6.13 Restrict at/cron to Authorized Users - /etc/cron.d/cron.deny

Information

The cron.allow and at.allow files contain a list of users who are allowed to run the
crontab and at commands to submit jobs to be run at scheduled intervals.

On many systems, only the system administrator needs the ability to schedule jobs. Even
though a given user is not listed in cron.allow, cron jobs can still be run as that user. The
cron.allow file only controls administrative access to the crontab command for
scheduling and modifying cron jobs. Much more effective access controls for the cron
system can be obtained by using Role-Based Access Controls (RBAC).

Solution

Perform the following to implement the recommended state:

# cd /etc/cron.d
# mv cron.deny cron.deny.cis
# mv at.deny at.deny.cis
# echo root > cron.allow
# cp /dev/null at.allow
# chown root:root cron.allow at.allow
# chmod 400 cron.allow at.allow
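
To confirm the state these steps leave behind, the following check is an added example and is not part of the CIS benchmark text or the audit plugin. The function name check_cron_acl and its optional arguments (directory, expected numeric uid and gid) are hypothetical; it reads ownership and mode from ls -ln so it does not depend on a particular stat implementation.

```sh
#!/bin/sh
# Added example: audit the state left by the remediation steps on this page.
# check_cron_acl [DIR] [UID] [GID]   defaults: /etc/cron.d, 0, 0 (root:root)
check_cron_acl() {
    dir=${1:-/etc/cron.d}; want_uid=${2:-0}; want_gid=${3:-0}
    findings=0
    fail() { echo "FAIL: $*"; findings=$((findings + 1)); }

    # The deny files must be gone (the remediation renames them to *.cis).
    for f in cron.deny at.deny; do
        if [ -e "$dir/$f" ]; then fail "$dir/$f still exists"; fi
    done

    # The allow files must exist, be owned root:root and have mode 400.
    for f in cron.allow at.allow; do
        if [ ! -f "$dir/$f" ]; then fail "$dir/$f is missing"; continue; fi
        # ls -ln prints: mode string, link count, numeric uid, numeric gid, ...
        read -r mode _links uid gid _rest <<EOF
$(ls -ln "$dir/$f")
EOF
        case $mode in
            -r--------*) ;;   # a trailing character may mark an ACL or label
            *) fail "$dir/$f mode is $mode, expected -r--------" ;;
        esac
        if [ "$uid" != "$want_uid" ] || [ "$gid" != "$want_gid" ]; then
            fail "$dir/$f owner is $uid:$gid, expected $want_uid:$want_gid"
        fi
    done

    # Content set by the remediation: cron.allow lists only root, at.allow is empty.
    if [ -f "$dir/cron.allow" ] && [ "$(cat "$dir/cron.allow")" != root ]; then
        fail "$dir/cron.allow must contain only the line: root"
    fi
    if [ -s "$dir/at.allow" ]; then fail "$dir/at.allow is not empty"; fi

    # Exit status 0 only when every check passed.
    [ "$findings" -eq 0 ]
}
```

Run check_cron_acl with no arguments as root on the target host; each deviation is printed as a FAIL line and the function returns non-zero.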

See Also

https://workbench.cisecurity.org/files/616

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(10), CSCv6|9.1

Plugin: Unix

Control ID: 51c5469bdc1ac066f7988bc9038a3a95c508eabaeaad5c2069bffcd4538e516d