show file tree

Hide file tree

Showing 12 changed files with 13 additions and 2 deletions.
diff --git a/controls/cis_rhel10.yml b/controls/cis_rhel10.yml
@@ -1104,6 +1104,7 @@ controls:
       - l1_workstation
     status: automated
     rules:
+      - package_cron_installed
       - service_crond_enabled
 
   - id: 2.4.1.2

diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml
@@ -1099,6 +1099,7 @@ controls:
       - l1_workstation
     status: automated
     rules:
+      - package_cron_installed
       - service_crond_enabled
 
   - id: 2.4.1.2

diff --git a/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml b/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
@@ -100,6 +100,7 @@ controls:
             - package_nss-tools_installed
             - package_policycoreutils-python-utils_installed
             - package_policycoreutils_installed
+            - package_cron_installed
 
             # mount options
             - mount_option_nodev_remote_filesystems

diff --git a/controls/stig_rhel9.yml b/controls/stig_rhel9.yml
@@ -958,6 +958,7 @@ controls:
             - medium
         title: RHEL 9 cron configuration directories must have a mode of 0700 or less permissive.
         rules:
+            - package_cron_installed
             - file_permissions_cron_d
             - file_permissions_cron_daily
             - file_permissions_cron_hourly

diff --git a/linux_os/guide/services/cron_and_at/package_cron_installed/rule.yml b/linux_os/guide/services/cron_and_at/package_cron_installed/rule.yml
@@ -1,4 +1,4 @@
-{{% if product in ["rhel10", "sle12", "sle15"] %}}
+{{% if product in ["rhel9", "rhel10", "sle12", "sle15"] %}}
 {{% set package_name = "cronie" %}}
 {{% else %}}
 {{% set package_name = "cron" %}}
@@ -15,6 +15,7 @@ rationale: 'The cron service allow periodic job execution, needed for almost all
 severity: medium
 
 identifiers:
+    cce@rhel9: CCE-86170-8
     cce@rhel10: CCE-86619-4
     cce@sle12: CCE-92263-3
     cce@sle15: CCE-91379-8
@@ -42,6 +43,7 @@ template:
     name: package_installed
     vars:
         pkgname: cron
+        pkgname@rhel9: cronie
         pkgname@rhel10: cronie
         pkgname@sle12: cronie
         pkgname@sle15: cronie
diff --git a/products/rhel9/profiles/hipaa.profile b/products/rhel9/profiles/hipaa.profile
@@ -46,6 +46,7 @@ selections:
     - package_talk-server_removed
     - package_telnet_removed
     - package_telnet-server_removed
+    - package_cron_installed
     - service_crond_enabled
     - service_telnet_disabled
     - use_kerberos_security_all_exports

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -1,4 +1,3 @@
-CCE-86170-8
 CCE-86178-1
 CCE-86179-9
 CCE-86180-7

diff --git a/tests/data/profile_stability/rhel9/cis.profile b/tests/data/profile_stability/rhel9/cis.profile
@@ -286,6 +286,7 @@ selections:
 - package_audit_installed
 - package_bind_removed
 - package_chrony_installed
+- package_cron_installed
 - package_cyrus-imapd_removed
 - package_dhcp_removed
 - package_dnsmasq_removed

diff --git a/tests/data/profile_stability/rhel9/cis_server_l1.profile b/tests/data/profile_stability/rhel9/cis_server_l1.profile
@@ -202,6 +202,7 @@ selections:
 - package_aide_installed
 - package_bind_removed
 - package_chrony_installed
+- package_cron_installed
 - package_cyrus-imapd_removed
 - package_dhcp_removed
 - package_dnsmasq_removed

diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
@@ -199,6 +199,7 @@ selections:
 - package_aide_installed
 - package_bind_removed
 - package_chrony_installed
+- package_cron_installed
 - package_cyrus-imapd_removed
 - package_dhcp_removed
 - package_dnsmasq_removed

diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
@@ -286,6 +286,7 @@ selections:
 - package_audit_installed
 - package_bind_removed
 - package_chrony_installed
+- package_cron_installed
 - package_cyrus-imapd_removed
 - package_dhcp_removed
 - package_dnsmasq_removed

diff --git a/tests/data/profile_stability/rhel9/stig.profile b/tests/data/profile_stability/rhel9/stig.profile
@@ -370,6 +370,7 @@ selections:
 - package_audispd-plugins_installed
 - package_audit_installed
 - package_chrony_installed
+- package_cron_installed
 - package_crypto-policies_installed
 - package_fapolicyd_installed
 - package_firewalld_installed