STIGQter STIGQter: STIG Summary: Solaris 11 SPARC Security Technical Implementation Guide Version: 2 Release: 3 Benchmark Date: 23 Apr 2021:

Unauthorized use of the at or cron capabilities must not be permitted.

DISA Rule

SV-216360r603267_rule

Vulnerability Number

V-216360

Group Title

SRG-OS-000480

Rule Version

SOL-11.1-040420

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

The root role is required.

Modify the cron configuration files.

# mv /etc/cron.d/cron.deny /etc/cron.d/cron.deny.temp
# mv /etc/cron.d/at.deny /etc/cron.d/at.deny.temp

Skip the remaining steps only if using the “solaris.jobs.user” RBAC role.

# echo root > /etc/cron.d/cron.allow
# cp /dev/null /etc/cron.d/at.allow
# chown root:root /etc/cron.d/cron.allow /etc/cron.d/at.allow
# chmod 400 /etc/cron.d/cron.allow /etc/cron.d/at.allow

Check Contents

Check that "at" and "cron" users are configured correctly.

# ls /etc/cron.d/cron.deny

If cron.deny exists, this is a finding.

# ls /etc/cron.d/at.deny

If at.deny exists, this is a finding.

# cat /etc/cron.d/cron.allow

cron.allow should have a single entry for "root", or the cron.allow file is removed if using RBAC.

If any accounts other than root that are listed and they are not properly documented with the IA staff, this is a finding.

# wc -l /etc/cron.d/at.allow | awk '{ print $1 }'

If the output is non-zero, this is a finding, or the at.allow file is removed if using RBAC.

Vulnerability Number

V-216360

Documentable

False

Rule Version

SOL-11.1-040420

Severity Override Guidance

Check that "at" and "cron" users are configured correctly.

# ls /etc/cron.d/cron.deny

If cron.deny exists, this is a finding.

# ls /etc/cron.d/at.deny

If at.deny exists, this is a finding.

# cat /etc/cron.d/cron.allow

cron.allow should have a single entry for "root", or the cron.allow file is removed if using RBAC.

If any accounts other than root that are listed and they are not properly documented with the IA staff, this is a finding.

# wc -l /etc/cron.d/at.allow | awk '{ print $1 }'

If the output is non-zero, this is a finding, or the at.allow file is removed if using RBAC.

Check Content Reference

M

Target Key

4022

Comments