Puppet Class: cis_security_hardening::rules::etc_crond

Defined in:
manifests/rules/etc_crond.pp

Summary

Ensure permissions on /etc/cron.d are configured

Overview

The /etc/cron.d directory contains system cron jobs that need to run in a similar manner to the hourly, daily weekly and monthly jobs from /etc/crontab , but require more granular control as to when they run. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory.

Rationale: Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.

Examples:

class { 'cis_security_hardening::rules::etc_crond':
    enforce => true,
}

Parameters:

  • enforce (Boolean) (defaults to: false)

    Enforce the rule



24
25
26
27
28
29
30
31
32
33
34
35
 
# File 'manifests/rules/etc_crond.pp', line 24

class cis_security_hardening::rules::etc_crond (
  Boolean $enforce = false,
) {
  if $enforce {
    file { '/etc/cron.d':
      ensure => directory,
      owner  => 'root',
      group  => 'root',
      mode   => '0700',
    }
  }
}