| CISA

Audit and Restrict Cron Daemon (CM0109)

In Playbook

Details

ID: CM0109
Version: 1.0
Created: 14 March 2025
Modified: 14 March 2025
Type: Disable, Examine
Status: Active

Intended Outcome

Auditing and restricting the use of the Linux Cron daemon prevents adversary persistence and privilege escalation capabilities.

Introduction

The cron daemon is a time-based job scheduler in Unix-like operating systems, including Linux. It is commonly used for automating system maintenance, running scripts, and executing commands at scheduled intervals. However, adversaries can abuse the cron service to establish persistence, escalate privileges, and execute malicious payloads. This countermeasure aims to provide comprehensive guidance on auditing and restricting the use of the cron daemon to mitigate these risks.

Preparation

Take inventory of all Linux systems and note the presence of the cron utility.
Document all cron jobs currently scheduled on enterprise systems. Identify the user accounts associated with existing cron jobs and the scripts or commands being executed.
Ensure that the cron job configurations are backed up before making any changes.

Risks

Modifying cron job configurations may disrupt scheduled tasks and impact previously automated system operations.
Failure to restrict cron jobs by following the principle of least privilege creates system vulnerabilities that enable potential execution and persistence objectives by an adversary.

Guidance

Auditing Cron Jobs

Utilize the following commands to list cron jobs for all users:

`crontab -l`
`sudo cat /etc/crontab `
`sudo ls -la /etc/cron.d/`

Review the output of these commands, examining each entry for validity and legitimacy of scheduled tasks.
Analyze the scripts and commands executed by cron jobs. Ensure they do not contain malicious or unnecessary instructions. The behavior of the cron jobs should be cross referenced with the ownership and permissions of the scripts executed by them.
Implement file integrity monitoring (FIM) tools to track changes to common cron-related files such as `/etc/crontab`, `/etc/cron.d/`, and `/var/spool/cron/`).
Set up alerts for unauthorized changes to cron job configurations.
It is important to note that adversaries will often delete compromised or malicious cronjobs after they have fulfilled their purposemonitor the system logs (`/var/log/syslog and/or /var/log/cron`) for cases of cronjob deletion.
Implementing organized logging of crontabs and their related jobs. First, ensure that cron job executions are being properly logged under the syslog utility.

Example Capture Cron Job Execution Logs:

/var/log/cron.log" | sudo tee -a /etc/rsyslog.d/50-default.conf`

Instead of defaulting logged output of cronjobs to `/var/log/syslog`, best practices suggest that the output of jobs be logged in separate files based on levels of criticality.

Restricting Cron Jobs

Restrict the use of cron jobs to essential services and administrative tasks.
Disable cron job scheduling for regular users unless absolutely necessary.
Ensure that only authorized users have the necessary permissions to edit and create cron jobs. The following commands exemplify configuration of cron permissions using the `chmod` command:
Additionally, the `cron.allow` and `cron.deny` files should be properly configured so as to limit cron execution under the principle of least privilege.
Restrict access to the crontab directory to prevent unauthorized users from scheduling cron jobs, ensuring regular review of the contents of the `/var/spool/cron/` directory for unauthorized entries.

References

15 Restricting cron and at | https://documentation.suse.com/sles/15-SP3/html/SLES-all/cha-sec-cron-at.html

How to Effectively Monitor and Manage Cron Jobs | https://collabnix.com/how-to-effectively-monitor-and-manage-cron-jobs/