diff --git a/components/cronie.yml b/components/cronie.yml index 07e01029537..e2d66b5c383 100644 --- a/components/cronie.yml +++ b/components/cronie.yml @@ -36,6 +36,7 @@ rules: - file_permissions_cron_weekly - file_permissions_crontab - package_cron_installed +- package_crontabs_installed - service_atd_disabled - service_cron_enabled - service_crond_enabled diff --git a/components/crontabs.yml b/components/crontabs.yml index bb86c806940..6aa8a8b5a8f 100644 --- a/components/crontabs.yml +++ b/components/crontabs.yml @@ -2,6 +2,7 @@ name: crontabs packages: - crontabs rules: +- package_crontabs_installed - file_groupowner_cron_daily - file_groupowner_cron_hourly - file_groupowner_cron_monthly diff --git a/controls/cis_rhel10.yml b/controls/cis_rhel10.yml index 825328bc289..55de06a0a9e 100644 --- a/controls/cis_rhel10.yml +++ b/controls/cis_rhel10.yml @@ -1104,6 +1104,7 @@ controls: - l1_workstation status: automated rules: + - package_cron_installed - service_crond_enabled - id: 2.4.1.2 diff --git a/controls/cis_rhel9.yml b/controls/cis_rhel9.yml index 9004c842663..05a3e4ac356 100644 --- a/controls/cis_rhel9.yml +++ b/controls/cis_rhel9.yml @@ -1099,6 +1099,7 @@ controls: - l1_workstation status: automated rules: + - package_cron_installed - service_crond_enabled - id: 2.4.1.2 diff --git a/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml b/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml index fd92d3a410f..563206e28ae 100644 --- a/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml +++ b/controls/srg_gpos/SRG-OS-000480-GPOS-00227.yml @@ -100,6 +100,7 @@ controls: - package_nss-tools_installed - package_policycoreutils-python-utils_installed - package_policycoreutils_installed + - package_crontabs_installed # mount options - mount_option_nodev_remote_filesystems diff --git a/controls/stig_rhel9.yml b/controls/stig_rhel9.yml index b7197b06aa2..5f8d8c1bed7 100644 --- a/controls/stig_rhel9.yml +++ b/controls/stig_rhel9.yml @@ -958,6 +958,7 @@ controls: - medium title: RHEL 9 cron configuration directories must have a mode of 0700 or less permissive. rules: + - package_crontabs_installed - file_permissions_cron_d - file_permissions_cron_daily - file_permissions_cron_hourly diff --git a/linux_os/guide/services/cron_and_at/package_cron_installed/rule.yml b/linux_os/guide/services/cron_and_at/package_cron_installed/rule.yml index b984b731cf8..5423ff2a970 100644 --- a/linux_os/guide/services/cron_and_at/package_cron_installed/rule.yml +++ b/linux_os/guide/services/cron_and_at/package_cron_installed/rule.yml @@ -1,4 +1,4 @@ -{{% if product in ["rhel10", "sle12", "sle15"] %}} +{{% if product in ["rhel9", "rhel10", "sle12", "sle15"] %}} {{% set package_name = "cronie" %}} {{% else %}} {{% set package_name = "cron" %}} @@ -15,6 +15,7 @@ rationale: 'The cron service allow periodic job execution, needed for almost all severity: medium identifiers: + cce@rhel9: CCE-86170-8 cce@rhel10: CCE-86619-4 cce@sle12: CCE-92263-3 cce@sle15: CCE-91379-8 @@ -42,6 +43,7 @@ template: name: package_installed vars: pkgname: cron + pkgname@rhel9: cronie pkgname@rhel10: cronie pkgname@sle12: cronie pkgname@sle15: cronie diff --git a/linux_os/guide/services/cron_and_at/package_crontabs_installed/rule.yml b/linux_os/guide/services/cron_and_at/package_crontabs_installed/rule.yml new file mode 100644 index 00000000000..f220bcc4ab7 --- /dev/null +++ b/linux_os/guide/services/cron_and_at/package_crontabs_installed/rule.yml @@ -0,0 +1,26 @@ +documentation_complete: true + +title: 'Install The Crontabs Package' + +description: 'The crontabs package should be installed.' + +rationale: 'The cron service allow periodic job execution, needed for almost all administrative tasks and services (software update, log rotating, etc.). Access to cron service should be restricted to administrative accounts only.' + +severity: medium + +identifiers: + cce@rhel9: CCE-86178-1 + cce@rhel10: CCE-86179-9 + +references: + srg: SRG-OS-000480-GPOS-00227 + +ocil_clause: 'the package is installed' + +ocil: |- + {{{ ocil_package("crontabs") }}} + +template: + name: package_installed + vars: + pkgname: crontabs diff --git a/products/rhel9/profiles/hipaa.profile b/products/rhel9/profiles/hipaa.profile index 01d79b55298..7f0b11fd190 100644 --- a/products/rhel9/profiles/hipaa.profile +++ b/products/rhel9/profiles/hipaa.profile @@ -46,6 +46,7 @@ selections: - package_talk-server_removed - package_telnet_removed - package_telnet-server_removed + - package_cron_installed - service_crond_enabled - service_telnet_disabled - use_kerberos_security_all_exports diff --git a/shared/references/cce-redhat-avail.txt b/shared/references/cce-redhat-avail.txt index 84d491ea662..cb8c8a541e8 100644 --- a/shared/references/cce-redhat-avail.txt +++ b/shared/references/cce-redhat-avail.txt @@ -1,6 +1,3 @@ -CCE-86170-8 -CCE-86178-1 -CCE-86179-9 CCE-86180-7 CCE-86181-5 CCE-86186-4 diff --git a/tests/data/profile_stability/rhel9/cis.profile b/tests/data/profile_stability/rhel9/cis.profile index badf096b9a3..138a9d96ab8 100644 --- a/tests/data/profile_stability/rhel9/cis.profile +++ b/tests/data/profile_stability/rhel9/cis.profile @@ -286,6 +286,7 @@ selections: - package_audit_installed - package_bind_removed - package_chrony_installed +- package_cron_installed - package_cyrus-imapd_removed - package_dhcp_removed - package_dnsmasq_removed diff --git a/tests/data/profile_stability/rhel9/cis_server_l1.profile b/tests/data/profile_stability/rhel9/cis_server_l1.profile index cb60e30b300..3e7d0f72dbc 100644 --- a/tests/data/profile_stability/rhel9/cis_server_l1.profile +++ b/tests/data/profile_stability/rhel9/cis_server_l1.profile @@ -202,6 +202,7 @@ selections: - package_aide_installed - package_bind_removed - package_chrony_installed +- package_cron_installed - package_cyrus-imapd_removed - package_dhcp_removed - package_dnsmasq_removed diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile index 8ddf27758a7..9fb9d48d2c2 100644 --- a/tests/data/profile_stability/rhel9/cis_workstation_l1.profile +++ b/tests/data/profile_stability/rhel9/cis_workstation_l1.profile @@ -199,6 +199,7 @@ selections: - package_aide_installed - package_bind_removed - package_chrony_installed +- package_cron_installed - package_cyrus-imapd_removed - package_dhcp_removed - package_dnsmasq_removed diff --git a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile index 60fab32147e..cf88a4aa98f 100644 --- a/tests/data/profile_stability/rhel9/cis_workstation_l2.profile +++ b/tests/data/profile_stability/rhel9/cis_workstation_l2.profile @@ -286,6 +286,7 @@ selections: - package_audit_installed - package_bind_removed - package_chrony_installed +- package_cron_installed - package_cyrus-imapd_removed - package_dhcp_removed - package_dnsmasq_removed diff --git a/tests/data/profile_stability/rhel9/stig.profile b/tests/data/profile_stability/rhel9/stig.profile index 397624e7db3..b2c9e028147 100644 --- a/tests/data/profile_stability/rhel9/stig.profile +++ b/tests/data/profile_stability/rhel9/stig.profile @@ -370,6 +370,7 @@ selections: - package_audispd-plugins_installed - package_audit_installed - package_chrony_installed +- package_crontabs_installed - package_crypto-policies_installed - package_fapolicyd_installed - package_firewalld_installed diff --git a/tests/data/profile_stability/rhel9/stig_gui.profile b/tests/data/profile_stability/rhel9/stig_gui.profile index b7bc4d0ba18..ce29f8d3ee0 100644 --- a/tests/data/profile_stability/rhel9/stig_gui.profile +++ b/tests/data/profile_stability/rhel9/stig_gui.profile @@ -381,6 +381,7 @@ selections: - package_audispd-plugins_installed - package_audit_installed - package_chrony_installed +- package_crontabs_installed - package_crypto-policies_installed - package_fapolicyd_installed - package_firewalld_installed