mediumauditverified ✓rollback-safe
Audit uses of the crontab command
audit-cmd-crontab · RHEL ≥ 8 · 1 impl
Description
All uses of the crontab command must be audited. The crontab command manages scheduled tasks which can be abused for persistence.
Rationale
Auditing crontab command usage allows detection of unauthorized scheduled task creation that could be used for malicious persistence.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged
Remediateaudit_rule_set
- rule:
- -a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged
- persist_file:
- /etc/audit/rules.d/50-privileged.rules
Framework references
STIG
V-281130 / RHEL-10-500440V-258193 / RHEL-09-654095V-230447
NIST 800-53
AU-2AU-12
Live verification
rhel8:checkrhel9:check
#audit#auditd#privileged#crontab