mediumfilesystemunverified
Ensure cron configuration files are owned and group-owned by root
cron-config-ownership · RHEL ≥ 10 · 1 impl
Description
All cron configuration files and directories under /etc (crontab and the cron.d, cron.daily, cron.hourly, cron.weekly, cron.monthly, cron.deny, and cron.allow entries) must be owned by root and group-owned by root.
Rationale
Cron runs its jobs as root. If a cron configuration file or directory is owned or group-owned by a non-root account, that account could modify scheduled jobs to execute arbitrary commands with root privileges.
Check → Remediate
Checkcommand
fail=0
for f in /etc/cron*; do
[ -e "$f" ] || continue
owner=$(stat -c '%U' "$f" 2>/dev/null)
group=$(stat -c '%G' "$f" 2>/dev/null)
if [ "$owner" != "root" ] || [ "$group" != "root" ]; then
echo "FAIL: $f is owned $owner:$group (must be root:root)"
fail=1
fi
done
if [ "$fail" -eq 0 ]; then
echo "OK: all /etc/cron* files are owned and group-owned by root"
exit 0
fi
exit 1
- expected_exit:
- 0
Remediatecommand_exec
chown root:root /etc/cron* 2>/dev/null || true
Framework references
STIG
V-281043 / RHEL-10-400130V-281044 / RHEL-10-400135
NIST 800-53
CM-6
#cron#permissions#ownership#stig