Enable cron Service

An XCCDF Rule

Description

The crond service is used to execute commands at preconfigured times. It is required by almost all systems to perform necessary maintenance tasks, such as notifying root of system activity. The crond service can be enabled with the following command:

$ sudo systemctl enable crond.service

Rationale

Due to its usage for maintenance and security-supporting tasks, enabling the cron daemon is essential.

ID: xccdf_org.ssgproject.content_rule_service_crond_enabled
Severity: Medium
References: 11 14 3 9

BAI10.01 BAI10.02 BAI10.03 BAI10.05 DSS05.02 DSS05.05 DSS06.06

164.308(a)(4)(i) 164.308(b)(1) 164.308(b)(3) 164.310(b) 164.312(e)(1) 164.312(e)(2)(ii)

4.3.3.5.1 4.3.3.5.2 4.3.3.5.3 4.3.3.5.4 4.3.3.5.5 4.3.3.5.6 4.3.3.5.7 4.3.3.5.8 4.3.3.6.1 4.3.3.6.2 4.3.3.6.3 4.3.3.6.4 4.3.3.6.5 4.3.3.6.6 4.3.3.6.7 4.3.3.6.8 4.3.3.6.9 4.3.3.7.1 4.3.3.7.2 4.3.3.7.3 4.3.3.7.4 4.3.4.3.2 4.3.4.3.3

SR 1.1 SR 1.10 SR 1.11 SR 1.12 SR 1.13 SR 1.2 SR 1.3 SR 1.4 SR 1.5 SR 1.6 SR 1.7 SR 1.8 SR 1.9 SR 2.1 SR 2.2 SR 2.3 SR 2.4 SR 2.5 SR 2.6 SR 2.7 SR 7.6

A.12.1.2 A.12.5.1 A.12.6.2 A.14.2.2 A.14.2.3 A.14.2.4 A.9.1.2

CM-6(a)

PR.IP-1 PR.PT-3

4.1.1.1
Updated: about 1 month ago

Remediation Templates

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-CM-6(a)
  - enable_strategy  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_crond_enabled
- name: Enable cron Service - Enable service crond
  block:

  - name: Gather the package facts
    package_facts:
      manager: auto

  - name: Enable cron Service - Enable Service crond
    ansible.builtin.systemd:
      name: crond
      enabled: true
      state: started
      masked: false
    when:
    - '"cronie" in ansible_facts.packages'
  when: '"kernel" in ansible_facts.packages'
  tags:
  - NIST-800-53-CM-6(a)
  - enable_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - service_crond_enabled

[customizations.services]
enabled = ["crond"]

include enable_crond
class enable_crond {
  service {'crond':
    enable => true,
    ensure => 'running',
  }
}

service enable crond

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then
SYSTEMCTL_EXEC='/usr/bin/systemctl'
"$SYSTEMCTL_EXEC" unmask 'crond.service'
"$SYSTEMCTL_EXEC" start 'crond.service'
"$SYSTEMCTL_EXEC" enable 'crond.service'
else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Enable cron Service

Description

Rationale

Remediation Templates

An Ansible Snippet

OS Build Blueprint

A Puppet Snippet

script:kickstart

A Shell Script