2.4.1.8 Ensure crontab is restricted to authorized users

Information

crontab is the program used to install, deinstall, or list the tables used to drive the cron daemon. Each user can have their own crontab, and though these are files in /var/spool/cron/crontabs they are not intended to be edited directly.

If the /etc/cron.allow file exists, then you must be listed (one user per line) therein in order to be allowed to use this command. If the /etc/cron.allow file does not exist but the /etc/cron.deny file does exist, then you must not be listed in the /etc/cron.deny file in order to use this command.

If neither of these files exists, then depending on site-dependent configuration parameters, only the super user will be allowed to use this command, or all users will be able to use this command.

If both files exist then /etc/cron.allow takes precedence. Which means that /etc/cron.deny is not considered and your user must be listed in /etc/cron.allow in order to be able to use the crontab.

Regardless of the existence of any of these files, the root administrative user is always allowed to setup a crontab.

The files /etc/cron.allow and /etc/cron.deny if they exist, must be either world-readable, or readable by group crontab If they are not, then cron will deny access to all users until the permissions are fixed.

There is one file for each user's crontab under the /var/spool/cron/crontabs directory. Users are not allowed to edit the files under that directory directly to ensure that only users allowed by the system to run periodic tasks can add them, and only syntactically correct crontabs will be written there. This is enforced by having the directory writable only by the crontab group and configuring crontab command with the setgid bid set for that specific group.

Note:

- Even though a given user is not listed in cron.allow cron jobs can still be run as that user
- The files /etc/cron.allow and /etc/cron.deny if they exist, only controls administrative access to the crontab command for scheduling and modifying cron jobs

On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files.

Solution

- IF - cron is installed on the system:

Run the following script to:

- Create /etc/cron.allow if it doesn't exist
- Change owner to user root
- Change group owner to group root - OR - group crontab if it exists
- Change mode to 640 or more restrictive

#!/usr/bin/env bash

{
[ ! -e "/etc/cron.deny" ] && touch /etc/cron.allow
chmod u-x,g-wx,o-rwx /etc/cron.allow
if grep -Pq -- '^h*crontab:' /etc/group; then
chown root:crontab /etc/cron.allow
else
chown root:root /etc/cron.allow
fi
}

- IF - /etc/cron.deny exists, run the following script to:

- Change owner to user root
- Change group owner to group root - OR - group crontab if it exists
- Change mode to 640 or more restrictive

#!/usr/bin/env bash

{
if [ -e "/etc/cron.deny" ]; then
chmod u-x,g-wx,o-rwx /etc/cron.deny
if grep -Pq -- '^h*crontab:' /etc/group; then
chown root:crontab /etc/cron.deny
else
chown root:root /etc/cron.deny
fi
fi
}

Note: On systems where cron is configured to use the group crontab if the group crontab is not set as the owner of cron.allow then cron will deny access to all users and you will see an error similar to:

You (<USERNAME>) are not allowed to use this program (crontab)
See crontab(1) for more information

See Also

https://workbench.cisecurity.org/benchmarks/18960

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: 5025fb3a8d74eceeb8e53fd333a525b3825e1f950658eb1e180507fbc982a56b