Detections
Analytics

4.1.8 Ensure cron is restricted to authorized users

Information

Configure /etc/cron.allow to allow specific users to use this service. If /etc/cron.allow does not exist, then /etc/cron.deny is checked. Any user not specifically defined in this file is allowed to use cron. By removing the file, only users in /etc/cron.allow are allowed to use cron.

Note:

 - Other methods, such as systemd timers exist for scheduling jobs. If another method is used, cron should be removed, and the alternate method should be secured in accordance with local site policy
 - Even though a given user is not listed in cron.allow cron jobs can still be run as that user
 - The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs

On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files.

Solution

Run the following script to:

 - Remove /etc/cron.deny if it exists
 - Create /etc/cron.allow if it doesn't exist
 - Change ownership of /etc/cron.allow to the root user
 - Change group ownership of /etc/cron.allow to the group crontab

#!/usr/bin/env bash

{
 if dpkg-query -W cron > /dev/null 2>&1; then
 l_file="/etc/cron.allow"
 l_mask='0137'
 l_maxperm="$( printf '%o' $(( 0777 & ~$l_mask)) )"
 if [ -e /etc/cron.deny ]; then
 echo -e " - Removing \"/etc/cron.deny\""
 rm -f /etc/cron.deny
 fi
 if [ ! -e /etc/cron.allow ]; then
 echo -e " - creating \"$l_file\""
 touch "$l_file"
 fi
 while read l_mode l_fown l_fgroup; do
 if [ $(( $l_mode & $l_mask )) -gt 0 ]; then
 echo -e " - Removing excessive permissions from \"$l_file\""
 chmod u-x,g-wx,o-rwx "$l_file"
 fi
 if [ "$l_fown" != "root" ]; then
 echo -e " - Changing owner on \"$l_file\" from: \"$l_fown\" to: \"root\""
 chown root "$l_file"
 fi
 if [ "$l_fgroup" != "crontab" ]; then
 echo -e " - Changing group owner on \"$l_file\" from: \"$l_fgroup\" to: \"crontab\""
 chgrp crontab "$l_file"
 fi
 done < <(stat -Lc '%#a %U %G' "$l_file")
 else
 echo -e "- cron is not installed on the system, no remediation required
"
 fi
}

See Also

https://workbench.cisecurity.org/benchmarks/13007

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 6b232e7bbdf403654195b2c2cb17ed26428d0409688697403ea39fbe07a25a79