isMasked() {
isMasked=$(systemctl is-enabled "$1")
if [[ "$isMasked" = "masked" ]]; then
exit 0
else
exit 1
fi
}
@test "Ensure atd is masked" {
run isMasked atd.service
[ "$status" -eq 0 ]
}Ensure atd is masked
Description
The at and batch commands can be used to schedule tasks that are meant
to be executed only once. This allows delayed execution in a manner similar
to cron, except that it is not recurring.
Rationale
The atd service could be used by an unsophisticated insider to carry out
activities outside of a normal login session, which could complicate
accountability. Furthermore, the need to schedule tasks with at or batch
is not common.
Audit
Remediation
shell
systemctl mask atd.service
systemctl stop atd.service
systemctl daemon-reloadAnsible
- name: mask atd
become: 'yes'
become_method: sudo
systemd:
name: atd
masked: 'yes'
enabled: 'no'
state: stopped
ignore_errors: true
tags:
- at
- systemd
- security
...References
CCE-80345-2