4.1.5 Ensure permissions on /etc/cron.weekly are configured

Information

The /etc/cron.weekly directory contains system cron jobs that need to run on a weekly basis. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory.

Note: Other methods, such as systemd timers exist for scheduling jobs. If another method is used, cron should be removed, and the alternate method should be secured in accordance with local site policy

Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.

Solution

Run the following commands to set ownership and permissions on the /etc/cron.weekly directory:

# chown root:root /etc/cron.weekly/
# chmod og-rwx /etc/cron.weekly/

See Also

https://workbench.cisecurity.org/benchmarks/13007

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: d7e4913b5074b6584eb7c73da10f9c0f064a90458ba46a87382a8cc98f6e52ae