A simple mitigation is to add the following statement to the atd.service definition:
[Service] ExecStartPre=-find /var/spool/cron/atjobs/ -type f -name "=*" -not -newercc /run/systemd -delete Justification: -------------- The job command specification are files below /var/spool/cron/atjobs/. The naming convention is: <queue_letter><hexadecimal_epoche_start_time> On the start of a batch job the job file is renamed to =<hexadecimal_epoche_start_time>. This change the inode and „ctime“ of the file. Assuming that '/run/systemd' : 1. is created on startup of the machine 2. before atd is started So we have a barrier that allows the distinction stale job files.
