---
title: Verify Group Who Owns /etc/at.deny file
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: Docs > Datadog Security > OOTB Rules > Verify Group Who Owns /etc/at.deny file
---

# Verify Group Who Owns /etc/at.deny file
 
## Description{% #description %}

If `/etc/at.deny` exists, it must be group-owned by `root`. To properly set the group owner of `/etc/at.deny`, run the command:

```
$ sudo chgrp root /etc/at.deny
```

## Rationale{% #rationale %}

If the owner of the at.deny file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.

## Remediation{% #remediation %}

### Shell script{% #shell-script %}

The following script can be run on the host to remediate the issue.

```bash
#!/bin/bash

# Remediation is applicable only in certain platforms
if dpkg-query --show --showformat='${db:Status-Status}' 'linux-base' 2>/dev/null | grep -q '^installed$'; then

newgroup=""
if getent group "0" >/dev/null 2>&1; then
  newgroup="0"
fi

if [[ -z "${newgroup}" ]]; then
  >&2 echo "0 is not a defined group on the system"
else
if ! stat -c "%g %G" "/etc/at.deny" | grep -E -w -q "0"; then
    chgrp --no-dereference "$newgroup" /etc/at.deny
fi

fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi
```

### Ansible playbook{% #ansible-playbook %}

The following playbook can be run with Ansible to remediate the issue.

```gdscript3
- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - configure_strategy
  - file_groupowner_at_deny
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Set the file_groupowner_at_deny_newgroup variable if represented by gid
  ansible.builtin.set_fact:
    file_groupowner_at_deny_newgroup: '0'
  when: '"linux-base" in ansible_facts.packages'
  tags:
  - configure_strategy
  - file_groupowner_at_deny
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Test for existence /etc/at.deny
  ansible.builtin.stat:
    path: /etc/at.deny
  register: file_exists
  when: '"linux-base" in ansible_facts.packages'
  tags:
  - configure_strategy
  - file_groupowner_at_deny
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed

- name: Ensure group owner on /etc/at.deny
  ansible.builtin.file:
    path: /etc/at.deny
    follow: false
    group: '{{ file_groupowner_at_deny_newgroup }}'
  when:
  - '"linux-base" in ansible_facts.packages'
  - file_exists.stat is defined and file_exists.stat.exists
  tags:
  - configure_strategy
  - file_groupowner_at_deny
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
```