Vulnerability description
/etc/cron.allow and /etc/cron.deny, where present, must be owned by root (UID 0) with mode 640; the check below requires exactly 640, so a stricter 600 is also reported as misconfigured. When neither file exists, which users may run crontab depends on the cron implementation: cronie (RHEL family) denies everyone but root, whereas Debian/Ubuntu cron allows every user. The template treats the absence of both files as the safe default, which holds for cronie but not for Debian-based hosts; create /etc/cron.allow listing only root there to be sure.
id: linux-cron-permissions-check

info:
  name: Cron Access File Ownership & Permissions
  author: songyaeji
  severity: high
  description: |
    /etc/cron.allow and /etc/cron.deny, where present, must be owned by root (UID 0)
    with mode 640 (this check requires exactly 640). If neither file exists, crontab
    access depends on the cron implementation: cronie (RHEL family) allows only root,
    Debian/Ubuntu cron allows every user. The template reports the absence of both
    files as the safe default, which is only true for cronie.
  reference:
    - https://isms.kisa.or.kr
  tags: local,linux,audit,kisa,compliance

self-contained: true
code:
  - engine:
      - bash
    source: |
      result=""
      check_file() {
        file=$1
        if [ -f "$file" ]; then
          owner=$(stat -c "%u" "$file")   # numeric UID of the owner (GNU stat)
          perm=$(stat -c "%a" "$file")    # octal mode, e.g. 640 or 4640 with setuid
          # flag the file unless it is root-owned with exactly mode 640
          if [ "$owner" -ne 0 ] || [ "$perm" -ne 640 ]; then
            result+="[WARN] $file misconfigured\n"
          fi
        fi
      }
      check_file /etc/cron.allow
      check_file /etc/cron.deny
      if [ -n "$result" ]; then
        echo -e "$result"
      else
        if [ ! -f /etc/cron.allow ] && [ ! -f /etc/cron.deny ]; then
          # root-only on cronie; Debian/Ubuntu cron allows all users in this state
          echo "[OK] no cron access files found (default safe behavior)"
        else
          echo "[OK] cron files properly configured"
        fi
      fi

    matchers:
      - type: word
        part: response
        words:
          - "[WARN] /etc/cron.allow misconfigured"
          - "[WARN] /etc/cron.deny misconfigured"
# digest: 490a004630440220180a1385922d6792b7c466fde7a1f487c47fe0525a02e7adf73eea1cc50e8d100220684a7e5fd3ca7898c61cde73008a3725f8753709b7ea323a254b27a075c3ff1f:922c64590222798bb761d5b6d8e72950
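The following is an added example and is not part of the template above or the author's code. It audits the same two files but replaces the exact "640" comparison with a bit-mask test (no permission bit beyond 640), so 600 passes while 644, 660 and a setuid 4640 are flagged, and it reports the "neither file exists" case as implementation-dependent instead of calling it safe. It assumes GNU stat (-c); the directory and expected-owner arguments are assumptions added only so the functions can be exercised on constructed files in a temporary directory.

```bash
#!/usr/bin/env bash
# Added example (not the songyaeji template's code). Assumes GNU stat.
# The DIR and UID parameters are for testing on constructed files; production
# use is simply: bash cron_audit.sh --run

# mode_within MODE [ALLOWED]: succeed when every bit set in MODE (octal string
# as printed by stat %a, three or four digits) is also set in ALLOWED (default 640).
mode_within() {
    local mode=$1 allowed=${2:-640}
    # a leading 0 makes the shell parse both strings as octal numbers
    [ $(( 0$mode & ~0$allowed )) -eq 0 ]
}

# check_cron_file PATH [UID]: print one result line.
# Returns 0 = ok, 1 = misconfigured, 2 = file absent.
check_cron_file() {
    local file=$1 want_uid=${2:-0} uid mode
    if [ ! -f "$file" ]; then
        echo "[SKIP] $file absent"
        return 2
    fi
    uid=$(stat -c '%u' "$file")
    mode=$(stat -c '%a' "$file")
    if [ "$uid" -ne "$want_uid" ]; then
        echo "[WARN] $file owned by uid $uid, expected $want_uid"
        return 1
    fi
    if ! mode_within "$mode" 640; then
        echo "[WARN] $file mode $mode is more permissive than 640"
        return 1
    fi
    echo "[OK] $file uid=$uid mode=$mode"
    return 0
}

# audit_cron_access [DIR] [UID]: check cron.allow and cron.deny under DIR
# (default /etc). Returns 1 if any present file is misconfigured, else 0.
# When neither file exists the outcome depends on the cron implementation
# (cronie: root only; Debian/Ubuntu cron: every user), so that state is
# reported with [INFO] rather than declared safe.
audit_cron_access() {
    local dir=${1:-/etc} want_uid=${2:-0} bad=0 present=0 f rc
    for f in "$dir/cron.allow" "$dir/cron.deny"; do
        if check_cron_file "$f" "$want_uid"; then
            present=1
        else
            rc=$?
            if [ "$rc" -eq 1 ]; then
                bad=1
                present=1
            fi
        fi
    done
    if [ "$present" -eq 0 ]; then
        echo "[INFO] neither $dir/cron.allow nor $dir/cron.deny exists:" \
             "root-only on cronie, all users on Debian/Ubuntu cron;" \
             "create cron.allow containing only root to be certain"
    fi
    return "$bad"
}

# Run against the live system only when asked explicitly, so the file can
# also be sourced for its functions: bash cron_audit.sh --run [DIR] [UID]
if [ "${1:-}" = "--run" ]; then
    shift
    audit_cron_access "$@"
fi
```

The mask test is the practitioner-relevant difference from an equality check: comparing octal strings as numbers would accept 620 (group-writable) because 620 is numerically smaller than 640, while rejecting the stricter 600; masking against the allowed bits gets both cases right.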