Skip to content

Unauthorized use of the at or cron capabilities must not be permitted.

An XCCDF Rule

Description

<VulnDiscussion>On many systems, only the system administrator needs the ability to schedule jobs. Even though a given user is not listed in the "cron.allow" file, cron jobs can still be run as that user. The "cron.allow" file only controls administrative access to the "crontab" command for scheduling and modifying cron jobs. Much more effective access controls for the cron system can be obtained by using Role-Based Access Controls (RBAC).</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID
SV-216123r603268_rule
Severity
Medium
References
Updated



Remediation - Manual Procedure

The root role is required.

Modify the cron configuration files.

# mv /etc/cron.d/cron.deny /etc/cron.d/cron.deny.temp
# mv /etc/cron.d/at.deny /etc/cron.d/at.deny.temp