← Rules Catalog
mediumauditverified rollback-safe

Audit uses of the crontab command

audit-cmd-crontab · RHEL ≥ 8 · 1 impl

Description

All uses of the crontab command must be audited. The crontab command manages scheduled tasks which can be abused for persistence.

Rationale

Auditing crontab command usage allows detection of unauthorized scheduled task creation that could be used for malicious persistence.

Check → Remediate

Checkaudit_rule_exists
rule:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged
Remediateaudit_rule_set
rule:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged
persist_file:
/etc/audit/rules.d/50-privileged.rules

Framework references

STIG

V-281130 / RHEL-10-500440V-258193 / RHEL-09-654095V-230447

NIST 800-53

AU-2AU-12

Live verification

rhel8:checkrhel9:check
#audit#auditd#privileged#crontab