The cronie-anacron package, which provides anacron functionality, is installed by default.
The cronie-anacron package should not be present in the container or container image.
Remove the cronie-anacron package from Containerfile and rebuild the container image.
The anacron service provides cron functionality for systems such as laptops and workstations that may be shut down during the normal times that cron jobs are scheduled to run. On systems which do not require this additional functionality, anacron could needlessly increase the possible attack surface for an intruder.
The file /etc/at.allow should exist and should be used instead of /etc/at.deny.
Using the at.allow file to control who can run at jobs restricts job scheduling to the listed users. It is easier to manage an allow list than a deny list.
The file /etc/at.deny should not exist. Use /etc/at.allow instead.
Access to at should be restricted. It is easier to manage an allow list than a deny list.
The file /etc/cron.allow should exist and should be used instead of /etc/cron.deny.
Access to crontab should be restricted. It is easier to manage an allow list than a deny list. Therefore, /etc/cron.allow needs to be created and used instead of /etc/cron.deny. Regardless of the existence of any of these files, the root administrative user is always allowed to set up a crontab.
The file /etc/cron.deny should not exist. Use /etc/cron.allow instead.
Access to cron should be restricted. It is easier to manage an allow list than a deny list.
The /etc/cron.deny should be owned by the root user.
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.
The /etc/cron.deny should be group-owned by the root group.
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
If /etc/at.allow exists, it must be group-owned by root.
The /etc/at.allow should be group-owned by the root group.
If the owner of the at.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.
If /etc/at.deny exists, it must be group-owned by root.
The /etc/at.deny should be group-owned by the root group.
If the owner of the at.deny file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.
If /etc/cron.allow exists, it must be group-owned by root.
The /etc/cron.allow should be group-owned by the root group.
If the owner of the cron.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.
The /etc/cron.d should be group-owned by the root group.
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
The /etc/cron.daily should be group-owned by the root group.
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
The /etc/cron.hourly should be group-owned by the root group.
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
The /etc/cron.monthly should be group-owned by the root group.
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
The /etc/cron.weekly should be group-owned by the root group.
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
The /etc/cron.yearly should be group-owned by the root group.
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
The /etc/crontab should be group-owned by the root group.
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
If /etc/at.allow exists, it must be owned by root.
The /etc/at.allow should be owned by the root user.
If the owner of the at.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.
If /etc/at.deny exists, it must be owned by root.
The /etc/at.deny should be owned by the root user.
If the owner of the at.deny file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.
If /etc/cron.allow exists, it must be owned by root.
The /etc/cron.allow should be owned by the root user.
If the owner of the cron.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.
The /etc/cron.d should be owned by the root user.
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.
The /etc/cron.daily should be owned by the root user.
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.
The /etc/cron.hourly should be owned by the root user.
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.
The /etc/cron.monthly should be owned by the root user.
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.
The /etc/cron.weekly should be owned by the root user.
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.
The /etc/cron.yearly should be owned by the root user.
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.
The /etc/crontab should be owned by the root user.
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.
If /etc/at.allow exists, it must have permissions 0640 or more restrictive.
The /etc/at.allow shall have the 0640 permission mode.
If the permissions of the at.allow file are not set to 0640 or more restrictive, the possibility exists for an unauthorized user to view or edit sensitive information.
If /etc/at.deny exists, it must have permissions 0640 or more restrictive.
The /etc/at.deny shall have the 0640 permission mode.
If the permissions of the at.deny file are not set to 0640 or more restrictive, the possibility exists for an unauthorized user to view or edit sensitive information.
If /etc/cron.allow exists, it must have permissions 0640 or more restrictive.
The /etc/cron.allow shall have the 0640 permission mode.
If the permissions of the cron.allow file are not set to 0640 or more restrictive, the possibility exists for an unauthorized user to view or edit sensitive information.
The /etc/cron.d shall have the 0700 permission mode.
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.
The /etc/cron.daily shall have the 0700 permission mode.
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.
The /etc/cron.hourly shall have the 0700 permission mode.
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.
The /etc/cron.monthly shall have the 0700 permission mode.
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.
The /etc/cron.weekly shall have the 0700 permission mode.
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.
The /etc/cron.yearly shall have the 0700 permission mode.
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.
The /etc/crontab shall have the 0600 permission mode.
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.
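The existence, ownership and permission rules above can be checked in one pass. The script below is an added example, not part of the original guide; it assumes GNU stat, and the PREFIX argument and the WANT_UID/WANT_GID variables are hypothetical knobs introduced here so the audit can run against a test tree.

```shell
#!/bin/sh
# Added example: audits the cron/at paths and modes listed on this page.
# Assumes GNU stat. PREFIX, WANT_UID and WANT_GID are hypothetical knobs so
# the audit can also run against a constructed tree instead of the live /etc.
# Live system (as root): audit_cron_at

# check_path PATH MAXMODE -> 0 compliant, 1 finding, 2 path absent
check_path() {
    path=$1 max=$2 rc=0
    [ -e "$path" ] || return 2
    mode=$(stat -c '%a' "$path")
    uid=$(stat -c '%u' "$path")
    gid=$(stat -c '%g' "$path")
    # "or more restrictive": no permission bit may be set outside MAXMODE
    if [ $(( 0$mode & ~0$max & 07777 )) -ne 0 ]; then
        echo "FAIL $path: mode $mode is broader than $max"; rc=1
    fi
    [ "$uid" = "${WANT_UID:-0}" ] || { echo "FAIL $path: owner uid $uid"; rc=1; }
    [ "$gid" = "${WANT_GID:-0}" ] || { echo "FAIL $path: group gid $gid"; rc=1; }
    return "$rc"
}

# audit_cron_at [PREFIX] -> prints findings, returns how many there were
audit_cron_at() {
    prefix=${1:-} findings=0
    while read -r rel max; do
        st=0; check_path "$prefix$rel" "$max" || st=$?
        if [ "$st" -eq 1 ]; then findings=$((findings + 1)); fi
    done <<EOF
/etc/at.allow 640
/etc/at.deny 640
/etc/cron.allow 640
/etc/cron.d 700
/etc/cron.daily 700
/etc/cron.hourly 700
/etc/cron.monthly 700
/etc/cron.weekly 700
/etc/cron.yearly 700
/etc/crontab 600
EOF
    for f in at.allow cron.allow; do   # allow lists should exist
        [ -e "$prefix/etc/$f" ] || { echo "FAIL $prefix/etc/$f: missing"; findings=$((findings + 1)); }
    done
    for f in at.deny cron.deny; do     # deny lists should not exist
        [ ! -e "$prefix/etc/$f" ] || { echo "FAIL $prefix/etc/$f: present"; findings=$((findings + 1)); }
    done
    return "$findings"
}
```

A path that violates both ownership and mode counts as one finding; an existing at.deny with a broad mode counts twice, once for the mode and once for being present.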
The Cron service should be installed.
The cron service allows periodic job execution, needed for almost all administrative tasks and services (software update, log rotation, etc.). Access to the cron service should be restricted to administrative accounts only.
The at and batch commands can be used to
schedule tasks that are meant to be executed only once. This allows delayed
execution in a manner similar to cron, except that it is not
recurring. The daemon atd keeps track of tasks scheduled via
at and batch, and executes them at the specified time.
The atd service can be disabled with the following command:
$ sudo systemctl mask --now atd.service
The atd service could be used by an unsophisticated insider to carry out activities outside of a normal login session, which could complicate accountability. Furthermore, the need to schedule tasks with at or batch is not common.
The crond service is used to execute commands at
preconfigured times. It is required by almost all systems to perform necessary
maintenance tasks, such as notifying root of system activity.
The cron service can be enabled with the following command:
$ sudo systemctl enable cron.service
Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential.
The crond service is used to execute commands at
preconfigured times. It is required by almost all systems to perform necessary
maintenance tasks, such as notifying root of system activity.
The crond service can be enabled with the following command:
$ sudo systemctl enable crond.service
Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential.