New tasks about restricting the cron and at daemons

DC-task-restrict-at

@@ -0,0 +1,12 @@
+# This file originates from the project https://github.com/openSUSE/doc-kit
+# This file can be edited downstream.
+
+MAIN="task-restrict-at.xml"
+ROOTID="task-restrict-at"
+
+PROFCONDITION="suse-product"
+#PROFCONDITION="suse-product;beta"
+#PROFCONDITION="community-project"
+
+STYLEROOT="/usr/share/xml/docbook/stylesheet/suse2021-ns"
+FALLBACK_STYLEROOT="/usr/share/xml/docbook/stylesheet/suse-ns"

DC-task-restrict-cron

@@ -0,0 +1,12 @@
+# This file originates from the project https://github.com/openSUSE/doc-kit
+# This file can be edited downstream.
+
+MAIN="task-restrict-cron.xml"
+ROOTID="task-restrict-cron"
+
+PROFCONDITION="suse-product"
+#PROFCONDITION="suse-product;beta"
+#PROFCONDITION="community-project"
+
+STYLEROOT="/usr/share/xml/docbook/stylesheet/suse2021-ns"
+FALLBACK_STYLEROOT="/usr/share/xml/docbook/stylesheet/suse-ns"

xml/task-restrict-at.xml

@@ -0,0 +1,225 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- This file originates from the project https://github.com/openSUSE/doc-kit -->
+<!-- This file can be edited downstream. -->
+
+<?xml-stylesheet href="urn:x-suse:xslt:profiling:docbook51-profile.xsl"
+ type="text/xml"
+ title="Profiling step"?>
+<!DOCTYPE article
+[
+  <!ENTITY % entities SYSTEM "generic-entities.ent">
+    %entities;
+  <!ENTITY atd "<systemitem xmlns='http://docbook.org/ns/docbook' class='daemon'>at</systemitem>">
+]>
+
+<!--metadata
+ * product(s): SLES, SLED, SLE-HA, SLES-SAP, SLE-HPC, SLE-RT
+ * product version(s): 15 SP3, 15 SP2, 15 GA
+ * topic category/ies: system administration, security
+ * target group(s): system administrators
+ * initially published: ?
+ * last modified: 2021-11-26 -->
+
+<article xml:id="task-restrict-at" xml:lang="en"
+ role="task"
+ xmlns="http://docbook.org/ns/docbook" version="5.1"
+ xmlns:its="http://www.w3.org/2005/11/its"
+ xmlns:xi="http://www.w3.org/2001/XInclude"
+ xmlns:xlink="http://www.w3.org/1999/xlink">
+
+ <info>
+  <title>Restricting the &atd; scheduler</title>
+   <dm:docmanager xmlns:dm="urn:x-suse:ns:docmanager">
+    <dm:bugtracker>
+     <dm:url>https://bugzilla.suse.com/enter_bug.cgi</dm:url>
+     <dm:component>Smart Docs</dm:component>
+     <dm:product>Documentation</dm:product>
+     <dm:assignee>[email protected]</dm:assignee>
+    </dm:bugtracker>
+    <dm:translation>no</dm:translation>
+   </dm:docmanager>
+ </info>
+
+ <section xml:id="environment-restrict-at">
+ <title>Environment</title>
+  <para>This document applies to the following products and product versions:</para>
+  <itemizedlist>
+  <listitem>
+   <para>&sles;&nbsp;15&nbsp;SP3, 15&nbsp;SP2, 15&nbsp;SP1, 15&nbsp;GA, 12&nbsp;SP5, 12&nbsp;SP4, 12&nbsp;SP3</para>
+  </listitem>
+  <listitem>
+   <para>&sles4sap;&nbsp;15&nbsp;SP3, 15&nbsp;SP2, 15&nbsp;SP1, 15&nbsp;GA, 12&nbsp;SP5, 12&nbsp;SP4, 12&nbsp;SP3</para>
+  </listitem>
+  <listitem>
+   <para>&sleha;&nbsp;15&nbsp;SP3, 15&nbsp;SP2, 15&nbsp;SP1, 15&nbsp;GA, 12&nbsp;SP5, 12&nbsp;SP4, 12&nbsp;SP3</para>
+  </listitem>
+  <listitem>
+   <para>&slehpc;&nbsp;15&nbsp;SP3, 15&nbsp;SP2, 15&nbsp;SP1, 15&nbsp;GA</para>
+  </listitem>
+  <listitem>
+   <para>&sled;&nbsp;15&nbsp;SP3, 15&nbsp;SP2, 15&nbsp;SP1, 15&nbsp;GA, 12&nbsp;SP5, 12&nbsp;SP4, 12&nbsp;SP3</para>
+  </listitem>
+  <listitem>
+   <para>&slert;&nbsp;15&nbsp;SP3, 15&nbsp;SP2, 15&nbsp;SP1, 15&nbsp;GA, 12&nbsp;SP5, 12&nbsp;SP4, 12&nbsp;SP3</para>
+  </listitem>
+ </itemizedlist>
+</section>
+
+ <section xml:id="introduction-restrict-at">
+  <title>Introduction</title>
+  <para>
+   The &atd; job execution system allows users to schedule one-time running
+   jobs. The <filename>at.allow</filename> file specifies a list of users that
+   are allowed to schedule jobs via &atd;. The file does not exist by default,
+   so all users can schedule &atd; jobs&mdash;except for those listed in
+   <filename>at.deny</filename>)
+  </para>
+ </section>
+
+ <section xml:id="requirements-restrict-at">
+  <title>Requirements</title>
+  <itemizedlist>
+   <listitem>
+    <para>
+     You have installed your product and your system is up and running.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     The <package>at</package> package is installed. If not, run
+     <command>zypper in at</command> to install it.
+    </para>
+   </listitem>
+  </itemizedlist>
+  <!-- cwickert 2021-10-05: No idea why the template contains another <para> here. 
+  <para>
+   A paragraph of text.
+  </para>
+  -->
+ </section>
+
+ <section xml:id="restrict-at">
+  <title>Restrict access to the &atd; scheduler</title>
+  <!-- cwickert 2021-10-05: No idea why the template has two introductions, one
+   before and one at the beginning of the procedure. 
+  <para>
+   To prevent users except for root from scheduling jobs with <systemitem
+    class="daemon">at</systemitem>, perform the following steps.
+  </para>
+  -->
+  <procedure>
+   <para>
+    To prevent users except for &rootuser; from scheduling jobs with &atd;,
+    perform the following steps.
+   </para>
+   <step>
+    <para>
+     Create an empty file <filename>/etc/at.allow</filename>:
+    </para>
+<screen>&prompt.sudo;<command>touch</command> /etc/at.allow</screen>
+   </step>
+   <step>
+    <para>
+     Allow users to schedule jobs with &atd; by adding their usernames to the
+     file:
+    </para>
+<screen>&prompt.sudo;<command>echo</command> "&exampleuser_plain;" >> /etc/at.allow</screen>
+   </step>
+   <step>
+    <para>
+     To verify, try scheduling a job as non-root user listed in
+     <filename>at.allow</filename>:
+    </para>
+<screen>&prompt.user;<command>at 00:00</command>
+at></screen>
+    <para>
+     Quit the &atd;prompt with
+     <keycombo><keycap function="control"/><keycap>C</keycap></keycombo> and
+     try the same with a user <emphasis>not</emphasis> listed in
+     <filename>/etc/at.allow</filename> (or before adding them the file in step
+     2 of this procedure):
+    </para>
+<screen>&prompt.user2;<command>at 00:00</command>
+You do not have permission to use at.</screen>
+   </step>
+  </procedure>
+ </section>
+
+ <section xml:id="summary-restrict-at">
+  <title>Summary</title>
+  <para>
+   You have successfully restricted scheduling jobs with &atd; for non-root
+   users.
+  </para>
+ </section>
+
+ <section xml:id="troubleshooting-restrict-at">
+  <title>Troubleshooting</title>
+  <para>When implementing <filename>/etc/at.allow</filename>, there are
+   basically only two problems that can occur:
+  </para>
+  <variablelist>
+   <varlistentry>
+    <term>A user <emphasis>can</emphasis> schedule a job with &atd; although
+     they should <emphasis>not</emphasis>.</term>
+    <listitem>
+     <para>
+      Check that the username in <filename>/etc/at.allow</filename> matches
+      the actual username.
+     </para>
+    </listitem>
+   </varlistentry>
+   <varlistentry>
+    <term>A user can <emphasis>not</emphasis> schedule a job with &atd; jobs
+     although they <emphasis>should</emphasis>.</term>
+    <listitem>
+     <para>
+      If the user is correctly listed in <filename>/etc/at.allow</filename>
+      but cannot schedule &atd; jobs, check if they are also listed in
+      <filename>/etc/at.deny</filename>. If the user appears in both files,
+      <filename>/etc/at.deny</filename> wins. Remove the user from that file to
+      allow them to schedule &atd; jobs.
+     </para>
+    </listitem>
+   </varlistentry>
+  </variablelist>
+ </section>
+
+ <section xml:id="next-restrict-at">
+  <title>Next steps</title>
+  <itemizedlist>
+   <listitem>
+    <para>
+     &atd; is not widely used anymore. If you do not have valid use cases,
+     consider uninstalling the daemon instead of just restricting its access.
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     To further improve security, also consider restricting access to the
+     &crond; daemon.
+    </para>
+   </listitem>
+  </itemizedlist>
+ </section>
+
+ <section xml:id="related-restrict-at">
+  <title>Related topics</title>
+  <itemizedlist>
+   <listitem>
+    <para>
+     Restricting the &crond; scheduler
+     <!-- cwickert 2021-10-05: Once we can link smartdocs, use this link instead
+     <xref linkend="task-restrict-cron"/> -->
+    </para>
+   </listitem>
+   <listitem>
+    <para>
+     <link xlink:href="https://documentation.suse.com/smart/linux/html/task-create-systemd-timers/">Create &systemd; timers</link>
+     <!-- cwickert 2021-10-05: Once we can link smartdocs, use this link instead
+     <xref linkend="task-create-systemd-timers"/> -->
+    </para>
+   </listitem>
+  </itemizedlist>
+ </section>
+</article>