3.7.2.1 crontab entries - owned by userid

Information

This check examines the permissions of every script referenced from the root crontab, and of each directory on the path to that script, to ensure that they are owned and writable by the root user only.

Rationale:

All root crontab entries must be owned and writable by the root user only. If a script, or any directory on the path to it, were group or world writable, the script could be replaced or edited with malicious content, which would then subsequently run on the system with root authority.

Solution

Ensure that all root crontab entries are owned and writable by root only.
The ksh script below (run it as root, since crontab -l lists the invoking user's crontab) extracts the absolute command path of each root crontab entry, then walks from that file up through every parent directory, warning when the file or a directory is group or world writable, or is not owned by the root or bin user:

crontab -l | egrep -v '^#' | awk '{print $6}' | grep '^/' | sort -u | while read DIR
do
    DIR=${DIR:-$(pwd)}      # defensive; DIR is never empty after grep '^/'
    # First pass checks the script itself, later passes each parent directory.
    while [[ -a ${DIR} ]]
    do
        # ls -ld mode string: char 6 is the group write bit, char 9 the world write bit
        [[ "$(ls -ld ${DIR})" = @(????????w? *) ]] && print " WARNING ${DIR} is world writable"
        [[ "$(ls -ld ${DIR})" = @(?????w???? *) ]] && print " WARNING ${DIR} is group writable"
        [[ "$(ls -ld ${DIR} | awk '{print $3}')" != @(root|bin) ]] && print " WARNING ${DIR} is not owned by root or bin"
        DIR=${DIR%/*}       # strip the last path component and move up one level
    done
done

NOTE: Review the output and correct the flagged files and directories where possible. Files and directories that are group and/or world writable, or not owned by root or bin, are marked with 'WARNING'.
To manually change permissions on the files or directories:
To remove group writable access:

chmod g-w <name>

To remove world writable access:

chmod o-w <name>

To remove both group and world writable access:

chmod go-w <name>

To change the owner of a file or directory:

chown <new user> <name>
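The check and the remediation above, rewritten as one runnable example. This is an added illustration, not the audit's own script or part of AIX Security Expert: it is written in POSIX sh so it runs unchanged under AIX ksh, bash or dash, parses ls -ld output exactly as the original does (so an ACL "+" suffix on the mode string is tolerated), also checks / itself, and accepts an optional TOP directory so a constructed test tree can be audited without walking into /tmp. The names ALLOWED_OWNERS, cron_script_paths, perm_problems, check_chain, check_crontab and demo_run are chosen here; the sample crontab and directory tree are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the audit's own script): POSIX-sh re-implementation of the
# root-crontab path check plus the documented chmod go-w remediation.
# Function and variable names below are this example's own choices.

# Accounts allowed to own a root cron script or any directory on its path.
ALLOWED_OWNERS="${ALLOWED_OWNERS:-root bin}"

# cron_script_paths: read a crontab on stdin and print the absolute command
# path (field 6) of each non-comment entry, de-duplicated. Like the original,
# it ignores commands invoked via an interpreter ("sh /path") or a relative path.
cron_script_paths() {
    grep -v '^[[:space:]]*#' | awk 'NF >= 6 && $6 ~ /^\// { print $6 }' | sort -u
}

# perm_problems PATH: print a WARNING line for each problem with PATH itself.
# Exit status 0 = clean, 1 = at least one problem (or PATH missing).
perm_problems() {
    p=$1
    line=$(ls -ld "$p" 2>/dev/null) || { echo " WARNING $p does not exist"; return 1; }
    mode=${line%% *}                               # e.g. drwxrwxrwt or -rwxr-xr-x+
    owner=$(printf '%s\n' "$line" | awk '{ print $3 }')
    rc=0
    case $mode in ????????w*) echo " WARNING $p is world writable"; rc=1 ;; esac
    case $mode in ?????w*)    echo " WARNING $p is group writable"; rc=1 ;; esac
    case " $ALLOWED_OWNERS " in
        *" $owner "*) ;;
        *) echo " WARNING $p is not owned by one of: $ALLOWED_OWNERS"; rc=1 ;;
    esac
    return $rc
}

# check_chain FILE [TOP]: check FILE and every ancestor directory, finishing
# with TOP (default /, which the original loop stopped just short of).
# Exit 0 if every component is clean, 1 otherwise.
check_chain() {
    p=$1; top=${2:-/}; bad=0
    while :; do
        perm_problems "$p" || bad=1
        [ "$p" = "$top" ] && break
        [ "$p" = / ] && break
        p=${p%/*}; [ -z "$p" ] && p=/              # "/usr" -> "" -> "/"
    done
    return $bad
}

# check_crontab [TOP]: read a crontab on stdin and run check_chain on every
# script it references. Exit 0 only if every path chain is clean.
check_crontab() {
    status=0
    for p in $(cron_script_paths); do
        check_chain "$p" "${1:-/}" || status=1
    done
    return $status
}

# demo_run: build a constructed tree with a world-writable directory, show the
# finding, apply the documented fix (chmod go-w) and re-check.
demo_run() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/cron"
    printf '#!/bin/sh\necho hello\n' > "$t/cron/job.sh"
    chmod 755 "$t/cron/job.sh"
    chmod 777 "$t/cron"                 # deliberately weak, as the audit would flag
    ALLOWED_OWNERS=$(id -un)            # the constructed tree is ours, not root's
    echo "== before remediation"
    check_chain "$t/cron/job.sh" "$t" || echo "   (exit status 1: problems found)"
    chmod go-w "$t/cron"                # the remediation from the Solution section
    echo "== after chmod go-w"
    check_chain "$t/cron/job.sh" "$t" && echo "   (exit status 0: clean)"
    rm -rf "$t"
}

# Run with "live" to audit the real root crontab (as root, since crontab -l
# shows the invoking user's crontab); with no argument, run the demo.
case ${1:-demo} in
    live) crontab -l | check_crontab ;;
    *)    demo_run ;;
esac
```

Invoking the script with no arguments prints the two WARNING lines for the world- and group-writable directory, then a clean second pass after chmod go-w; "live" pipes the real root crontab through the same functions and walks every path up to /. Commands that the crontab runs through an interpreter or by a relative path are not checked by either this example or the original script, so review those entries by hand.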

Default Value:

N/A

Additional Information:

Default AIX Security Expert policy values:

High Level policy: Permissions checked
Medium Level policy: Permissions checked
Low Level policy: Permissions checked

See Also

https://workbench.cisecurity.org/files/4119

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: e574e90d77838ef3e856a699088c44d6b808f256a6acf7ef78286d8716945d9f