mediumauditverified ✓rollback-safe
Audit scripts and executables called by cron as root or privileged users
audit-cron-scripts · RHEL ≥ 8 · 1 impl
Description
The audit system must be configured to audit any script or executable called by cron when run as root or by any privileged user. This is achieved by auditing executions from cron directories.
Rationale
Cron is commonly used by attackers to maintain persistence. Auditing all executions from cron directories ensures that any malicious scripts scheduled to run as root are detected in the audit log.
Check → Remediate
Checkcommand
auditctl -l 2>/dev/null | grep -q '^-w /etc/cron\.d .*-p' && \ auditctl -l 2>/dev/null | grep -q '^-w /etc/cron\.daily .*-p' && \ auditctl -l 2>/dev/null | grep -q '^-w /etc/cron\.hourly .*-p' && \ auditctl -l 2>/dev/null | grep -q '^-w /etc/cron\.monthly .*-p' && \ auditctl -l 2>/dev/null | grep -q '^-w /etc/cron\.weekly .*-p' && \ auditctl -l 2>/dev/null | grep -q '^-w /var/spool/cron .*-p'
- expected_exit:
- 0
Remediateaudit_rule_set
- rule:
- -w /etc/cron.d -p wa -k cron
- persist_file:
- /etc/audit/rules.d/50-cron.rules
Framework references
STIG
V-279936 / RHEL-09-654097V-274877
NIST 800-53
AU-2AU-12
Live verification
rhel8:checkrhel9:check
#audit#auditd#cron#privileged