Information
The cron.allow and at.allow files contain a list of users who are allowed to run the crontab and at commands to submit jobs to be run at scheduled intervals.
Rationale:
On many systems, only the system administrator needs the ability to schedule jobs. Even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs. Much more effective access controls for the cron system can be obtained by using Role-Based Access Controls (RBAC).
Solution
Perform the following to implement the recommended state:
# mv /etc/cron.deny /etc/cron.deny.cis
# mv /etc/at.deny /etc/at.deny.cis
# echo root > /etc/cron.allow
# cp /dev/null at.allow
# chown root:root cron.allow at.allow
# chmod 400 cron.allow at.allow
Note that the root/superuser is always allowed to use the at command and is not required to be specifically listed in at.allow.