
2.4.2.1 Ensure at is restricted to authorized users

Audit

- IF - at is installed on the system: Run the following command to verify /etc/at.allow:

- Exists
- Is mode 0640 or more restrictive
- Is owned by the user root
- Is group owned by the group daemon or group root

# stat -Lc 'Access: (%a/%A) Owner: (%U) Group: (%G)' /etc/at.allow
Access: (640/-rw-r-----) Owner: (root) Group: (daemon)
-OR-
Access: (640/-rw-r-----) Owner: (root) Group: (root)

Verify mode is 640 or more restrictive, owner is root, and group is daemon or root.

Run the following command to verify at.deny doesn't exist, -OR- is:

- Mode 0640 or more restrictive
- Owned by the user root
- Group owned by the group daemon or group root

# [ -e "/etc/at.deny" ] && stat -Lc 'Access: (%a/%A) Owner: (%U) Group: (%G)' /etc/at.deny
Access: (640/-rw-r-----) Owner: (root) Group: (daemon)
-OR-
Access: (640/-rw-r-----) Owner: (root) Group: (root)
-OR-
Nothing is returned
If a value is returned, verify mode is 640 or more restrictive, owner is root, and group is daemon or root
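As an added example that is not part of the benchmark text, the helper below applies the audit criteria above to both files in one pass: at.allow must exist and comply, at.deny may be absent but must comply if present. It assumes GNU stat (as the benchmark's own commands do), and the optional directory argument is an addition here so the checks can be exercised against test copies rather than /etc.

```shell
#!/usr/bin/env bash
# Added audit helper for control 2.4.2.1 (not part of the benchmark text).
# check_at_file FILE: returns 0 when FILE exists, is mode 0640 or more
# restrictive, is owned by root and group-owned by daemon or root; prints a
# reason and returns 1 otherwise.
check_at_file() {
    local f="$1" out mode owner group rc=0
    # -L follows symlinks, matching the benchmark's own stat invocation
    if ! out=$(stat -Lc '%a %U %G' "$f" 2>/dev/null); then
        echo "FAIL: $f does not exist or is not readable"
        return 1
    fi
    set -- $out
    mode="$1" owner="$2" group="$3"
    # "0640 or more restrictive": no permission bit outside rw-r----- may be set
    if [ $(( 0$mode & ~0640 )) -ne 0 ]; then
        echo "FAIL: $f mode $mode is less restrictive than 0640"; rc=1
    fi
    if [ "$owner" != "root" ]; then
        echo "FAIL: $f owner is $owner, expected root"; rc=1
    fi
    case "$group" in
        daemon|root) ;;
        *) echo "FAIL: $f group is $group, expected daemon or root"; rc=1 ;;
    esac
    return "$rc"
}

# audit_at_access [DIR]: DIR/at.allow must exist and comply; DIR/at.deny may
# be absent but must comply if present. DIR defaults to /etc; passing another
# directory (an addition here) lets the checks run against test copies.
audit_at_access() {
    local dir="${1:-/etc}" rc=0
    check_at_file "$dir/at.allow" || rc=1
    if [ -e "$dir/at.deny" ]; then
        check_at_file "$dir/at.deny" || rc=1
    else
        echo "PASS: $dir/at.deny does not exist"
    fi
    [ "$rc" -eq 0 ] && echo "PASS: at access-control files are compliant"
    return "$rc"
}

# The control only applies when at is installed; otherwise just define the
# functions above so the file can be sourced.
if command -v at >/dev/null 2>&1; then
    audit_at_access
fi
```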

Remediation

- IF - at is installed on the system: Run the following script to:

- /etc/at.allow
  - Create the file if it doesn't exist
  - Change owner to user root
  - If group daemon exists, change group to daemon, else change group to root
  - Change mode to 640 or more restrictive
- - IF - /etc/at.deny exists:
  - Change owner to user root
  - If group daemon exists, change group to daemon, else change group to root
  - Change mode to 640 or more restrictive

Run the following command to create /etc/at.allow

#!/usr/bin/env bash
{
# Use group daemon if it exists on this system, otherwise fall back to root
grep -Pq -- '^daemon\b' /etc/group && l_group="daemon" || l_group="root"
# Create /etc/at.allow if missing, then set owner, group and mode (640 or more restrictive)
[ ! -e "/etc/at.allow" ] && touch /etc/at.allow
chown root:"$l_group" /etc/at.allow
chmod u-x,g-wx,o-rwx /etc/at.allow
# Only adjust /etc/at.deny if it exists; its absence is acceptable
[ -e "/etc/at.deny" ] && chown root:"$l_group" /etc/at.deny
[ -e "/etc/at.deny" ] && chmod u-x,g-wx,o-rwx /etc/at.deny
}