← Back to SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide

V-976

CAT II (Medium)

Cron must not execute group-writable or world-writable programs.

Rule ID

SV-45576r1_rule

STIG

SUSE Linux Enterprise Server v11 for System z Security Technical Implementation Guide

Version

V1R12

CCIs

CCI-000225

Discussion

If cron executes group-writable or world-writable programs, there is a possibility that unauthorized users could manipulate the programs with malicious intent. This could compromise system and network security.

Check Content

List all cronjobs on the system. 
Procedure:

# ls /var/spool/cron /var/spool/cron/tabs

# ls /etc/crontab /etc/cron.{d,daily,hourly,monthly,weekly}
or 
# ls /etc/cron*|grep -v deny

If cron jobs exist under any of the above directories, use the following command to search for programs executed by cron:

# more <cron job file>

Perform a long listing of each program file found in the cron file to determine if the file is group-writable or world-writable.

# ls -la <cron program file>

If cron executes group-writable or world-writable files, this is a finding.

Fix Text

Remove the world-writable and group-writable permissions from the cron program file(s) identified.
# chmod go-w <cron program file>