DISA STIG hardening results in inability to run commands using cron
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Ubuntu Security Certifications | Fix Released | Undecided | Unassigned | |
Bug Description
We have an Ubuntu 20.04 cloud image with DISA STIG hardening applied, but we are unable to run commands via cron; they fail with a permission denied error.
Reproducer:
```
# Set up a cron job 2m from current time (pls don't run this at xx:58 or xx:59 :))
# 10# forces decimal so minutes 08 and 09 are not rejected as invalid octal by $(( ))
cat > /etc/cron.d/test << EOF
$(( 10#$(date +%M) + 2 )) $(date +%H) * * * root echo "Hello" > /tmp/hello
EOF
# Restart cron to clear logs
systemctl restart cron
# Wait 2m
journalctl -t cron
```
You will see `Permission denied` in the journalctl output.
```
# Mar 23 21:53:01 alatl15-gpcbm06 cron[533877]: (*system*test) RELOAD (/etc/cron.d/test)
# Mar 23 21:53:01 alatl15-gpcbm06 cron[534993]: Permission denied
```
We have tracked this down to the hardening changes applied to /etc/pam.
```
ensure_
```
If this last line of /etc/pam.
Is this expected when this rule is remediated?
Hi Phil,
Like LP#1969480, this also seems to be a bug in the way that the CaC scripts handle pam.d files.
The STIG hardening probably added three lines to the bottom of /etc/pam.d/common-auth.
As an immediate workaround, you can move those three lines ("auth required pam_faildelay", "auth required pam_tally2", "auth [...] pam_pkcs11") above the "auth requisite pam_deny" line. This resolves the issue that you described on my side; please let me know whether this resolves the issue (short-term) on your side.
We'll take a look at the `ensure_pam_module_options` function in the CaC content to generate long-term resolutions to this issue and LP#1969480!
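The comment above attributes the failure to where the hardening lines were placed in the `auth` stack, and the workaround is to move them. Line position matters in PAM because a bracketed control such as `[success=1 default=ignore]` jumps over a fixed number of lines, so appending or inserting entries changes which modules actually run. The following is an added example, not code from the bug report or from the ComplianceAsCode project: a small evaluator for the subset of pam.conf(5) control semantics used in `common-auth` (the simple keywords, bracketed `success=`/`default=` actions `ok`, `done`, `die`, `bad`, `ignore` and integer skip counts). The stock Ubuntu 20.04 stack is reproduced from memory; the appended `pam_pkcs11.so` line, its `required` control and the per-module outcomes are constructed assumptions, since the page does not show the real remediation's controls or options.

```python
import re
from typing import Dict, List, Tuple

# Stock Ubuntu 20.04 /etc/pam.d/common-auth auth stack (reproduced, not read from disk).
STOCK_COMMON_AUTH = """\
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_cap.so
"""

# Constructed hardening line appended at the bottom, as the comment describes.
# The real remediation's control flags and options are not shown on the page.
APPENDED = STOCK_COMMON_AUTH + "auth    required                        pam_pkcs11.so\n"

# Same line relocated between pam_unix and pam_deny with pam_unix's "success=1"
# left unchanged: the jump now lands on pam_pkcs11 instead of pam_permit, so
# pam_deny runs even when pam_unix succeeded.
MOVED_UNADJUSTED = """\
auth    [success=1 default=ignore]      pam_unix.so nullok_secure
auth    required                        pam_pkcs11.so
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_cap.so
"""

# Relocated with the jump widened to 2 so a pam_unix success still reaches pam_permit.
MOVED_ADJUSTED = MOVED_UNADJUSTED.replace("success=1", "success=2")

# Assumed module outcomes for a non-interactive root service such as cron:
# the Unix check passes, no smart card is present (constructed).
CRON_OUTCOMES = {"pam_unix.so": True, "pam_permit.so": True, "pam_cap.so": True,
                 "pam_deny.so": False, "pam_pkcs11.so": False}

# pam.conf(5) equivalents of the simple control keywords.
SIMPLE = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}
AUTH_LINE = re.compile(r"^\s*auth\s+(\[[^\]]*\]|\S+)\s+(\S+)")


def parse_auth(text: str) -> List[Tuple[Dict[str, str], str]]:
    """Return (control table, module) per auth entry; comments and other types are skipped."""
    stack = []
    for line in text.splitlines():
        m = AUTH_LINE.match(line)
        if not m:
            continue
        ctl, module = m.groups()
        if ctl.startswith("["):
            table = dict(kv.split("=", 1) for kv in ctl[1:-1].split())
        else:
            table = SIMPLE[ctl]
        stack.append((table, module))
    return stack


def run_auth(text: str, outcomes: Dict[str, bool]) -> bool:
    """Walk the stack with the given per-module results; True means the caller
    gets PAM_SUCCESS. Modules missing from `outcomes` are treated as failing,
    the safe assumption for a caller that cannot answer prompts."""
    stack = parse_auth(text)
    succeeded = failed = False
    i = 0
    while i < len(stack):
        table, module = stack[i]
        ok = outcomes.get(module, False)
        action = table.get("success" if ok else "default", "bad")
        if action == "die":            # record failure and stop the stack now
            return False
        if action == "bad":            # record failure, keep walking
            failed = True
        elif action != "ignore":       # ok, done, or an integer skip count
            if ok:
                succeeded = True
            else:
                failed = True
            if action == "done":       # stop here; an earlier failure still wins
                break
            if action.isdigit():       # jump over the next N entries
                i += int(action)
        i += 1
    return succeeded and not failed


def check_all() -> Dict[str, bool]:
    """Evaluate each stack variant for the cron-style outcomes above."""
    variants = [("stock", STOCK_COMMON_AUTH), ("appended", APPENDED),
                ("moved_unadjusted", MOVED_UNADJUSTED), ("moved_adjusted", MOVED_ADJUSTED)]
    return {name: run_auth(text, CRON_OUTCOMES) for name, text in variants}


if __name__ == "__main__":
    for name, result in check_all().items():
        print(f"{name:18s} {'PASS' if result else 'Permission denied'}")
```

The four variants are the check worth running before touching `common-auth`: the stock stack passes, the appended `required` line denies a caller that cannot satisfy it, and simply moving that line above `pam_deny` still denies even a successful `pam_unix` unless the `success=N` skip count is updated to match the new distance to `pam_permit`. Feed `run_auth` the contents of the hardened file and a table of expected outcomes for the service in question to see which entry is responsible for a denial.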