← Rules Catalog
mediumauditverified rollback-safe

Audit scripts and executables called by cron as root or privileged users

audit-cron-scripts · RHEL ≥ 8 · 1 impl

Description

The audit system must be configured to audit any script or executable called by cron when run as root or by any privileged user. This is achieved by auditing executions from cron directories.

Rationale

Cron is commonly used by attackers to maintain persistence. Auditing all executions from cron directories ensures that any malicious scripts scheduled to run as root are detected in the audit log.

Check → Remediate

Checkcommand
auditctl -l 2>/dev/null | grep -q '^-w /etc/cron\.d .*-p' && \
auditctl -l 2>/dev/null | grep -q '^-w /etc/cron\.daily .*-p' && \
auditctl -l 2>/dev/null | grep -q '^-w /etc/cron\.hourly .*-p' && \
auditctl -l 2>/dev/null | grep -q '^-w /etc/cron\.monthly .*-p' && \
auditctl -l 2>/dev/null | grep -q '^-w /etc/cron\.weekly .*-p' && \
auditctl -l 2>/dev/null | grep -q '^-w /var/spool/cron .*-p'
expected_exit:
0
Remediateaudit_rule_set
rule:
-w /etc/cron.d -p wa -k cron
persist_file:
/etc/audit/rules.d/50-cron.rules

Framework references

STIG

V-279936 / RHEL-09-654097V-274877

NIST 800-53

AU-2AU-12

Live verification

rhel8:checkrhel9:check
#audit#auditd#cron#privileged