mediumfilesystemverified ✓rollback-safe
Ensure cron configuration files and directories have OS default permissions
cron-config-permissions · RHEL ≥ 8 · 1 impl
Description
The permissions on cron configuration files and directories must not be more permissive than the operating system defaults.
Rationale
Cron jobs run with elevated privileges. If cron configuration files or directories have permissions more permissive than the OS defaults, unauthorized users may be able to modify scheduled tasks to execute malicious code with elevated privileges.
Check → Remediate
Checkcommand
fail=0
# Check crontab file: must be 0600 or more restrictive
mode=$(stat -c '%a' /etc/crontab 2>/dev/null)
if [ -n "$mode" ] && [ "$((8#$mode & ~8#600))" -ne 0 ]; then
echo "FAIL: /etc/crontab has mode $mode (expected 0600 or more restrictive)"
fail=1
fi
# Check cron directories: must be 0700 or more restrictive
for dir in /etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly; do
if [ -d "$dir" ]; then
mode=$(stat -c '%a' "$dir" 2>/dev/null)
if [ -n "$mode" ] && [ "$((8#$mode & ~8#700))" -ne 0 ]; then
echo "FAIL: $dir has mode $mode (expected 0700 or more restrictive)"
fail=1
fi
fi
done
if [ "$fail" -eq 0 ]; then
echo "OK: Cron configuration files and directories have correct permissions"
exit 0
fi
exit 1
- expected_exit:
- 0
Remediatefile_permissions
- path:
- /etc/crontab
- mode:
- 0600
- owner:
- root
- group:
- root
Framework references
STIG
V-257888 / RHEL-09-232040
NIST 800-53
AC-6CM-6
Live verification
rhel9:check
#cron#permissions#security#hardening