このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Description
The at
and batch
commands can be used to
schedule tasks that are meant to be executed only once. This allows delayed
execution in a manner similar to cron, except that it is not
recurring. The daemon atd
keeps track of tasks scheduled via
at
and batch
, and executes them at the specified time.
The atd
service can be disabled with the following command:
$ sudo systemctl disable atd.service
Rationale
The atd
service could be used by an unsophisticated insider to carry
out activities outside of a normal login session, which could complicate
accountability. Furthermore, the need to schedule tasks with at
or
batch
is not common.
Shell script
The following script can be run on the host to remediate the issue.
#!/bin/bash
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'atd.service'
"$SYSTEMCTL_EXEC" disable 'atd.service'
# Disable socket activation if we have a unit file for it
"$SYSTEMCTL_EXEC" list-unit-files | grep -q '^atd.socket\>' && "$SYSTEMCTL_EXEC" disable 'atd.socket'
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'atd.service'
Ansible playbook
The following playbook can be run with Ansible to remediate the issue.
- name: Disable service atd
service:
name: "{{item}}"
enabled: "no"
state: "stopped"
register: service_result
failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
with_items:
- atd
tags:
- service_atd_disabled
- unknown_severity
- disable_strategy
- low_complexity
- low_disruption
- NIST-800-53-CM-7
- name: Disable socket of service atd if applicable
service:
name: "{{item}}"
enabled: "no"
state: "stopped"
register: socket_result
failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
with_items:
- atd.socket
tags:
- service_atd_disabled
- unknown_severity
- disable_strategy
- low_complexity
- low_disruption
- NIST-800-53-CM-7