mediumaccess-controlverified ✓rollback-safe
Configure cron access control
cron-access-control · RHEL ≥ 8 · 1 impl
Description
Cron access should be restricted using /etc/cron.allow. When cron.allow exists, only users listed can use cron. The cron.deny file should not exist or be empty.
Rationale
Unrestricted cron access allows any user to schedule tasks. Limiting access to specific users reduces the attack surface and prevents unauthorized users from scheduling potentially malicious jobs.
Check → Remediate
Checkcommand
# CIS: /etc/cron.allow must exist and be mode 0640 or MORE restrictive,
# owner root, group root or crontab; /etc/cron.deny (if present) likewise.
[ -e /etc/cron.allow ] || { echo "FAIL: /etc/cron.allow does not exist"; exit 1; }
fail=0
for f in /etc/cron.allow /etc/cron.deny; do
[ -e "$f" ] || continue
mode=$(stat -c '%a' "$f" 2>/dev/null); own=$(stat -c '%U' "$f" 2>/dev/null); grp=$(stat -c '%G' "$f" 2>/dev/null)
[ "$(( 0$mode & 037 ))" -eq 0 ] || { echo "FAIL: $f mode $mode (want 0640 or more restrictive)"; fail=1; }
[ "$own" = "root" ] || { echo "FAIL: $f owner $own (want root)"; fail=1; }
case "$grp" in root|crontab) : ;; *) echo "FAIL: $f group $grp (want root or crontab)"; fail=1 ;; esac
done
[ "$fail" -eq 0 ] && { echo "OK: crontab access is configured"; exit 0; }
exit 1
- expected_exit:
- 0
Remediatefile_content
- path:
- /etc/cron.allow
- content:
- root
- owner:
- root
- group:
- root
- mode:
- 0600
Framework references
CIS
rhel9 2.4.1.8rhel8 2.4.1.9rhel10 2.4.1.9
NIST 800-53
AC-3AC-6CM-6
Live verification
rhel10:checkrhel8:checkrhel9:check
#cron#access-control#security