← Rules Catalog
mediumaccess-controlverified rollback-safe

Configure cron access control

cron-access-control · RHEL ≥ 8 · 1 impl

Description

Cron access should be restricted using /etc/cron.allow. When cron.allow exists, only users listed can use cron. The cron.deny file should not exist or be empty.

Rationale

Unrestricted cron access allows any user to schedule tasks. Limiting access to specific users reduces the attack surface and prevents unauthorized users from scheduling potentially malicious jobs.

Check → Remediate

Checkcommand
# CIS: /etc/cron.allow must exist and be mode 0640 or MORE restrictive,
# owner root, group root or crontab; /etc/cron.deny (if present) likewise.
[ -e /etc/cron.allow ] || { echo "FAIL: /etc/cron.allow does not exist"; exit 1; }
fail=0
for f in /etc/cron.allow /etc/cron.deny; do
  [ -e "$f" ] || continue
  mode=$(stat -c '%a' "$f" 2>/dev/null); own=$(stat -c '%U' "$f" 2>/dev/null); grp=$(stat -c '%G' "$f" 2>/dev/null)
  [ "$(( 0$mode & 037 ))" -eq 0 ] || { echo "FAIL: $f mode $mode (want 0640 or more restrictive)"; fail=1; }
  [ "$own" = "root" ] || { echo "FAIL: $f owner $own (want root)"; fail=1; }
  case "$grp" in root|crontab) : ;; *) echo "FAIL: $f group $grp (want root or crontab)"; fail=1 ;; esac
done
[ "$fail" -eq 0 ] && { echo "OK: crontab access is configured"; exit 0; }
exit 1
expected_exit:
0
Remediatefile_content
path:
/etc/cron.allow
content:
root
owner:
root
group:
root
mode:
0600

Framework references

CIS

rhel9 2.4.1.8rhel8 2.4.1.9rhel10 2.4.1.9

NIST 800-53

AC-3AC-6CM-6

Live verification

rhel10:checkrhel8:checkrhel9:check
#cron#access-control#security