cfbs add cron-access
The cron utility enables running commands or programs periodically.
System-wide cron-related configuration files exist in the /etc directory.
For these files, enforcing strict access is essential, as editing them allows you to run commands as any user, including root.
Recommendation: Limit access to the various cron-related files and directories in /etc.
All of them should be owned by root and have group set to root as well.
For the directories, permissions should be 0700.
The /etc/crontab file should have permissions 0600, and /etc/cron.allow can have slightly less restrictive permissions, 0640.
This module continuosly enforces owners, groups and permission bits on all of these files and directories.
On a single machine, you can also set this from the command line:
$ sudo chown root /etc/cron.allow
$ sudo chgrp root /etc/cron.allow
$ sudo chmod 0640 /etc/cron.allow
$ sudo chown root /etc/crontab
$ sudo chgrp root /etc/crontab
$ sudo chmod 0600 /etc/crontab
$ sudo chown root /etc/cron.d
$ sudo chgrp root /etc/cron.d
$ sudo chmod 0700 /etc/cron.d
$ sudo chown root /etc/cron.hourly
$ sudo chgrp root /etc/cron.hourly
$ sudo chmod 0700 /etc/cron.hourly
$ sudo chown root /etc/cron.daily
$ sudo chgrp root /etc/cron.daily
$ sudo chmod 0700 /etc/cron.daily
$ sudo chown root /etc/cron.weekly
$ sudo chgrp root /etc/cron.weekly
$ sudo chmod 0700 /etc/cron.weekly
$ sudo chown root /etc/cron.monthly
$ sudo chgrp root /etc/cron.monthly
$ sudo chmod 0700 /etc/cron.monthly
If you modify one of these files and run the agent with this module, you should see it fixed:
$ chmod 0777 /etc/cron.d
$ cf-agent -KI
info: Object '/etc/cron.d' had permissions 0777, changed it to 0700
This module has no dependencies