CRONTAB file contents (UNIX)

Module: System Queues

This check looks at the contents of the crontabs on the system. Each command in the crontab is examined for configuration files and executable programs. Each executable and configuration file is checked for group or world permissions. Use the file list to exclude executables and configuration files from the check. Specify full path names in the file list.

The following table lists the error messages for the check.

Table: Error messages for CRONTAB file contents

Message String ID and Category

Platform and Message Numeric ID

Message Title and Description

Additional Information

String ID: STKU_CRONMODE

Category: Policy Compliance

UNIX (5938)

Title: Crontab grants read/write permissions

Description: These crontabs grant read or write permissions to group or others. This is a security problem because other users can read or write these crontabs. You should change the crontab permissions so that only owners may read and write these crontabs.

Severity: red-4

Correctable: true

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

String ID: STKU_CRONNOTMATCHED

Category: Policy Compliance

UNIX (5939)

Title: Crontab not matched by a user account

Description: These crontabs do not correspond to user accounts on your system. While not generally a security risk, a crontab file that does not correspond to any user account is an inconsistency in your system. You should remove crontabs that do not have corresponding user accounts.

Severity: green-0

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

String ID: STKU_CRONOWNERDIFF

Category: Policy Compliance

UNIX (5940)

Title: Crontab is owned by another user

Description: These crontabs are owned by other users. This is a security problem because the intended users do not have access to their own crontabs and other users can read and write these crontabs. Review the crontabs list and change ownership to the correct users.

Severity: yellow-1

Correctable: true

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

String ID: STKU_CRONWW

Category: Policy Compliance

UNIX (5941)

Title: World writable file referenced in crontab file

Description: These files are referenced in a crontab file and are world writable. This is a security concern because there is no control over who can modify these files. Files referenced in crontab files are executed or read on a periodic basis. Anyone can replace these files and have them executed or read in another user's account the next time cron runs. You should correct this problem by changing the permissions on each file (chmod o-w filename) so that world write is not allowed.

Severity: red-4

Correctable: true

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

String ID: STKU_CRONGW

Category: Policy Compliance

UNIX (5942)

Title: Group writable file referenced in crontab file

Description: These files are referenced in a crontab file and are group writable. This can be a security concern because anyone with group access can modify these files. Files referenced in crontab files are executed or read on a periodic basis. Anyone with group access can replace these files and have them executed or read in another user's account the next time cron runs. You should correct this problem by changing the permissions on each file (chmod g-w filename) so that group write is not allowed.

Severity: yellow-1

Correctable: true

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

String ID: STKU_CRONNSUSER

Category: Policy Compliance

UNIX (5943)

Title: Non-existent user configured for cron or at

Description: This user is listed in one or more of the cron and batch configuration files but does not exist on the system. This can represent a security breach if the named accounts are later recreated and either granted cron or at access without authority or denied cron or at access when they should have authority. You should correct this problem by removing the listed users from the indicated files.

Severity: green-0

Correctable: false

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]

String ID: STKU_CRONOWNNOTROOT

Category: Policy Compliance

UNIX (5944)

Title: Crontab not owned by root

Description: This user crontab file is not owned by root. This is a security problem because the owner and possibly others may be able to edit these files directly without using the crontab utility program. You should carefully review the list and change user ownership to root.

Severity: red-4

Correctable: true

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]
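
The following sketch shows the kind of logic the check description and the STKU_CRONWW and STKU_CRONGW messages describe: pull the files named in each crontab command, skip those in an exclusion list of full path names, and report the ones that are group or world writable. It is an added example, not the product's own code. The function names, the path-matching heuristic, the user-crontab line format, and reporting both findings for a file that has both bits set are assumptions.

```python
import os
import re
import stat
import tempfile

# Absolute paths in a command: a "/" not preceded by a path character, up to
# the next shell delimiter. A heuristic (assumption), not a shell parser.
PATH_RE = re.compile(r"(?<![\w./-])/[^\s;|&<>()'\"=,]+")

def referenced_paths(crontab_text):
    """Yield absolute paths named in the command part of user-crontab entries."""
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        n_sched = 1 if line.startswith("@") else 5   # "@daily" or five time fields
        fields = line.split(None, n_sched)
        if len(fields) <= n_sched:
            continue                                 # e.g. MAILTO=root, or malformed
        yield from PATH_RE.findall(fields[-1])

def audit(crontab_text, exclude=()):
    """Return (label, path) findings for group/world-writable referenced files."""
    findings, seen = [], set(exclude)   # exclude: full path names, as in the file list
    for path in referenced_paths(crontab_text):
        if path in seen:
            continue
        seen.add(path)
        try:
            mode = os.stat(path).st_mode   # follows symlinks: the target is what runs
        except OSError:
            continue                       # missing or unreadable: nothing to report
        if not stat.S_ISREG(mode):
            continue                       # skip /dev/null, directories, etc.
        if mode & stat.S_IWOTH:
            findings.append(("STKU_CRONWW", path))   # fix: chmod o-w filename
        if mode & stat.S_IWGRP:
            findings.append(("STKU_CRONGW", path))   # fix: chmod g-w filename
    return findings

if __name__ == "__main__":
    # Constructed sample: one world-writable script in a throwaway directory.
    script = os.path.join(tempfile.mkdtemp(), "nightly.sh")
    open(script, "w").close()
    os.chmod(script, 0o757)
    sample = f"MAILTO=root\n30 2 * * * {script} >> /dev/null 2>&1\n"
    for label, path in audit(sample):
        print(label, path)
```

Because the path extraction is a pattern match, files reached through relative paths, variables or PATH lookup are not seen and need separate review.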