Ensure that /etc/cron.deny does not exist

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Description

The file /etc/cron.deny should not exist. Use /etc/cron.allow instead.

Rationale

Access to cron should be restricted. It is easier to manage an allow list than a deny list.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

#!/bin/bash

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if [[ -f  /etc/cron.deny ]]; then
        rm /etc/cron.deny
    fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Remove /etc/cron.deny
  file:
    path: /etc/cron.deny
    state: absent
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]
  tags:
  - PCI-DSSv4-2.2.6
  - disable_strategy
  - file_cron_deny_not_exist
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed