Disable At Service (atd)

Classification:

compliance

Framework:

Control:

Description

The at and batch commands can be used to schedule tasks that are meant to be executed only once. This allows delayed execution in a manner similar to cron, except that it is not recurring. The daemon atd keeps track of tasks scheduled via at and batch, and executes them at the specified time.

The atd service can be disabled with the following command:

$ sudo systemctl disable atd.service

Rationale

The atd service could be used by an unsophisticated insider to carry out activities outside of a normal login session, which could complicate accountability. Furthermore, the need to schedule tasks with at or batch is not common.

Remediation

Shell script

The following script can be run on the host to remediate the issue.

SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" stop 'atd.service'
"$SYSTEMCTL_EXEC" disable 'atd.service'
# Disable socket activation if we have a unit file for it
"$SYSTEMCTL_EXEC" list-unit-files | grep -q '^atd.socket\>' && "$SYSTEMCTL_EXEC" disable 'atd.socket'
# The service may not be running because it has been started and failed,
# so let's reset the state so OVAL checks pass.
# Service should be 'inactive', not 'failed' after reboot though.
"$SYSTEMCTL_EXEC" reset-failed 'atd.service'

Ansible playbook

The following playbook can be run with Ansible to remediate the issue.

- name: Disable service atd
  service:
    name: "{{item}}"
    enabled: "no"
    state: "stopped"
  register: service_result
  failed_when: "service_result is failed and ('Could not find the requested service' not in service_result.msg)"
  with_items:
    - atd
  tags:
    - service_atd_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-CM-7


- name: Disable socket of service atd if applicable
  service:
    name: "{{item}}"
    enabled: "no"
    state: "stopped"
  register: socket_result
  failed_when: "socket_result is failed and ('Could not find the requested service' not in socket_result.msg)"
  with_items:
    - atd.socket
  tags:
    - service_atd_disabled
    - unknown_severity
    - disable_strategy
    - low_complexity
    - low_disruption
    - NIST-800-53-CM-7
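
Verification

The following is an added example, not part of the original rule or the project's own OVAL check: a shell audit that confirms the outcome of either remediation above for both atd.service and atd.socket. The function names classify_unit and audit_atd are hypothetical, and treating a masked or absent unit as compliant is an assumption of this sketch.

```shell
#!/bin/sh
# Added example: audit that the at daemon is disabled and stopped.
# SYSTEMCTL_EXEC mirrors the variable used in the remediation script and may be overridden.
SYSTEMCTL_EXEC="${SYSTEMCTL_EXEC:-/usr/bin/systemctl}"

# classify_unit ENABLED_STATE ACTIVE_STATE
# Prints "pass" or "fail:<reason>" and returns non-zero on failure.
classify_unit() {
    case "$1" in
        # Unit will not start at boot, or no unit file exists (empty output).
        disabled|masked|masked-runtime|not-found|'') ;;
        *) echo "fail:enablement=$1"; return 1 ;;
    esac
    case "$2" in
        inactive|'') echo "pass" ;;
        # Started and failed: the remediation script clears this with reset-failed.
        failed) echo "fail:active=failed (run reset-failed)"; return 1 ;;
        *) echo "fail:active=$2"; return 1 ;;
    esac
}

# audit_atd: checks atd.service and atd.socket; returns 0 only if both pass.
audit_atd() {
    rc=0
    for unit in atd.service atd.socket; do
        # is-enabled and is-active exit non-zero for disabled or inactive units,
        # so only their stdout is evaluated here.
        enabled=$("$SYSTEMCTL_EXEC" is-enabled "$unit" 2>/dev/null) || true
        active=$("$SYSTEMCTL_EXEC" is-active "$unit" 2>/dev/null) || true
        result=$(classify_unit "$enabled" "$active") || rc=1
        echo "$unit: $result"
    done
    return "$rc"
}
```

Source the file and call audit_atd; it prints one line per unit and its exit status can gate a compliance job.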