Manage /etc/{at,cron}.{allow,deny} files
Related-Prod: PROD-22546
Related-Prod: PROD-22664
Change-Id: I66a35ef3d2436541ef70f02e2631fa8d4d86e5e9
diff --git a/README.rst b/README.rst
index 986ec72..50e1b13 100644
--- a/README.rst
+++ b/README.rst
@@ -235,7 +235,54 @@
automatic_reboot: true
automatic_reboot_time: "02:00"
-Linux with cron jobs
+Managing cron tasks
+-------------------
+
+There are two data structures that are related to managing cron itself and
+cron tasks:
+
+.. code-block:: yaml
+
+ linux:
+ system:
+ cron:
+
+and
+
+.. code-block:: yaml
+
+ linux:
+ system:
+ job:
+
+`linux:system:cron` manages cron packages, services, and '/etc/cron.allow' file.
+
+'deny' files are managed the only way - we're ensuring they are absent, that's
+a requirement from CIS 5.1.8
+
+'cron' pillar structure is the following:
+
+.. code-block:: yaml
+
+ linux:
+ system:
+ cron:
+ enabled: true
+ pkgs: [ <cron packages> ]
+ services: [ <cron services> ]
+ user:
+ <username>:
+ enabled: true
+
+To add user to '/etc/cron.allow' use 'enabled' key as shown above.
+
+'/etc/cron.deny' is not managed as CIS 5.1.8 requires it was removed.
+
+A user would be ignored if any of the following is true:
+* user is disabled in `linux:system:user:<username>`
+* user is disabled in `linux:system:cron:user:<username>`
+
+`linux:system:job` manages individual cron tasks.
By default, it will use name as an identifier, unless identifier key is
explicitly set or False (then it will use Salt's default behavior which is
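Review bot: the two statements about /etc/cron.deny in this hunk contradict each other: "'deny' files are managed the only way - we're ensuring they are absent" says the formula enforces absence, while "'/etc/cron.deny' is not managed as CIS 5.1.8 requires it was removed" says the file is not managed at all. Please settle on one wording that matches what the state actually applies, so a reader checking CIS 5.1.8 knows whether removal of the deny file is enforced or merely assumed. Separately, reStructuredText needs an empty line between "A user would be ignored if any of the following is true:" and the "* user is disabled ..." bullets; without it the items render as a continuation of the paragraph, not as a list. Minor: inline literals mix single quotes ('/etc/cron.allow') and single backticks (`linux:system:cron`); single backticks are interpreted text in RST and render as italics, so use double backticks for paths and pillar keys.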
@@ -255,6 +302,32 @@
hour: 2
minute: 0
+Managing 'at' tasks
+-------------------
+
+Pillar for managing `at` tasks is similar to one for `cron` tasks:
+
+.. code-block:: yaml
+
+ linux:
+ system:
+ at:
+ enabled: true
+ pkgs: [ <at packages> ]
+ services: [ <at services> ]
+ user:
+ <username>:
+ enabled: true
+
+To add a user to '/etc/at.allow' use 'enabled' key as shown above.
+
+'/etc/at.deny' is not managed as CIS 5.1.8 requires it was removed.
+
+A user will be ignored if any of the following is true:
+* user is disabled in `linux:system:user:<username>`
+* user is disabled in `linux:system:at:user:<username>`
+
+
Linux security limits (limit sensu user memory usage to max 1GB):
.. code-block:: yaml
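Review bot: same rendering problem as in the cron section: "A user will be ignored if any of the following is true:" runs straight into the "* user is disabled ..." bullets with no blank line, so RST will not render them as a list; insert an empty line before the first bullet. The sentence "'/etc/at.deny' is not managed as CIS 5.1.8 requires it was removed" carries the same ambiguity as the cron text: state explicitly whether the formula removes the file or only leaves it untouched, because the control is only met if the deny file is absent and the allow file exists. It would also help to document what ownership and mode the generated /etc/at.allow and /etc/cron.allow files get, since the same CIS control checks those as well as the file contents, and the pillar description here says nothing about it. Minor: the hunk leaves two empty "+" lines before "Linux security limits", one is enough.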