Restricting cron Access

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
Required fields are marked with an *
or

Already have an account? Sign In »

Time
21 hours 25 minutes
Difficulty
Intermediate
CEU/CPE
21
Video Transcription
00:00
>> Hey there, Cybrarians.
00:00
>> Welcome back to the Linux+ course here at Cybrary.
00:00
>> I'm your instructor, Rob Goelz.
00:00
In today's lesson,
00:00
>> we're going to be covering restricting cron access.
00:00
>> Upon completion of today's lesson,
00:00
you are going to be able to understand
00:00
>> the purpose and benefits of restricting cron access,
00:00
>> just generally denying jobs from running.
00:00
We're going to explain how we can restrict
00:00
that job access using deny or allow files.
00:00
The Linux+ material only specifically mentions cron,
00:00
but you've got to remember that both cron
00:00
>> and the at command can be used to schedule jobs.
00:00
>> Users have cron and at to execute code
00:00
>> or run jobs after hours.
00:00
>> Users do this a lot.
00:00
They might target this time
00:00
>> due to limited activity in the system
00:00
>> and that could allow them to get preferential access
00:00
>> when no one else is around
00:00
>> or when they think no one else is around.
00:00
>> Unfortunately, this often leads to abuse.
00:00
Users are sometimes trying to run code
00:00
>> that they know they're not supposed to run
00:00
>> thinking no one's watching,
00:00
or maybe they're trying new code
00:00
>> that they don't think will impact others,
00:00
>> but they want to try it when no one is around
00:00
>> so they won't get in trouble if it does.
00:00
>> Unfortunately, what generally winds up happening,
00:00
is they run something they shouldn't run after hours
00:00
>> and then the system administrator
00:00
>> gets woken up early in the morning
00:00
>> to troubleshoot the system that is impacted,
00:00
>> so never really a fun time
00:00
>> for the system administrator.
00:00
>> Luckily, both cron and at
00:00
>> have the same method for restricting job access.
00:00
>> That is, we could use the allow list
00:00
and the deny lists files.
00:00
For the allow lists,
00:00
>> it's going to be etc/cron.allow or etc/at.allow.
00:00
>> Any accounts that are placed into this list
00:00
>> are going to be allowed to schedule jobs.
00:00
>> Then there's cron.deny and etc/at.deny,
00:00
and accounts that are in here
00:00
>> are prevented from scheduling jobs.
00:00
>> This works somewhat similar
00:00
to what we've seen with allow and deny files before
00:00
>> and generally, if it allow file exist,
00:00
>> that means that only users in the file
00:00
and the root user can scheduled jobs.
00:00
Anybody who's not in that file
00:00
>> can't schedule jobs, period.
00:00
>> Now, if the allow file doesn't exist
00:00
>> and the deny file does,
00:00
>> that means that users in the deny file
00:00
are prevented from scheduling jobs,
00:00
but everyone else could schedule them just fine.
00:00
Then if neither file exists,
00:00
that means that only root can manage cron.
00:00
Going back to what we were talking about,
00:00
you may want to restrict certain users
00:00
>> from doing things off hours,
00:00
>> if they're known for being frequent flyers,
00:00
>> or you may want to have a script in place
00:00
>> that puts all of the users
00:00
>> into a deny file after hours,
00:00
and it pulls them back during real or working hours
00:00
>> to make sure that they're not doing stuff
00:00
>> they shouldn't be doing.
00:00
>> Otherwise, you could also set time
00:00
>> and use restrictions using things like Pam,
00:00
>> like we talked about previously.
00:00
But this is just another method
00:00
>> that you could use for restricting job access,
00:00
>> specifically at the job level
00:00
>> using this cron allow, deny
00:00
>> and at allow and at deny files.
00:00
>> We've reached the end of this lesson
00:00
and in this lesson, we covered the purpose
00:00
>> and benefits of restricting cron access,
00:00
>> and we also talked about how to restrict job access.
00:00
We can do that using the deny or allow files
00:00
>> for cron and at.
00:00
>> Thank you so much for being here,
00:00
>> and I look forward to seeing you in the next lesson.
Up Next