Macintosh OS X Workstation STIG, V1R1
DISA Field Security Operations
15 June 2004
Developed by DISA for the DOD
3.10 Cron Access
Cron is a job scheduling utility. It controls jobs configured to run in the background on a
recurring schedule. Cron determines the schedule and the jobs from configuration files called
crontabs. It keeps track of each specific crontab creator and executes the programs with all the
privileges of the crontab creator. Because of that, crontab entries will not execute world- or
group-writable programs, nor will the programs be in a world-writable directory or in a directory
tree that contains a world-writable directory. Cron will be enabled only for root on all Mac OS X
workstations. This is so the Mac can run a nightly job that cleans up the system and refreshes the
locate databases. Cron should not be used for jobs on the workstation (server is covered later).
To do this, the following three things will need to be done:
Create an allow file in /var/adm/ and put NO ONE in it except for root.
Set permissions to 700 on allow.
Give Cron permissions of 700.
(OSX1026SVR0021: CAT II) The SA will ensure no Cron jobs execute on Mac OS X
workstations.
3.10.1 Access Controls
Access to the use of Cron facilities will be authorized and documented with the IAO. In
addition, Cron uses a file called allow, populated by the SA, to determine which users are
authorized to create crontabs. It uses a file called deny, also populated by the SA, to deny access
to specific users. The allow and deny files, if they exist, are usually located in /var/adm/.
Specific locations can be determined by performing the man cron command, which should
mention their locations. If allow is used, there is no absolute need to also have a deny file,
because users not in the allow file will not have access anyway. If there are no allow and deny
files, the system assumes either everybody can access Cron or nobody can access Cron,
depending on the system. Therefore, every system will have either an allow file listing authorized
Cron users, or a deny file listing users not authorized to use Cron.
3.10.2 Access Permissions and Owners
The maximum access permissions for the allow and deny files will be 700. The owners of the
allow and deny files, where they exist, will be root, bin, or sys. The owner for the cronlog files
will be root. The group owner of the cronlog file will be root or another privileged user such as
sys or bin.
Other files and directories associated with Cron will be owned by root or bin with a group owner
of root, bin, or sys. Crontabs will be owned by root with a group owner the same as the group of
the crontab creator. Crontabs will have a maximum access permission of 600. The access
permissions for the Cron and crontab directories will be 755, or more restrictive.
(OSX1026SVR0022: CAT II): The group owner of the cronlog file will be root or another
privileged user such as sys or bin.
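The following shell sketch is an added example, not part of the STIG, showing how an SA could check the rules in sections 3.10 through 3.10.2. The function names, the crontab directory argument and the PASS/FAIL output are assumptions of this example; paths are passed as arguments because their locations vary by system.

```sh
#!/bin/sh
# Added example: audit helpers for the Cron rules in sections 3.10 to 3.10.2.
# Function names, arguments and the PASS/FAIL output are assumptions.

# mode_within PATH MAX: succeed if PATH has no permission bit outside octal MAX.
mode_within() {
    [ -e "$1" ] || return 1
    forbidden=$(( 0777 & ~0$2 ))
    for bit in 256 128 64 32 16 8 4 2 1; do
        if [ $(( forbidden & bit )) -ne 0 ] &&
           [ -n "$(find "$1" -prune -perm "-$(printf '%o' "$bit")")" ]; then
            return 1    # find -perm -MODE matched, so a forbidden bit is set
        fi
    done
    return 0
}

# allow_only_root FILE: succeed if FILE lists root and nobody else.
allow_only_root() {
    grep -q '^root$' "$1" 2>/dev/null || return 1
    # Any non-blank line other than "root" is an extra authorized user.
    if grep -v -e '^[[:space:]]*$' -e '^root$' "$1" >/dev/null; then return 1; fi
    return 0
}

# owner_in PATH "NAMES": succeed if PATH's owner is one of the listed names.
owner_in() {
    owner=$(ls -ld "$1" 2>/dev/null | awk '{print $3}')
    [ -n "$owner" ] || return 1
    case " $2 " in *" $owner "*) return 0 ;; esac
    return 1
}

# audit_cron_access ALLOW_FILE CRONTAB_DIR [OWNERS]: run all checks, return 1 on any FAIL.
audit_cron_access() {
    allow=$1 tabs=$2 owners=${3:-"root bin sys"} rc=0
    report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; rc=1; fi; }
    report allow_only_root "$allow"
    report mode_within "$allow" 700        # allow/deny: 700 maximum
    report owner_in "$allow" "$owners"     # owner root, bin, or sys
    report mode_within "$tabs" 755         # crontab directory: 755 or stricter
    for tab in "$tabs"/*; do
        if [ -f "$tab" ]; then report mode_within "$tab" 600; fi   # crontabs: 600 maximum
    done
    return $rc
}

# Run the audit only when both paths are given on the command line.
if [ "$#" -ge 2 ]; then audit_cron_access "$@"; fi
```

Run it as root with the allow file and crontab directory for the system, as reported by man cron; a non-zero exit status means at least one check failed.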
3.10.3 Cron on Mac OS X server
UNCLASSIFIED