The cronie-anacron package, which provides anacron
functionality, is installed by default.
The cronie-anacron
package can be removed with the following command:
$ sudo yum erase cronie-anacron
The anacron service provides cron functionality for systems such as laptops and workstations that may be shut down during the normal times that cron jobs are scheduled to run. On systems which do not require this additional functionality, anacron could needlessly increase the possible attack surface for an intruder.
The file /etc/at.deny should not exist. Use /etc/at.allow instead.
Access to at should be restricted. It is easier to manage an allow list than a deny list.
The file /etc/cron.allow should exist and should be used instead of /etc/cron.deny.
Access to crontab should be restricted. It is easier to manage an allow list than a deny list. Therefore, /etc/cron.allow needs to be created and used instead of /etc/cron.deny. Regardless of the existence of any of these files, the root administrative user is always allowed to setup a crontab.
The file /etc/cron.deny should not exist. Use /etc/cron.allow instead.
Access to cron should be restricted. It is easier to manage an allow list than a deny list.
To properly set the owner of /etc/cron.deny
, run the command:
$ sudo chown root /etc/cron.deny
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.
To properly set the group owner of /etc/cron.deny
, run the command:
$ sudo chgrp root /etc/cron.deny
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
If /etc/at.allow exists, it must be group-owned by root.
To properly set the group owner of /etc/at.allow
, run the command:
$ sudo chgrp root /etc/at.allow
If the owner of the at.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.
If /etc/cron.allow exists, it must be group-owned by root.
To properly set the group owner of /etc/cron.allow
, run the command:
$ sudo chgrp root /etc/cron.allow
If the owner of the cron.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.
To properly set the group owner of /etc/cron.d
, run the command:
$ sudo chgrp root /etc/cron.d
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
To properly set the group owner of /etc/cron.daily
, run the command:
$ sudo chgrp root /etc/cron.daily
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
To properly set the group owner of /etc/cron.hourly
, run the command:
$ sudo chgrp root /etc/cron.hourly
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
To properly set the group owner of /etc/cron.monthly
, run the command:
$ sudo chgrp root /etc/cron.monthly
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
To properly set the group owner of /etc/cron.weekly
, run the command:
$ sudo chgrp root /etc/cron.weekly
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
To properly set the group owner of /etc/crontab
, run the command:
$ sudo chgrp root /etc/crontab
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.
If /etc/at.allow exists, it must be owned by root.
To properly set the owner of /etc/at.allow
, run the command:
$ sudo chown root /etc/at.allow
If the owner of the at.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.
If /etc/cron.allow exists, it must be owned by root.
To properly set the owner of /etc/cron.allow
, run the command:
$ sudo chown root /etc/cron.allow
If the owner of the cron.allow file is not set to root, the possibility exists for an unauthorized user to view or edit sensitive information.
To properly set the owner of /etc/cron.d
, run the command:
$ sudo chown root /etc/cron.d
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.
To properly set the owner of /etc/cron.daily
, run the command:
$ sudo chown root /etc/cron.daily
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.
To properly set the owner of /etc/cron.hourly
, run the command:
$ sudo chown root /etc/cron.hourly
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.
To properly set the owner of /etc/cron.monthly
, run the command:
$ sudo chown root /etc/cron.monthly
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.
To properly set the owner of /etc/cron.weekly
, run the command:
$ sudo chown root /etc/cron.weekly
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.
To properly set the owner of /etc/crontab
, run the command:
$ sudo chown root /etc/crontab
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct user to prevent unauthorized changes.
If /etc/at.allow exists, it must have permissions 0600
or more restrictive.
To properly set the permissions of /etc/at.allow
, run the command:
$ sudo chmod 0600 /etc/at.allow
If the permissions of the at.allow file are not set to 0600 or more restrictive, the possibility exists for an unauthorized user to view or edit sensitive information.
If /etc/cron.allow exists, it must have permissions 0600
or more restrictive.
To properly set the permissions of /etc/cron.allow
, run the command:
$ sudo chmod 0600 /etc/cron.allow
If the permissions of the cron.allow file are not set to 0600 or more restrictive, the possibility exists for an unauthorized user to view or edit sensitive information.
To properly set the permissions of /etc/cron.d
, run the command:
$ sudo chmod 0700 /etc/cron.d
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.
To properly set the permissions of /etc/cron.daily
, run the command:
$ sudo chmod 0700 /etc/cron.daily
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.
To properly set the permissions of /etc/cron.hourly
, run the command:
$ sudo chmod 0700 /etc/cron.hourly
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.
To properly set the permissions of /etc/cron.monthly
, run the command:
$ sudo chmod 0700 /etc/cron.monthly
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.
To properly set the permissions of /etc/cron.weekly
, run the command:
$ sudo chmod 0700 /etc/cron.weekly
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.
To properly set the permissions of /etc/crontab
, run the command:
$ sudo chmod 0600 /etc/crontab
Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should have the correct access rights to prevent unauthorized changes.
The Cron service should be installed.
The cron service allow periodic job execution, needed for almost all administrative tasks and services (software update, log rotating, etc.). Access to cron service should be restricted to administrative accounts only.
The at and batch commands can be used to
schedule tasks that are meant to be executed only once. This allows delayed
execution in a manner similar to cron, except that it is not
recurring. The daemon atd keeps track of tasks scheduled via
at and batch, and executes them at the specified time.
The atd
service can be disabled with the following command:
$ sudo systemctl mask --now atd.service
The atd service could be used by an unsophisticated insider to carry out activities outside of a normal login session, which could complicate accountability. Furthermore, the need to schedule tasks with at or batch is not common.
The crond service is used to execute commands at
preconfigured times. It is required by almost all systems to perform necessary
maintenance tasks, such as notifying root of system activity.
The crond
service can be enabled with the following command:
$ sudo systemctl enable crond.service
Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential.
The crond service is used to execute commands at
preconfigured times. It is required by almost all systems to perform necessary
maintenance tasks, such as notifying root of system activity.
The crond
service can be enabled with the following command:
$ sudo systemctl enable crond.service
Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential.