9.1.8 Restrict at/cron to Authorized Users - '/etc/at.allow'

Information

Configure /etc/cron.allow and /etc/at.allow to allow specific users to use these services.
If /etc/cron.allow or /etc/at.allow do not exist, then /etc/at.deny and /etc/cron.deny are
checked. Any user not specifically defined in those files is allowed to use at and cron. By
removing the files, only users in /etc/cron.allow and /etc/at.allow are allowed to use at
and cron. Note that even though a given user is not listed in cron.allow, cron jobs can still
be run as that user. The cron.allow file only controls administrative access to the crontab
command for scheduling and modifying cron jobs.

*Rationale*

On many systems, only the system administrator is authorized to schedule cron jobs. Using
the cron.allow file to control who can run cron jobs enforces this policy. It is easier to
manage an allow list than a deny list. In a deny list, you could potentially add a user ID to
the system and forget to add it to the deny files.

Solution

# /bin/rm /etc/cron.deny
# /bin/rm /etc/at.deny
# touch /etc/cron.allow
# touch /etc/at.allow
# chmod og-rwx /etc/cron.allow
# chmod og-rwx /etc/at.allow
# chown root-root /etc/cron.allow
# chown root-root /etc/at.allow

See Also

https://workbench.cisecurity.org/files/91

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-6(10), CSCv6|3.1

Plugin: Unix

Control ID: 7014664e5e0e0f69bed4d04fc5eabfd9a4b3f49120ef55ce26dfbf55a70d0ef0