3.7.1.8 /var/spool/cron/crontabs

Information

The /var/spool/cron/crontabs directory contains all of the crontabs for the users on the system.

Rationale:

The /var/spool/cron/crontabs directory contains all of the crontabs for the users on the system. Crontab files present a security problem because they are run by the cron daemon, which runs with superuser rights. Allowing other users read or write access to these files may allow them to escalate their privileges. To negate this risk, the directory and all the files that it contains must be secured.

Solution

Apply the appropriate permissions to /var/spool/cron/crontabs:

chmod -R o= /var/spool/cron/crontabs
chmod ug=rwx,o= /var/spool/cron/crontabs
chgrp -R cron /var/spool/cron/crontabs
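
One way to verify that the three commands above took effect, as an added example that is not part of the benchmark or of the audit plugin. The function name audit_crontabs, its arguments and its output labels are assumptions of this example; it relies only on POSIX find tests.

```shell
#!/bin/sh
# Added audit example; not part of the benchmark text.
# Usage: audit_crontabs [DIR] [GROUP]
# Prints one line per finding; returns 0 if compliant, 1 otherwise.
audit_crontabs() {
    dir=${1:-/var/spool/cron/crontabs}
    grp=${2:-cron}
    rc=0

    if [ ! -d "$dir" ]; then
        echo "ERROR: $dir is not a directory"
        return 1
    fi

    # chmod -R o= : no entry in the tree may grant any permission to "other".
    other=$(find "$dir" \( -perm -004 -o -perm -002 -o -perm -001 \) -print 2>&1)
    if [ -n "$other" ]; then
        printf '%s\n' "$other" | sed 's/^/OTHER-ACCESS: /'
        rc=1
    fi

    # chmod ug=rwx,o= : the directory itself must carry rwx for user and group.
    top=$(find "$dir" -prune ! -perm -770 -print 2>&1)
    if [ -n "$top" ]; then
        echo "DIR-MODE: $dir lacks rwx for user and/or group"
        rc=1
    fi

    # chgrp -R cron : every entry must belong to the expected group.
    # A find error (for example an unknown group name) is reported as a finding too.
    badgrp=$(find "$dir" ! -group "$grp" -print 2>&1)
    if [ -n "$badgrp" ]; then
        printf '%s\n' "$badgrp" | sed 's/^/WRONG-GROUP: /'
        rc=1
    fi

    return $rc
}
```

Run it as root, since the secured directory is not readable by other users: `audit_crontabs /var/spool/cron/crontabs cron`.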

Default Value:

N/A

See Also

https://workbench.cisecurity.org/files/4119

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 7cd0c9efb250a0cc8a8489170332ca8d1281249eff607835a47e9e50ff6ff4c4