Conversation

Contributor

@Arden97 Arden97 commented Nov 7, 2025

Description:

This commit implements three new security hardening rules for the /etc/cron.yearly directory to complete the cron directory security coverage:

  • file_owner_cron_yearly: Verifies that /etc/cron.yearly is owned by root (uid 0)
  • file_groupowner_cron_yearly: Verifies that /etc/cron.yearly has root as group owner (gid 0)
  • file_permissions_cron_yearly: Verifies that /etc/cron.yearly has permissions set to 0700 (rwx------)

The implementation adds:

  • Three new rule definitions in linux_os/guide/services/cron_and_at/
  • STIG policy mappings for all three rules
  • Integration with the crontabs component
  • CIS RHEL10 control mapping (control 2.4.1.7) updated from pending to automated status
  • Profile updates for CIS RHEL10 (base, server_l1, workstation_l1, workstation_l2)
  • CCE identifier allocation (CCE-88898-2, CCE-90735-2, CCE-90732-9)

Rationale:
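As an added illustration (not code from this PR or from the ComplianceAsCode project), the following stand-alone POSIX shell script performs the same three checks the new rules describe against /etc/cron.yearly and offers the matching remediation; it assumes GNU stat(1) as shipped on RHEL, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the PR or from ComplianceAsCode: a stand-alone
# check for the three cron.yearly rules (owner uid 0, group gid 0, mode 0700).
# Assumes GNU stat(1) as shipped on RHEL; function names are this example's own.

cron_dir_owner_ok() {           # file_owner_cron_yearly: owner must be uid 0
    [ "$(stat -c '%u' "$1")" -eq 0 ]
}

cron_dir_group_ok() {           # file_groupowner_cron_yearly: group must be gid 0
    [ "$(stat -c '%g' "$1")" -eq 0 ]
}

cron_dir_mode_ok() {            # file_permissions_cron_yearly: exactly 0700
    # %a prints the permission bits in octal without the file-type digit, so
    # 0700 shows as "700"; setuid/setgid/sticky would add a leading digit and fail.
    [ "$(stat -c '%a' "$1")" = "700" ]
}

# Run all three checks against DIR (default /etc/cron.yearly), print one line
# per check, and return 0 only if every check passed.
check_cron_dir() {
    dir="${1:-/etc/cron.yearly}"
    rc=0
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory"
        return 1
    fi
    if cron_dir_owner_ok "$dir"; then echo "PASS: $dir owned by uid 0"
    else echo "FAIL: $dir owner is uid $(stat -c '%u' "$dir"), expected 0"; rc=1; fi
    if cron_dir_group_ok "$dir"; then echo "PASS: $dir group is gid 0"
    else echo "FAIL: $dir group is gid $(stat -c '%g' "$dir"), expected 0"; rc=1; fi
    if cron_dir_mode_ok "$dir"; then echo "PASS: $dir mode is 0700"
    else echo "FAIL: $dir mode is 0$(stat -c '%a' "$dir"), expected 0700"; rc=1; fi
    return "$rc"
}

# Remediation matching the rules; only run when explicitly requested.
remediate_cron_dir() {
    dir="${1:-/etc/cron.yearly}"
    chown 0:0 "$dir" && chmod 0700 "$dir"
}
```

After sourcing the file, `check_cron_dir` audits /etc/cron.yearly and `check_cron_dir /some/dir` audits another directory; the exit status is non-zero whenever any of the three checks fails.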

@openshift-ci openshift-ci bot added the needs-ok-to-test Used by openshift-ci bot. label Nov 7, 2025

openshift-ci bot commented Nov 7, 2025

Hi @Arden97. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@Mab879 Mab879 self-assigned this Nov 7, 2025
@Mab879 Mab879 added this to the 0.1.79 milestone Nov 7, 2025
@@ -0,0 +1,44 @@
documentation_complete: true

Member

No need for these extra new lines

@@ -0,0 +1,44 @@
documentation_complete: true


Member

No need for these extra new lines.

@@ -0,0 +1,44 @@
documentation_complete: true


Member

No need for these new lines.

status: automated
rules:
- file_groupowner_cron_yearly
- file_owner_cron_yearly
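Review bot: the `rules:` list under `status: automated` names only file_groupowner_cron_yearly and file_owner_cron_yearly in the lines shown, while the PR description moves CIS RHEL10 control 2.4.1.7 from pending to automated on the strength of all three rules; confirm `- file_permissions_cron_yearly` is listed as well, otherwise the control is reported as automated while its 0700 permission check is not mapped. The CI failure quoted below also requires each of the three rules to be added to the 'cronie' component, which the author reports addressing in 6a54d25.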
Member

Please fix the CI issues:

Rule 'file_permissions_cron_yearly' must be in component 'cronie' because it's a member of 'cron_and_at' group.
Rule 'file_owner_cron_yearly' must be in component 'cronie' because it's a member of 'cron_and_at' group.
Rule 'file_groupowner_cron_yearly' must be in component 'cronie' because it's a member of 'cron_and_at' group.

Contributor Author

fixed in 6a54d25

@Arden97
Contributor Author

Arden97 commented Nov 13, 2025

@Mab879 are there any other changes required before this PR can be merged? If not, may I ask you to merge it so I can move the ticket to the 'Review' state?

@Mab879 Mab879 merged commit 4b6aae1 into ComplianceAsCode:master Nov 13, 2025
125 of 126 checks passed
@Arden97 Arden97 deleted the cron_yearly_configured branch November 14, 2025 08:42