← Rules Catalog
mediumfilesystemunverified

Ensure cron configuration files are owned and group-owned by root

cron-config-ownership · RHEL ≥ 10 · 1 impl

Description

All cron configuration files and directories under /etc (crontab and the cron.d, cron.daily, cron.hourly, cron.weekly, cron.monthly, cron.deny, and cron.allow entries) must be owned by root and group-owned by root.

Rationale

Cron runs its jobs as root. If a cron configuration file or directory is owned or group-owned by a non-root account, that account could modify scheduled jobs to execute arbitrary commands with root privileges.

Check → Remediate

Checkcommand
fail=0
for f in /etc/cron*; do
  [ -e "$f" ] || continue
  owner=$(stat -c '%U' "$f" 2>/dev/null)
  group=$(stat -c '%G' "$f" 2>/dev/null)
  if [ "$owner" != "root" ] || [ "$group" != "root" ]; then
    echo "FAIL: $f is owned $owner:$group (must be root:root)"
    fail=1
  fi
done
if [ "$fail" -eq 0 ]; then
  echo "OK: all /etc/cron* files are owned and group-owned by root"
  exit 0
fi
exit 1
expected_exit:
0
Remediatecommand_exec
chown root:root /etc/cron* 2>/dev/null || true

Framework references

STIG

V-281043 / RHEL-10-400130V-281044 / RHEL-10-400135

NIST 800-53

CM-6
#cron#permissions#ownership#stig