CCE-95090-7Platform: cpe:/o:ubuntu:ubuntu_linux:20.04, cpe:/o:ubuntu:ubuntu_linux:22.04, cpe:/o:ubuntu:ubuntu_linux:23.04 | Date: (C)2020-10-15 (M)2023-09-01 |
The /etc/cron.d directory contains system cron jobs that need to run in a similar manner to the hourly, daily weekly and monthly jobs from /etc/crontab, but require more granular control as to when they run. The files in this directory cannot be manipulated by the crontab command, but are instead edited by system administrators using a text editor. The commands below restrict read/write and search access to user and group root, preventing regular users from accessing this directory.
UID - User Identifier is a number assigned by Linux to each user on the system. This number is used to identify the user to the system and to determine which system resources the user can access. UIDs are stored in the /etc/passwd file:
Rationale:
Granting write access to this directory for non-privileged users could provide them the means for gaining unauthorized elevated privileges. Granting read access to this directory could give an unprivileged user insight in how to gain elevated privileges or circumvent auditing controls.
Fix:
# chown root:root /etc/cron.d
# chmod og-rwx /etc/cron.d
Parameter:
[root user owns, root group owns, permission 700]
Technical Mechanism:
# chown root:root /etc/cron.d
# chmod og-rwx /etc/cron.d
CCSS Severity: | CCSS Metrics: |
CCSS Score : 6.8 | Attack Vector: LOCAL |
Exploit Score: 2.5 | Attack Complexity: LOW |
Impact Score: 4.2 | Privileges Required: NONE |
Severity: MEDIUM | User Interaction: NONE |
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H | Scope: UNCHANGED |
| Confidentiality: NONE |
| Integrity: LOW |
| Availability: HIGH |
| |
References: Resource Id | Reference |
---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:65987 |
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:92275 |
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:85164 |