Skip to content

Verify Group Who Owns cron.daily

An XCCDF Rule

Description

To properly set the group owner of /etc/cron.daily, run the command:

$ sudo chgrp root /etc/cron.daily

Rationale

Service configuration files enable or disable features of their respective services that if configured incorrectly can lead to insecure and vulnerable configurations. Therefore, service configuration files should be owned by the correct group to prevent unauthorized changes.

ID
xccdf_org.ssgproject.content_rule_file_groupowner_cron_daily
Severity
Medium
References
Updated



Remediation - Shell Script

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

find -H /etc/cron.daily/ -maxdepth 1 -type d -exec chgrp 0 {} \;

else

Remediation - Ansible

- name: Ensure group owner on /etc/cron.daily/
  file:
    path: /etc/cron.daily/
    state: directory
    group: '0'
  when: ansible_virtualization_type not in ["docker", "lxc", "openvz", "podman", "container"]