Rules Related To 'cronie'

Component overview

Relevant packages:

Relevant groups:

Changelog:

No changes recorded.

Relevant rules:

Rule details

Disable anacron Service

disable_anacron

Description

The cronie-anacron package, which provides anacron functionality, is installed by default. The cronie-anacron package can be removed with the following command:

$ sudo dnf remove cronie-anacron

Rationale

The anacron service provides cron functionality for systems such as laptops and workstations that may be shut down during the normal times that cron jobs are scheduled to run. On systems which do not require this additional functionality, anacron could needlessly increase the possible attack surface for an intruder.

Ensure that /etc/at.deny does not exist

file_at_deny_not_exist

Description

The file /etc/at.deny should not exist. Use /etc/at.allow instead.

Rationale

Access to at should be restricted. It is easier to manage an allow list than a deny list.

Ensure that /etc/cron.allow exists

file_cron_allow_exists

Description

The file /etc/cron.allow should exist and should be used instead of /etc/cron.deny.

Rationale

Access to crontab should be restricted. It is easier to manage an allow list than a deny list. Therefore, /etc/cron.allow needs to be created and used instead of /etc/cron.deny. Regardless of the existence of any of these files, the root administrative user is always allowed to setup a crontab.

Ensure that /etc/cron.deny does not exist

file_cron_deny_not_exist

Description

The file /etc/cron.deny should not exist. Use /etc/cron.allow instead.

Rationale

Access to cron should be restricted. It is easier to manage an allow list than a deny list.

Verify Owner on cron.deny

file_owner_cron_deny

Description

To properly set the owner of /etc/cron.deny, run the command:

$ sudo chown root /etc/cron.deny 

Rationale

Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.

Verify Group Who Owns cron.deny

file_groupowner_cron_deny

Description

To properly set the group owner of /etc/cron.deny, run the command:

$ sudo chgrp root /etc/cron.deny

Rationale

Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.

Verify Group Who Owns /etc/at.allow file

file_groupowner_at_allow

Description

If /etc/at.allow exists, it must be group-owned by root. To properly set the group owner of /etc/at.allow, run the command:

$ sudo chgrp root /etc/at.allow

Rationale

If the owner of the at.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.

Verify Group Who Owns /etc/cron.allow file

file_groupowner_cron_allow

Description

If /etc/cron.allow exists, it must be group-owned by root. To properly set the group owner of /etc/cron.allow, run the command:

$ sudo chgrp root /etc/cron.allow

Rationale

If the owner of the cron.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.

Verify Group Who Owns cron.d

file_groupowner_cron_d

Description

To properly set the group owner of /etc/cron.d, run the command:

$ sudo chgrp root /etc/cron.d

Rationale

Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.

Verify Group Who Owns cron.daily

file_groupowner_cron_daily

Description

To properly set the group owner of /etc/cron.daily, run the command:

$ sudo chgrp root /etc/cron.daily

Rationale

Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.

Verify Group Who Owns cron.hourly

file_groupowner_cron_hourly

Description

To properly set the group owner of /etc/cron.hourly, run the command:

$ sudo chgrp root /etc/cron.hourly

Rationale

Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.

Verify Group Who Owns cron.monthly

file_groupowner_cron_monthly

Description

To properly set the group owner of /etc/cron.monthly, run the command:

$ sudo chgrp root /etc/cron.monthly

Rationale

Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.

Verify Group Who Owns cron.weekly

file_groupowner_cron_weekly

Description

To properly set the group owner of /etc/cron.weekly, run the command:

$ sudo chgrp root /etc/cron.weekly

Rationale

Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.

Verify Group Who Owns Crontab

file_groupowner_crontab

Description

To properly set the group owner of /etc/crontab, run the command:

$ sudo chgrp root /etc/crontab

Rationale

Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.

Verify User Who Owns /etc/at.allow file

file_owner_at_allow

Description

If /etc/at.allow exists, it must be owned by root. To properly set the owner of /etc/at.allow, run the command:

$ sudo chown root /etc/at.allow 

Rationale

If the owner of the at.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.

Verify User Who Owns /etc/cron.allow file

file_owner_cron_allow

Description

If /etc/cron.allow exists, it must be owned by root. To properly set the owner of /etc/cron.allow, run the command:

$ sudo chown root /etc/cron.allow 

Rationale

If the owner of the cron.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.

Verify Owner on cron.d

file_owner_cron_d

Description

To properly set the owner of /etc/cron.d, run the command:

$ sudo chown root /etc/cron.d 

Rationale

Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.

Verify Owner on cron.daily

file_owner_cron_daily

Description

To properly set the owner of /etc/cron.daily, run the command:

$ sudo chown root /etc/cron.daily 

Rationale

Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.

Verify Owner on cron.hourly

file_owner_cron_hourly

Description

To properly set the owner of /etc/cron.hourly, run the command:

$ sudo chown root /etc/cron.hourly 

Rationale

Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.

Verify Owner on cron.monthly

file_owner_cron_monthly

Description

To properly set the owner of /etc/cron.monthly, run the command:

$ sudo chown root /etc/cron.monthly 

Rationale

Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.

Verify Owner on cron.weekly

file_owner_cron_weekly

Description

To properly set the owner of /etc/cron.weekly, run the command:

$ sudo chown root /etc/cron.weekly 

Rationale

Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.

Verify Owner on crontab

file_owner_crontab

Description

To properly set the owner of /etc/crontab, run the command:

$ sudo chown root /etc/crontab 

Rationale

Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.

Verify Permissions on /etc/at.allow file

file_permissions_at_allow

Description

If /etc/at.allow exists, it must have permissions 0600 or more restrictive. To properly set the permissions of /etc/at.allow, run the command:

$ sudo chmod 0600 /etc/at.allow

Rationale

If the permissions of the at.allow file are not set to 0600 or more restrictive, the possibility exists for an unauthorized user to view or edit sensitive information.

Verify Permissions on /etc/cron.allow file

file_permissions_cron_allow

Description

If /etc/cron.allow exists, it must have permissions 0600 or more restrictive. To properly set the permissions of /etc/cron.allow, run the command:

$ sudo chmod 0600 /etc/cron.allow

Rationale

If the permissions of the cron.allow file are not set to 0600 or more restrictive, the possibility exists for an unauthorized user to view or edit sensitive information.

Verify Permissions on cron.d

file_permissions_cron_d

Description

To properly set the permissions of /etc/cron.d, run the command:

$ sudo chmod 0700 /etc/cron.d

Rationale

Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.

Verify Permissions on cron.daily

file_permissions_cron_daily

Description

To properly set the permissions of /etc/cron.daily, run the command:

$ sudo chmod 0700 /etc/cron.daily

Rationale

Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.

Verify Permissions on cron.hourly

file_permissions_cron_hourly

Description

To properly set the permissions of /etc/cron.hourly, run the command:

$ sudo chmod 0700 /etc/cron.hourly

Rationale

Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.

Verify Permissions on cron.monthly

file_permissions_cron_monthly

Description

To properly set the permissions of /etc/cron.monthly, run the command:

$ sudo chmod 0700 /etc/cron.monthly

Rationale

Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.

Verify Permissions on cron.weekly

file_permissions_cron_weekly

Description

To properly set the permissions of /etc/cron.weekly, run the command:

$ sudo chmod 0700 /etc/cron.weekly

Rationale

Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.

Verify Permissions on crontab

file_permissions_crontab

Description

To properly set the permissions of /etc/crontab, run the command:

$ sudo chmod 0600 /etc/crontab

Rationale

Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.

Install the cron service

package_cron_installed

Description

The Cron service should be installed.

Rationale

The cron service allow periodic job execution, needed for almost all administrative tasks and services (software update, log rotating, etc.). Access to cron service should be restricted to administrative accounts only.

Disable At Service (atd)

service_atd_disabled

Description

The at and batch commands can be used to schedule tasks that are meant to be executed only once. This allows delayed execution in a manner similar to cron, except that it is not recurring. The daemon atd keeps track of tasks scheduled via at and batch, and executes them at the specified time. The atd service can be disabled with the following command:

$ sudo systemctl mask --now atd.service

Rationale

The atd service could be used by an unsophisticated insider to carry out activities outside of a normal login session, which could complicate accountability. Furthermore, the need to schedule tasks with at or batch is not common.

Enable cron Service

service_cron_enabled

Description

The crond service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The crond service can be enabled with the following command:

$ sudo systemctl enable crond.service

Rationale

Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential.

Enable cron Service

service_crond_enabled

Description

The crond service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The crond service can be enabled with the following command:

$ sudo systemctl enable crond.service

Rationale

Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential.