UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

Unauthorized use of the at or cron capabilities must not be permitted.


Overview

Finding ID Version Rule ID IA Controls Severity
V-48125 SOL-11.1-040420 SV-60997r1_rule Medium
Description
On many systems, only the system administrator needs the ability to schedule jobs. Even though a given user is not listed in the "cron.allow" file, cron jobs can still be run as that user. The "cron.allow" file only controls administrative access to the "crontab" command for scheduling and modifying cron jobs. Much more effective access controls for the cron system can be obtained by using Role-Based Access Controls (RBAC).
STIG Date
Solaris 11 SPARC Security Technical Implementation Guide 2015-06-26

Details

Check Text ( C-50557r1_chk )
Check that "at" and "cron" users are configured correctly.

# ls /etc/cron.d/cron.deny
If cron.deny exists, this is a finding.

# ls /etc/cron.d/at.deny
If at.deny exists, this is a finding.

# cat /etc/cron.d/cron.allow
cron.allow should have a single entry for "root'

# wc -l /etc/cron.d/at.allow | awk '{ print $1 }'

If the output is non-zero, this is a finding.
Fix Text (F-51733r2_fix)
The root role is required.

Modify the cron configuration files.

# mv /etc/cron.d/cron.deny /etc/cron.d/cron.deny.temp
# mv /etc/cron.d/at.deny /etc/cron.d/at.deny.temp
# echo root > /etc/cron.d/cron.allow
# cp /dev/null /etc/cron.d/at.allow
# chown root:root /etc/cron.d/cron.allow /etc/cron.d/at.allow
# chmod 400 /etc/cron.d/cron.allow /etc/cron.d/at.allow