Profile Applicability:
 • Level 1

Description:
The crontab command allows users to schedule tasks to run automatically. Restricting access to crontab ensures that only authorized users can create, modify, or delete cron jobs, preventing unauthorized or malicious scheduled tasks that could compromise system security.

Rationale:
 Allowing unrestricted access to crontab can lead to unauthorized task execution, privilege escalation, or system disruption. By restricting crontab usage to authorized users, organizations can better control automated processes and reduce the attack surface.

Impact:
 Pros:

  • Prevents unauthorized scheduling of cron jobs.

  • Helps maintain system stability and security.

  • Supports compliance with security policies and standards.

Cons:

  • Restricting access may limit legitimate user flexibility for scheduling tasks.

Default Value:
 By default, access to crontab may be open or restricted depending on system configuration.

Pre-requisites:
 Root or sudo privileges to configure crontab access controls.

Remediation:

Test Plan:
 Using Linux command line:

1. Check for the presence of /etc/cron.allow and /etc/cron.deny files:

ls -l /etc/cron.allow /etc/cron.deny

2. Review the contents of whichever file exists to determine which users are permitted (/etc/cron.allow) or denied (/etc/cron.deny) access.

Implementation Plan:
 Using Linux command line:

  1. To restrict crontab access, create or edit /etc/cron.allow and list authorized users (one username per line). For example:

echo "root" > /etc/cron.allow
echo "adminuser" >> /etc/cron.allow

  2. Remove or restrict /etc/cron.deny if it conflicts with /etc/cron.allow.

  3. Set correct permissions on these files:

chown root:root /etc/cron.allow /etc/cron.deny
chmod 600 /etc/cron.allow /etc/cron.deny

  4. Verify changes:

cat /etc/cron.allow
cat /etc/cron.deny
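The following audit script is an added example for the Test Plan and verification step above, not part of this benchmark; it resolves access the way cron does (cron.allow takes precedence and cron.deny is ignored while cron.allow exists) and flags files that are not root-owned with mode 600. It assumes GNU coreutils (stat -c) and that ETC_DIR, a hypothetical variable, may point at a scratch directory for testing.

```shell
#!/bin/sh
# Audit helper for crontab access controls (added example, not benchmark text).
# Mirrors cron's resolution order: if cron.allow exists, only listed users may
# run crontab and cron.deny is ignored; otherwise users in cron.deny are blocked.
# DIR defaults to /etc; pass a scratch directory to exercise the logic safely.
# Assumes GNU coreutils (stat -c).

# crontab_access DIR USER -> prints allow/deny/unconfigured; exit 0/1/2
crontab_access() {
    etc="${1:-/etc}" user="$2"
    if [ -f "$etc/cron.allow" ]; then
        grep -qxF "$user" "$etc/cron.allow" && { echo allow; return 0; }
        echo deny; return 1
    elif [ -f "$etc/cron.deny" ]; then
        grep -qxF "$user" "$etc/cron.deny" && { echo deny; return 1; }
        echo allow; return 0
    fi
    echo unconfigured; return 2
}

# cron_mode_tight FILE -> 0 when group/other have no permission bits (e.g. 600)
cron_mode_tight() {
    case "$(stat -c '%a' "$1")" in *00) return 0 ;; *) return 1 ;; esac
}

# cron_owner_root FILE -> 0 when owned by uid 0 and gid 0
cron_owner_root() {
    [ "$(stat -c '%u:%g' "$1")" = "0:0" ]
}

# audit_cron_access DIR -> prints a report; returns 1 when any check fails
audit_cron_access() {
    etc="${1:-/etc}" rc=0
    for f in "$etc/cron.allow" "$etc/cron.deny"; do
        if [ -e "$f" ]; then
            echo "$f: $(stat -c '%U:%G %a' "$f") users: $(tr '\n' ' ' < "$f")"
            cron_mode_tight "$f" || { echo "  FAIL: mode should be 600"; rc=1; }
            cron_owner_root "$f" || { echo "  FAIL: owner should be root:root"; rc=1; }
        else
            echo "$f: absent"
        fi
    done
    [ -f "$etc/cron.allow" ] || { echo "FAIL: $etc/cron.allow missing, access not restricted"; rc=1; }
    [ -f "$etc/cron.allow" ] && [ -f "$etc/cron.deny" ] &&
        echo "note: cron.deny is ignored while cron.allow exists"
    return $rc
}

audit_cron_access "${ETC_DIR:-/etc}" || echo "audit: findings present (see above)"
```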


Backout Plan:
 Using Linux command line:

  1. If needed, remove /etc/cron.allow to revert to default behavior.

  2. Restore previous content of /etc/cron.deny if applicable.

  3. Set previous ownership and permissions on these files.

References: