← Rules Catalog
mediumsystemunverified

Ensure permissions on /etc/cron.yearly are configured

cron-yearly-permissions · RHEL ≥ 8 · 1 impl

Description

If the /etc/cron.yearly directory exists, it must be owned by root:root and mode 0700 so only root can add or alter yearly cron jobs.

Rationale

Incorrect permissions on /etc/cron.yearly could allow an unauthorized user to schedule or modify privileged jobs.

Check → Remediate

Checkcommand
d=/etc/cron.yearly
[ -e "$d" ] || { echo "NOT APPLICABLE: $d does not exist"; exit 0; }
mode=$(stat -c '%a' "$d" 2>/dev/null); own=$(stat -c '%U:%G' "$d" 2>/dev/null)
if [ "$own" = "root:root" ] && [ "$(( 0$mode & 077 ))" -eq 0 ]; then
  echo "OK: $d is $own mode $mode"
  exit 0
fi
echo "FAIL: $d is $own mode $mode (want root:root, 0700)"
exit 1
expected_exit:
0
Remediatefile_permissions
path:
/etc/cron.yearly
owner:
root
group:
root
mode:
0700

Framework references

CIS

rhel8 2.4.1.7rhel10 2.4.1.7

NIST 800-53

CM-6
#file-permissions#cron#cis