Profile Applicability:
 • Level 1

Description:
 The at command schedules one-time tasks to run at a specified time. Restricting access to the at command ensures only authorized users can schedule such jobs, preventing unauthorized or malicious tasks that could compromise system security.

Rationale:
 Unrestricted use of at can lead to unauthorized task execution, privilege escalation, or system disruption. Limiting at usage to authorized users helps maintain system integrity and control over scheduled tasks.

Impact:
 Pros:

  • Prevents unauthorized scheduling of one-time tasks.

  • Helps maintain system stability and security.

  • Supports compliance with security policies and standards.

 Cons:

  • Restricting access may limit legitimate user flexibility for scheduling tasks.

Default Value:
 By default, access to the at command may be unrestricted or controlled via /etc/at.allow and /etc/at.deny files.

Pre-requisites:
 Root or sudo privileges to configure at access controls.

Remediation:

Test Plan:
 Using Linux command line:

  1. Check for the presence of /etc/at.allow and /etc/at.deny files:

ls -l /etc/at.allow /etc/at.deny

  2. Verify which users are permitted or denied access based on these files.
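
An added example (not part of the original benchmark text) for step 2 of the test plan: a shell helper that resolves whether a given user may use at from the two files, using the precedence documented in at(1), and checks a file's mode and numeric owner against the 600 root:root set in the implementation plan. The function names and the optional path and expected-metadata arguments are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit helper for the at access-control files (not benchmark text).
# Function names and the optional path arguments are assumptions for this example.

# at_access USER [ALLOW_FILE] [DENY_FILE] -> prints "allowed" or "denied".
# Precedence per at(1): if at.allow exists, only users listed in it may use at;
# otherwise at.deny is a blocklist; with neither file only the superuser may.
at_access() {
    user=$1
    allow=${2:-/etc/at.allow}
    deny=${3:-/etc/at.deny}
    if [ "$user" = "root" ]; then
        echo allowed                      # the superuser may always use at
    elif [ -e "$allow" ]; then
        # -x -F: exact whole-line match, so "admin" does not match "adminuser"
        if grep -qxF -- "$user" "$allow"; then echo allowed; else echo denied; fi
    elif [ -e "$deny" ]; then
        if grep -qxF -- "$user" "$deny"; then echo denied; else echo allowed; fi
    else
        echo denied
    fi
}

# at_file_status FILE [EXPECTED] -> "ok", "missing" or "bad: <mode> <uid>:<gid>".
# EXPECTED defaults to mode 600 owned by uid 0 / gid 0 (root:root).
# Uses GNU stat (-c), as found on Linux.
at_file_status() {
    [ -e "$1" ] || { echo missing; return 0; }
    meta=$(stat -c '%a %u:%g' "$1")
    if [ "$meta" = "${2:-600 0:0}" ]; then echo ok; else echo "bad: $meta"; fi
}

# Report on the live files, then on each username given as an argument.
for f in /etc/at.allow /etc/at.deny; do
    echo "$f: $(at_file_status "$f")"
done
for u in "$@"; do
    echo "$u: $(at_access "$u")"
done
```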

Implementation Plan:
 Using Linux command line:

  1. To restrict at access, create or edit /etc/at.allow and list authorized users (one username per line). For example:

echo "root" > /etc/at.allow
echo "adminuser" >> /etc/at.allow

  2. Remove or restrict /etc/at.deny if it conflicts with /etc/at.allow.

  3. Set correct ownership and permissions on these files:

chown root:root /etc/at.allow /etc/at.deny
chmod 600 /etc/at.allow /etc/at.deny

  4. Verify changes:

cat /etc/at.allow
cat /etc/at.deny

Backout Plan:
 Using Linux command line:

  1. If needed, remove /etc/at.allow to revert to default behavior.

  2. Restore previous content of /etc/at.deny if applicable.

  3. Set previous ownership and permissions on these files.
