3.7.6 Miscellaneous Enhancements - crontab permissions

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

This script checks the permissions of all the root crontab entries, to ensure that they are owned and writable by the root user only.

All root crontab entries must be owned and writable by the root user only. If a script had group or world writable access, it could be replaced or edited with malicious content, which would then subsequently run on the system with root authority.

Solution

Ensure that all root crontab entries are owned and writable by root only.The script below traverses up each individual directory path, ensuring that all directories are not group/world writable and that they are owned by the root or bin user-

crontab -l |egrep -v '^#' |awk '{print $6}' |grep '^/' |sort -u | while read
DIR
do
DIR=${DIR--$(pwd)}
while [[ -a ${DIR} ]]
do
[[ '$(ls -ld ${DIR})' = @(????????w? *) ]] && print ' WARNING ${DIR} is world writable'
[[ '$(ls -ld ${DIR})' = @(?????w???? *) ]] && print ' WARNING ${DIR} is group writable'
[[ '$(ls -ld ${DIR} |awk '{print $3}')' != @(root|bin) ]] && print ' WARNING ${DIR} is not owned by root or bin'
DIR=${DIR%/*}
done
done

NOTE- Review the output and manually change the directories, if possible. Directories which are group and/or world writable or not owned by root are marked with 'WARNING'.

To manually change permissions on the files or directories-
o To remove group writable access- chmod g-w <name>
o To remove world writable access-chmod o-w <name>
o To remove both group and world writable access-chmod go-w <name>
o To change the owner of a file or directory-chown <new user> <name>

See Also

https://workbench.cisecurity.org/files/528