#!/bin/bash
#
# kate: tab-indents off; tab-width 4; indent-width 4;
#
# This file implements the following CIS controls
# --------------------------------------------------------------------
#  5.1.8   Ensure at/cron is restricted to authorized users
#----------------------------------------------------------------------

# Apply the allow/deny-list changes for at and cron in a single augtool run.
#
#   --autosave    write the modified tree back to disk when the script ends
#   --backup      keep the original of each changed file as <file>.augsave
#   --noautoload  do not autoload lens modules; only the four files named by
#                 the transform lines below are parsed by "load"
#
# The here-doc delimiter is quoted ('EOD') so the shell passes the text through
# unexpanded: $noentry is an Augeas variable (defvar), not a shell variable.
#
# The "defvar noentry ...[count(*[.='root'])=0]" expression selects the
# allow-file node only when it has no child equal to 'root', so the following
# "set" adds root only where it is missing.
#
# NOTE(review): only stdout is discarded and augtool's exit status is never
# checked, so a failed run (e.g. augtool missing) still falls through to the
# commands after the here-doc.
# NOTE(review): with --backup, the removed *.deny files and any rewritten
# *.allow files presumably leave *.augsave copies in /etc with their original
# owner and mode - confirm whether those should be cleaned up.
augtool --autosave --backup --noautoload >/dev/null <<'EOD'
    transform Simplelines.lns incl /etc/at.deny
    transform Simplelines.lns incl /etc/at.allow
    transform Simplelines.lns incl /etc/cron.deny
    transform Simplelines.lns incl /etc/cron.allow
    load

    ######################################################################
    #   Ensure at/cron is restricted to authorized users (5.1.8)
    ######################################################################

    # Remove at.deny
    rm /files/etc/at.deny

    # Ensure at.allow exists
    set /files/etc/at.allow

    # Ensure root is listed in at.allow
    defvar noentry /files/etc/at.allow[count(*[.='root'])=0]
    set $noentry/01 root

    # Remove cron.deny
    rm /files/etc/cron.deny

    # Ensure cron.allow exists
    set /files/etc/cron.allow

    # Ensure root is listed in cron.allow
    defvar noentry /files/etc/cron.allow[count(*[.='root'])=0]
    set $noentry/01 root

EOD

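# Lock down the allow-lists. An allow-list only restricts at/cron if
# unprivileged users cannot rewrite it: "chmod og-rwx" leaves the owner's
# permissions alone, so a file that already existed with a non-root owner
# would stay editable by that owner. Set the owner and group to root first,
# then strip all group/other access.
chown root:root /etc/{at,cron}.allow
chmod og-rwx /etc/{at,cron}.allow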
