Improve rule file_permssions_crontab

This change solves problem of failing rule `file_permissions_crontab` when the `crontabs` RPM package isn't installed. This situation happens namely when builidng a CS9 bootable container image because the base image doesn't contain the crontabs RPM package. In profiles which contain rule `service_crond_enabled` we will install the `crontabs` package by installing the `cronie` package which provides that service and has `crontabs` as dependency. This will be achived by adding the rule `package_cron_installed` to these profiles. In profiles which don't contain rule `service_crond_enabled` but still contain `file_permssions_crontabs` we will include the new rule `package_crontabs_installed`. Notice the the `cronie` package will be installed as a result of rule `package_cron_installed` which installs either `cron` or `cronie` based on the product name. This rule is fixed by this commit because the correct package name for RHEL 9 is `cronie` as well.
ComplianceAsCode · Nov 29, 2024 · ee51ec7 · ee51ec7
1 parent 6c8c2c8
commit ee51ec7
Show file tree

Hide file tree

Showing 16 changed files with 42 additions and 4 deletions.
diff --git a/components/cronie.yml b/components/cronie.yml
@@ -36,6 +36,7 @@ rules:
 - file_permissions_cron_weekly
 - file_permissions_crontab
 - package_cron_installed
+- package_crontabs_installed
 - service_atd_disabled
 - service_cron_enabled
 - service_crond_enabled
diff --git a/components/crontabs.yml b/components/crontabs.yml
@@ -2,6 +2,7 @@ name: crontabs
 packages:
 - crontabs
 rules:
+- package_crontabs_installed
 - file_groupowner_cron_daily
 - file_groupowner_cron_hourly
 - file_groupowner_cron_monthly

diff --git a/controls/cis_rhel10.yml b/controls/cis_rhel10.yml
@@ -1104,6 +1104,7 @@ controls:
       - l1_workstation
     status: automated
     rules:
+      - package_cron_installed
       - service_crond_enabled
 
   - id: 2.4.1.2

diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml
@@ -1099,6 +1099,7 @@ controls:
       - l1_workstation
     status: automated
     rules:
+      - package_cron_installed
       - service_crond_enabled
 
   - id: 2.4.1.2

diff --git a/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml b/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml
@@ -100,6 +100,7 @@ controls:
             - package_nss-tools_installed
             - package_policycoreutils-python-utils_installed
             - package_policycoreutils_installed
+            - package_crontabs_installed
 
             # mount options
             - mount_option_nodev_remote_filesystems

diff --git a/controls/stig_rhel9.yml b/controls/stig_rhel9.yml
@@ -958,6 +958,7 @@ controls:
             - medium
         title: RHEL 9 cron configuration directories must have a mode of 0700 or less permissive.
         rules:
+            - package_crontabs_installed
             - file_permissions_cron_d
             - file_permissions_cron_daily
             - file_permissions_cron_hourly

diff --git a/linux_os/guide/services/cron_and_at/package_cron_installed/rule.yml b/linux_os/guide/services/cron_and_at/package_cron_installed/rule.yml
@@ -1,4 +1,4 @@
-{{% if product in ["rhel10", "sle12", "sle15"] %}}
+{{% if product in ["rhel9", "rhel10", "sle12", "sle15"] %}}
 {{% set package_name = "cronie" %}}
 {{% else %}}
 {{% set package_name = "cron" %}}
@@ -15,6 +15,7 @@ rationale: 'The cron service allow periodic job execution, needed for almost all
 severity: medium
 
 identifiers:
+    cce@rhel9: CCE-86170-8
     cce@rhel10: CCE-86619-4
     cce@sle12: CCE-92263-3
     cce@sle15: CCE-91379-8
@@ -42,6 +43,7 @@ template:
     name: package_installed
     vars:
         pkgname: cron
+        pkgname@rhel9: cronie
         pkgname@rhel10: cronie
         pkgname@sle12: cronie
         pkgname@sle15: cronie
diff --git a/linux_os/guide/services/cron_and_at/package_crontabs_installed/rule.yml b/linux_os/guide/services/cron_and_at/package_crontabs_installed/rule.yml
@@ -0,0 +1,26 @@
+documentation_complete: true
+
+title: 'Install The Crontabs Package'
+
+description: 'The crontabs package should be installed.'
+
+rationale: 'The cron service allow periodic job execution, needed for almost all administrative tasks and services (software update, log rotating, etc.). Access to cron service should be restricted to administrative accounts only.'
+
+severity: medium
+
+identifiers:
+    cce@rhel9: CCE-86178-1
+    cce@rhel10: CCE-86179-9
+
+references:
+    srg: SRG-OS-000480-GPOS-00227
+
+ocil_clause: 'the package is installed'
+
+ocil: |-
+    {{{ ocil_package("crontabs") }}}
+
+template:
+    name: package_installed
+    vars:
+        pkgname: crontabs
diff --git a/products/rhel9/profiles/hipaa.profile b/products/rhel9/profiles/hipaa.profile
@@ -46,6 +46,7 @@ selections:
     - package_talk-server_removed
     - package_telnet_removed
     - package_telnet-server_removed
+    - package_cron_installed
     - service_crond_enabled
     - service_telnet_disabled
     - use_kerberos_security_all_exports

diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt
@@ -1,6 +1,3 @@
-CCE-86170-8
-CCE-86178-1
-CCE-86179-9
 CCE-86180-7
 CCE-86181-5
 CCE-86186-4

diff --git a/tests/data/profile_stability/rhel9/cis.profile b/tests/data/profile_stability/rhel9/cis.profile
@@ -286,6 +286,7 @@ selections:
 - package_audit_installed
 - package_bind_removed
 - package_chrony_installed
+- package_cron_installed
 - package_cyrus-imapd_removed
 - package_dhcp_removed
 - package_dnsmasq_removed

diff --git a/tests/data/profile_stability/rhel9/cis_server_l1.profile b/tests/data/profile_stability/rhel9/cis_server_l1.profile
@@ -202,6 +202,7 @@ selections:
 - package_aide_installed
 - package_bind_removed
 - package_chrony_installed
+- package_cron_installed
 - package_cyrus-imapd_removed
 - package_dhcp_removed
 - package_dnsmasq_removed

diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile
@@ -199,6 +199,7 @@ selections:
 - package_aide_installed
 - package_bind_removed
 - package_chrony_installed
+- package_cron_installed
 - package_cyrus-imapd_removed
 - package_dhcp_removed
 - package_dnsmasq_removed

diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile
@@ -286,6 +286,7 @@ selections:
 - package_audit_installed
 - package_bind_removed
 - package_chrony_installed
+- package_cron_installed
 - package_cyrus-imapd_removed
 - package_dhcp_removed
 - package_dnsmasq_removed

diff --git a/tests/data/profile_stability/rhel9/stig.profile b/tests/data/profile_stability/rhel9/stig.profile
@@ -370,6 +370,7 @@ selections:
 - package_audispd-plugins_installed
 - package_audit_installed
 - package_chrony_installed
+- package_crontabs_installed
 - package_crypto-policies_installed
 - package_fapolicyd_installed
 - package_firewalld_installed

diff --git a/tests/data/profile_stability/rhel9/stig_gui.profile b/tests/data/profile_stability/rhel9/stig_gui.profile
@@ -381,6 +381,7 @@ selections:
 - package_audispd-plugins_installed
 - package_audit_installed
 - package_chrony_installed
+- package_crontabs_installed
 - package_crypto-policies_installed
 - package_fapolicyd_installed
 - package_firewalld_installed