======5.1.8 Ensure at/cron is restricted to authorized users (Scored)======
=====Profile Applicability=====
Level 1 - Server
Level 1 - Workstation
=====Description=====
Configure ''/etc/cron.allow'' and ''/etc/at.allow'' to allow specific users to use these services. If ''/etc/cron.allow'' or ''/etc/at.allow'' do not exist, then ''/etc/at.deny'' and ''/etc/cron.deny'' are checked. Any user not specifically defined in those files is allowed to use at and cron. By removing the files, only users in ''/etc/cron.allow'' and ''/etc/at.allow'' are allowed to use at and cron. Note that even though a given user is not listed in cron.allow, cron jobs can still be run as that user. The cron.allow file only controls administrative access to the crontab command for scheduling and modifying cron jobs.
=====Rationale=====
On many systems, only the system administrator is authorized to schedule ''cron'' jobs. Using the ''cron.allow'' file to control who can run ''cron'' jobs enforces this policy. It is easier to manage an allow list than a deny list. In a deny list, you could potentially add a user ID to the system and forget to add it to the deny files.
=====Audit=====
Run the following commands and ensure ''/etc/cron.deny'' and ''/etc/at.deny'' do not exist:
# stat /etc/cron.deny
stat: cannot stat '/etc/cron.deny': No such file or directory
# stat /etc/at.deny
stat: cannot stat '/etc/at.deny': No such file or directory
Run the following command and verify ''Uid'' and ''Gid'' are both ''0/root'' and ''Access'' does not grant permissions to ''group'' or ''other'' for both ''/etc/cron.allow'' and ''/etc/at.allow'':
# stat /etc/cron.allow
Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root)
# stat /etc/at.allow
Access: (0600/-rw-------) Uid: ( 0/ root) Gid: ( 0/ root)
=====Remediation=====
Run the following commands to remove ''/etc/cron.deny'' and ''/etc/at.deny'' and create and set permissions and ownership for ''/etc/cron.allow'' and ''/etc/at.allow'':
# rm /etc/cron.deny
# rm /etc/at.deny
# touch /etc/cron.allow
# touch /etc/at.allow
# chmod og-rwx /etc/cron.allow
# chmod og-rwx /etc/at.allow
# chown root:root /etc/cron.allow
# chown root:root /etc/at.allow