Check: GEN003280
AIX 6.1 SECURITY TECHNICAL IMPLEMENTATION GUIDE:
GEN003280
(in versions v1 r14 through v1 r10)
Title
Access to the at utility must be controlled via the at.allow and/or at.deny file(s). (Cat II impact)
Discussion
The at facility selectively allows users to execute jobs at deferred times. It is usually used for one-time jobs. The at.allow file selectively allows access to the at facility. If there is no at.allow file, there is no ready documentation of who is allowed to submit at jobs.
Check Content
Check for the existence of at.allow and at.deny files. # ls -lL /var/adm/cron/at.allow # ls -lL /var/adm/cron/at.deny If neither file exists, this is a finding.
Fix Text
Create at.allow and/or at.deny files containing appropriate lists of users to be allowed or denied access to the "at" daemon.
Additional Identifiers
Rule ID: SV-27377r1_rule
Vulnerability ID: V-984
Group Title: GEN003280
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000225 |
The organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. |
Controls
Number | Title |
---|---|
AC-6 |
Least Privilege |