← Back to IBM AIX 7.x Security Technical Implementation Guide

V-215192

CAT II (Medium)

AIX default system accounts (with the exception of root) must not be listed in the cron.allow file or must be included in the cron.deny file, if cron.allow does not exist.

Rule ID

SV-215192r991589_rule

STIG

IBM AIX 7.x Security Technical Implementation Guide

Version

V3R2

CCIs

CCI-000366

Discussion

To centralize the management of privileged account crontabs, of the default system accounts, only root may have a crontab.

Check Content

Check the "cron.allow" and "cron.deny" files for the system using commands:
# more /var/adm/cron/cron.allow 
# more /var/adm/cron/cron.deny 

If the "cron.allow" file exists and is empty, this is a finding.

If a default system account (such as bin, sys, adm, or lpd) is listed in the "cron.allow" file, or not listed in the "cron.deny" file, this is a finding.

Fix Text

Remove default system accounts (such as bin, sys, adm, or lpd) from the "cron.allow" file, or add those accounts to the "cron.deny" file.