To edit or create your own crontab file, type the following command at the UNIX / Linux shell prompt:
crontab -e
No. Cron will examine the modification time on all crontabs and reload those which have changed. Thus cron need not be restarted whenever a crontab file is modified.
* * * * * command to be executed
- - - - -
| | | | |
| | | | ----- Day of week (0 - 7) (Sunday=0 or 7)
| | | ------- Month (1 - 12)
| | --------- Day of month (1 - 31)
| ----------- Hour (0 - 23)
------------- Minute (0 - 59)
Description:
The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file.
Audit:
Run the following command and verify that Uid and Gid are both 0/root and that Access does not grant permissions to group or other:
stat /etc/crontab
Remediation:
Run the following commands to set ownership and permissions on /etc/crontab:
chown root:root /etc/crontab
chmod og-rwx /etc/crontab
You can also set minimal permissions on cron.hourly, cron.daily, cron.weekly and cron.monthly.
First check if /etc/cron.deny and /etc/cron.allow exist on your system.
stat /etc/cron.deny
stat /etc/cron.allow
If /etc/cron.deny exists, you can delete it and run the following commands:
rm /etc/cron.deny
touch /etc/cron.allow
chown root:root /etc/cron.allow
chmod g-wx,o-rwx /etc/cron.allow
We prefer to go with whitelisting, so in the cron.allow file you can specify who is authorized to run cron jobs. If a user is not whitelisted, they will be warned by the system:
/etc/cron.allow: Permission denied
You (alvosec) are not allowed to use this program (crontab)
See crontab(1) for more information
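The ownership and permission checks above can be scripted so they are repeatable. The following is an added example, not part of the original page: the function names check_perms and audit_cron are hypothetical, GNU stat (the -c option) is assumed, and applying og-rwx to the cron.* directories is an assumption, since the page only says "minimal permissions" for them.

```shell
#!/bin/sh
# Added example: audit the cron files discussed above. Assumes GNU stat (-c).

# check_perms PATH MASK [UID] [GID]
# Returns 0 when PATH is owned by UID:GID (default 0:0) and none of the
# octal MASK permission bits are set, 1 when it is not, 2 when PATH is missing.
check_perms() {
    path=$1; mask=$2; want_uid=${3:-0}; want_gid=${4:-0}
    [ -e "$path" ] || { echo "MISSING $path"; return 2; }
    uid=$(stat -c %u "$path")
    gid=$(stat -c %g "$path")
    mode=$(stat -c %a "$path")
    if [ "$uid" != "$want_uid" ] || [ "$gid" != "$want_gid" ]; then
        echo "FAIL    $path owner $uid:$gid, expected $want_uid:$want_gid"
        return 1
    fi
    # The leading 0 makes the shell read both values as octal.
    if [ $(( 0$mode & 0$mask )) -ne 0 ]; then
        echo "FAIL    $path mode $mode has bits from mask $mask set"
        return 1
    fi
    echo "OK      $path $uid:$gid $mode"
}

# audit_cron [ROOT]: check every path named on this page under ROOT
# (default /). Returns the number of findings.
audit_cron() {
    root=${1:-}; findings=0
    # 077 = og-rwx. Reusing it for the cron.* directories is an assumption.
    for p in crontab cron.hourly cron.daily cron.weekly cron.monthly; do
        check_perms "$root/etc/$p" 077 || findings=$((findings + 1))
    done
    # 037 = g-wx,o-rwx, the mode the page sets on cron.allow.
    check_perms "$root/etc/cron.allow" 037 || findings=$((findings + 1))
    # With cron.allow in place, cron.deny should be gone.
    if [ -e "$root/etc/cron.deny" ]; then
        echo "FAIL    $root/etc/cron.deny exists"
        findings=$((findings + 1))
    fi
    return "$findings"
}
```

Source the file and call audit_cron as root; a return status of 0 means every path passed.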
Besides setting the right permissions, never put sensitive information in the cron job line itself, because of local attacks. Always run the job as a script, for example cron.sh.