How to set up a secure cron job

2022-05-19
Mirsad

How do I install or create or edit my own cron jobs?

To edit or create your own crontab file, type the following command at the UNIX / Linux shell prompt:

crontab -e

Do I have to restart cron after changing the crontab file?

No. Cron will examine the modification time on all crontabs and reload those which have changed. Thus cron need not be restarted whenever a crontab file is modified.

Syntax of crontab

* * * * * command to be executed
- - - - -
| | | | |
| | | | ----- Day of week (0 - 7) (Sunday=0 or 7)
| | | ------- Month (1 - 12)
| | --------- Day of month (1 - 31)
| ----------- Hour (0 - 23)
------------- Minute (0 - 59)

How to secure it?

Description:

The /etc/crontab file is used by cron to control its own jobs. The commands in this item make sure that root is the user and group owner of the file and that only the owner can access the file.

Audit:

Run the following command and verify that Uid and Gid are both 0/root and that Access does not grant permissions to group or other:

stat /etc/crontab

Remediation:

Run the following commands to set ownership and permissions on /etc/crontab:

chown root:root /etc/crontab
chmod og-rwx /etc/crontab

You can also set minimal permissions on cron.hourly, cron.daily, cron.weekly and cron.monthly.

Ensure cron is restricted to authorized users

First check if /etc/cron.deny and /etc/cron.allow exist on your system.

stat /etc/cron.deny
stat /etc/cron.allow

If /etc/cron.deny exists, you can delete it and run the following commands:

rm /etc/cron.deny
touch /etc/cron.allow
chown root:root /etc/cron.allow
chmod g-wx,o-rwx /etc/cron.allow

We prefer whitelisting, so in cron.allow you can specify who is authorized to run cron jobs. If a user is not whitelisted, the system will warn them:

/etc/cron.allow: Permission denied
You (alvosec) are not allowed to use this program (crontab)
See crontab(1) for more information

Besides setting the right permissions, never put sensitive information directly in the cron job line, because of local attacks. Always run it as a script, for example cron.sh.
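
The ownership and permission checks described above, collected into one audit script. This is an added example, not part of the original post: the function names check_path and audit_cron, their optional directory and owner arguments, and applying the /etc/crontab rule to the cron.* directories are assumptions, and it relies on GNU stat.

```shell
#!/bin/sh
# Added example (not from the original article). Assumes GNU stat (Linux).

# check_path PATH FORBIDDEN_BITS [UID:GID]   (hypothetical helper)
# Succeeds when PATH is owned by UID:GID (default 0:0, root:root) and none of
# the octal FORBIDDEN_BITS are set in its mode; otherwise prints a finding.
check_path() {
    path=$1 mask=$2 want=${3:-0:0} rc=0
    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 1
    fi
    owner=$(stat -c '%u:%g' "$path")
    mode=$(stat -c '%a' "$path")
    if [ "$owner" != "$want" ]; then
        echo "OWNER   $path is $owner, expected $want"
        rc=1
    fi
    # A leading 0 makes the shell read both values as octal.
    if [ $(( 0$mode & 0$mask )) -ne 0 ]; then
        echo "MODE    $path is $mode, bits in $mask must be clear"
        rc=1
    fi
    return $rc
}

# audit_cron [ETC_DIR] [UID:GID]   (hypothetical helper)
# Returns 0 only when every check passes.
audit_cron() {
    etc=${1:-/etc} own=${2:-0:0} fail=0
    # 077 = no access for group or other (chmod og-rwx).
    check_path "$etc/crontab" 077 "$own" || fail=1
    # Assumption: the cron.* directories get the same rule as /etc/crontab.
    for d in cron.hourly cron.daily cron.weekly cron.monthly; do
        check_path "$etc/$d" 077 "$own" || fail=1
    done
    # 037 = group write/execute and all of other (chmod g-wx,o-rwx).
    check_path "$etc/cron.allow" 037 "$own" || fail=1
    if [ -e "$etc/cron.deny" ]; then
        echo "PRESENT $etc/cron.deny (remove it and use cron.allow)"
        fail=1
    fi
    return $fail
}

# Usage: audit_cron            # audits /etc and expects root:root
```

Call audit_cron with no arguments as root; a non-zero exit status means at least one finding was printed.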
