6.3 Restrict at/cron to Authorized Users

Information

The cron.allow and at.allow files contain a list of users who are allowed to run the crontab and at commands to submit jobs to be run at scheduled intervals.

Rationale:

On many systems, only the system administrator needs the ability to schedule jobs. Note that a user who is not listed in cron.allow can still have cron jobs run as that user: cron.allow only controls access to the crontab command for scheduling and modifying cron jobs, not whether jobs execute under that account. Much more effective access controls for the cron system can be obtained by using Role-Based Access Controls (RBAC).

Solution

Perform the following to implement the recommended state (all files live in /etc, so the paths are given in full):

# mv /etc/cron.deny /etc/cron.deny.cis
# mv /etc/at.deny /etc/at.deny.cis
# echo root > /etc/cron.allow
# cp /dev/null /etc/at.allow
# chown root:root /etc/cron.allow /etc/at.allow
# chmod 400 /etc/cron.allow /etc/at.allow

Note that the root/superuser is always allowed to use the at command and is not required to be specifically listed in at.allow.
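The following audit script is an added example and is not part of the benchmark page or of the Tenable plugin; it checks a cron/at configuration directory against the recommended state described above (deny lists removed, cron.allow naming only root, at.allow present but empty, both allow files root-owned and mode 0400). The directory is taken as a parameter so the checks can be run against a copy or a test tree; on a live system pass /etc. The function names are hypothetical, and ownership and mode are read by parsing POSIX `ls -l` output rather than a platform-specific `stat`.

```shell
#!/bin/sh
# Added example (not from the benchmark page): audit helpers that test whether a
# cron/at configuration directory matches the recommended state in item 6.3.
# DIR is a parameter so the checks can run against a test tree; on a live
# system pass /etc, where cron.deny, cron.allow, at.deny and at.allow live.

# Fail if either deny list is still present (the remediation renames both).
check_deny_absent() {
    dir=$1; rc=0
    for deny in cron.deny at.deny; do
        if [ -e "$dir/$deny" ]; then
            echo "FAIL: $dir/$deny exists; cron/at should be allow-list only"
            rc=1
        fi
    done
    return $rc
}

# Fail unless cron.allow exists and names root only (blank lines ignored).
check_cron_allow_root_only() {
    f=$1/cron.allow
    if [ ! -f "$f" ]; then
        echo "FAIL: $f missing"; return 1
    fi
    if grep -v '^[[:space:]]*$' "$f" | grep -qvx root; then
        echo "FAIL: $f lists users other than root"; return 1
    fi
    return 0
}

# Fail unless at.allow exists and contains no entries (root needs none).
check_at_allow_empty() {
    f=$1/at.allow
    if [ ! -f "$f" ]; then
        echo "FAIL: $f missing"; return 1
    fi
    if grep -q '[^[:space:]]' "$f"; then
        echo "FAIL: $f is not empty"; return 1
    fi
    return 0
}

# Fail unless both allow files are mode 0400 (ls mode string -r--------).
check_allow_file_mode() {
    dir=$1; rc=0
    for name in cron.allow at.allow; do
        f=$dir/$name
        [ -f "$f" ] || { echo "FAIL: $f missing"; rc=1; continue; }
        mode=$(ls -ld "$f" | cut -c1-10)
        if [ "$mode" != "-r--------" ]; then
            echo "FAIL: $f mode is $mode, expected -r-------- (0400)"
            rc=1
        fi
    done
    return $rc
}

# Fail unless both allow files are owned by root (third field of ls -l).
check_allow_file_owner() {
    dir=$1; rc=0
    for name in cron.allow at.allow; do
        f=$dir/$name
        [ -f "$f" ] || { echo "FAIL: $f missing"; rc=1; continue; }
        owner=$(ls -ld "$f" | awk '{print $3}')
        if [ "$owner" != "root" ]; then
            echo "FAIL: $f owned by $owner, expected root"
            rc=1
        fi
    done
    return $rc
}

# Run every check; return 0 only when all of them pass.
audit_cron_at() {
    status=0
    check_deny_absent "$1" || status=1
    check_cron_allow_root_only "$1" || status=1
    check_at_allow_empty "$1" || status=1
    check_allow_file_mode "$1" || status=1
    check_allow_file_owner "$1" || status=1
    [ $status -eq 0 ] && echo "PASS: $1 matches the recommended cron/at state"
    return $status
}

# Usage: sh cron_at_audit.sh /etc
if [ $# -gt 0 ]; then
    audit_cron_at "$1"
fi
```

Each check prints one FAIL line per deviation and the overall function exits non-zero if any check fails, so it can be dropped into a configuration-management compliance run. The ownership check is kept separate from the mode check because a non-root user can stage a compliant test tree for everything except file ownership.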

See Also

https://workbench.cisecurity.org/benchmarks/4777

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: af450b8c1a2e52ebbbb2af23da3b0e0ada64cf0582674bb607003c7f30c6a2a3