Friday, September 1, 2017

6 - Linux security: handling usage restrictions for CRON / CRONTAB services


- Layout for this exercise:

cron is a time-based job scheduler in Unix-like computer operating systems.

- cron can be used to schedule jobs (commands or shell scripts) to run periodically at fixed times, dates, or intervals. 

- It typically automates system maintenance or administration though its general purpose nature makes it useful for things like downloading files from the Internet and downloading email at regular intervals.

- cron is driven by a crontab (cron table) file, a configuration file that specifies shell commands to run periodically on a given schedule. 

- The crontab files are stored where the lists of jobs and other instructions to the cron daemon are kept. 

- Users can have their own individual crontab files and often there is a system wide crontab file (usually in /etc or a subdirectory of /etc) that only system administrators can edit.

- Reference for cron

- Reference for crontab:

- These two files play an important role:

/etc/cron.allow - if this file exists it must contain username for using cron jobs.

/etc/cron.deny - if the cron.allow file does not exist but the /etc/cron.deny file does exist then, to use cron jobs, the user must not be listed in the /etc/cron.deny file.

 - If neither of these files exist then, depending on site-dependent configuration parameters, either only the super user can use cron jobs, or all users can use cron jobs. 

- However, it is important to notice that root is always allowed to setup a crontab:

- Creating a cron.allow file to include the user johndoe:

- Going back to johndoe user account:

- Editing crontab for johndoe:

- Let's see what files are related with cron:

- Removing cron.allow:

- Specifically denying crontab access to johndoe by creating cron.deny:

- Now, johndoe is not allowed to use crontab: