Skip to content

2.4.1.8 Ensure cron is restricted to authorized users

Audit#

- IF - cron is installed on the system: Run the following command to verify /etc/cron.allow: - Exists - Is mode 0640 or more restrictive - Is owned by the user root - Is group owned by the group root - OR - the group crontab 

# stat /etc/cron.deny
stat -Lc 'Access: (%a/%A) Owner: (%U) Group: (%G)' /etc/cron.allow
Verify the returned value is: 
Access: (640/-rw-r-----) Owner: (root) Group: (root)
- OR -
Access: (640/-rw-r-----) Owner: (root) Group: (crontab)

Run the following command to verify either cron.deny doesn't exist or is: - Mode 0640 or more restrictive - Owned by the user root - Is group owned by the group root - OR - the group crontab 

# [ -e "/etc/cron.deny" ] && stat -Lc 'Access: (%a/%A) Owner: (%U) Group: (%G)' /etc/cron.deny

Verify either nothing is returned - OR - returned value is one of the following: 

Access: (640/-rw-r-----) Owner: (root) Group: (root)
- OR -
Access: (640/-rw-r-----) Owner: (root) Group: (crontab)

Note: On systems where cron is configured to use the group crontab, if the group crontab is not set as the owner of cron.allow, then cron will deny access to all users and you will see an error similar to: 

You (<USERNAME>) are not allowed to use this program (crontab)
See crontab(1) for more information

Remediation#

- IF - cron is installed on the system: - Run the following script to: - Create /etc/cron.allow if it doesn't exist - Change owner to user root - Change group owner to group root - OR - group crontab if it exists - Change mode to 640 or more restrictive 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
#!/usr/bin/env bash
{
[ ! -e "/etc/cron.deny" ] && touch /etc/cron.allow
chmod u-x,g-wx,o-rwx /etc/cron.allow
if grep -Pq -- '^\h*crontab\:' /etc/group; then
chown root:crontab /etc/cron.allow
else
chown root:root /etc/cron.allow
fi
}

- IF - /etc/cron.deny exists, run the following script to: - Change owner to user root - Change group owner to group root - OR - group crontab if it exists - Change mode to 640 or more restrictive Run the following command to create /etc/cron.allow 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
#!/usr/bin/env bash
{
if [ -e "/etc/cron.deny" ]; then
chmod u-x,g-wx,o-rwx /etc/cron.deny
if grep -Pq -- '^\h*crontab\:' /etc/group; then
chown root:crontab /etc/cron.deny
else
chown root:root /etc/cron.deny
fi
fi
}

Note: On systems where cron is configured to use the group crontab, if the group crontab is not set as the owner of cron.allow, then cron will deny access to all users and you will see an error similar to: 

You (<USERNAME>) are not allowed to use this program (crontab)
See crontab(1) for more information