3.2.4 Adding authorized users in at.allow

Information

The /var/adm/cron/at.allow file defines which users on the system are able to schedule jobs via at.

Rationale:

The /var/adm/cron/at.allow file defines which users are able to schedule jobs via at. Review the current at files and add any relevant users to the /var/adm/cron/at.allow file.

NOTE: Nessus has provided the target output to assist in reviewing the benchmark to ensure target compliance.

Solution

Review the current at files:

ls -l /var/spool/cron/atjobs
cat /var/spool/cron/atjobs/*

NOTE: Review the list of at schedules and remove any files which should not be there, or have no content
Add the recommended system users to the at.allow list:

echo 'adm' >> /var/adm/cron/at.allow
echo 'sys' >> /var/adm/cron/at.allow

Add any other users who require permissions to use the at scheduler:

echo <user> >> /var/adm/cron/at.allow

NOTE: Where <user> is the username.

Default Value:

N/A

See Also

https://workbench.cisecurity.org/files/3525

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(2), 800-53|AC-6(5), CSCv7|4.3

Plugin: Unix

Control ID: 4d9c133d4eff8e6aaac1d6297493a5cd095bdb2819841b0bdd45de101a5e61a2