4.1.8 Ensure cron is restricted to authorized users

Information

Configure /etc/cron.allow to allow specific users to use this service. If /etc/cron.allow does not exist, then /etc/cron.deny is checked. Any user not specifically defined in this file is allowed to use cron. By removing the file, only users in /etc/cron.allow are allowed to use cron.

Note:

- Other methods, such as systemd timers exist for scheduling jobs. If another method is used, cron should be removed, and the alternate method should be secured in accordance with local site policy
- Even though a given user is not listed in cron.allow cron jobs can still be run as that user
- The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs

On many systems, only the system administrator is authorized to schedule cron jobs. Using the cron.allow file to control who can run cron jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files.

Solution

Run the following script to:

- Remove /etc/cron.deny if it exists
- Create /etc/cron.allow if it doesn't exist
- Change ownership of /etc/cron.allow to the root user
- Change group ownership of /etc/cron.allow to the group crontab

#!/usr/bin/env bash

{
if dpkg-query -W cron > /dev/null 2>&1; then
l_file="/etc/cron.allow"
l_mask='0137'
l_maxperm="$( printf '%o' $(( 0777 & ~$l_mask)) )"
if [ -e /etc/cron.deny ]; then
echo -e " - Removing \"/etc/cron.deny\""
rm -f /etc/cron.deny
fi
if [ ! -e /etc/cron.allow ]; then
echo -e " - creating \"$l_file\""
touch "$l_file"
fi
while read l_mode l_fown l_fgroup; do
if [ $(( $l_mode & $l_mask )) -gt 0 ]; then
echo -e " - Removing excessive permissions from \"$l_file\""
chmod u-x,g-wx,o-rwx "$l_file"
fi
if [ "$l_fown" != "root" ]; then
echo -e " - Changing owner on \"$l_file\" from: \"$l_fown\" to: \"root\""
chown root "$l_file"
fi
if [ "$l_fgroup" != "crontab" ]; then
echo -e " - Changing group owner on \"$l_file\" from: \"$l_fgroup\" to: \"crontab\""
chgrp crontab "$l_file"
fi
done < <(stat -Lc '%#a %U %G' "$l_file")
else
echo -e "- cron is not installed on the system, no remediation required
"
fi
}

See Also

https://workbench.cisecurity.org/benchmarks/15023

Item Details

Category: ACCESS CONTROL, MEDIA PROTECTION

References: 800-53|AC-3, 800-53|AC-5, 800-53|AC-6, 800-53|MP-2, CSCv7|14.6

Plugin: Unix

Control ID: cf74bc1ececc409f61c3e6c213665bbcf064e4f1d6ea2d5712bce7d480f3e069