← Rules Catalog
mediumfilesystemverified rollback-safe

Ensure cron configuration files and directories have OS default permissions

cron-config-permissions · RHEL ≥ 8 · 1 impl

Description

The permissions on cron configuration files and directories must not be more permissive than the operating system defaults.

Rationale

Cron jobs run with elevated privileges. If cron configuration files or directories have permissions more permissive than the OS defaults, unauthorized users may be able to modify scheduled tasks to execute malicious code with elevated privileges.

Check → Remediate

Checkcommand
fail=0
# Check crontab file: must be 0600 or more restrictive
mode=$(stat -c '%a' /etc/crontab 2>/dev/null)
if [ -n "$mode" ] && [ "$((8#$mode & ~8#600))" -ne 0 ]; then
  echo "FAIL: /etc/crontab has mode $mode (expected 0600 or more restrictive)"
  fail=1
fi
# Check cron directories: must be 0700 or more restrictive
for dir in /etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly; do
  if [ -d "$dir" ]; then
    mode=$(stat -c '%a' "$dir" 2>/dev/null)
    if [ -n "$mode" ] && [ "$((8#$mode & ~8#700))" -ne 0 ]; then
      echo "FAIL: $dir has mode $mode (expected 0700 or more restrictive)"
      fail=1
    fi
  fi
done
if [ "$fail" -eq 0 ]; then
  echo "OK: Cron configuration files and directories have correct permissions"
  exit 0
fi
exit 1
expected_exit:
0
Remediatefile_permissions
path:
/etc/crontab
mode:
0600
owner:
root
group:
root

Framework references

STIG

V-257888 / RHEL-09-232040

NIST 800-53

AC-6CM-6

Live verification

rhel9:check
#cron#permissions#security#hardening