{"description": "The <tt>/etc/cron.allow</tt> and <tt>/etc/at.allow</tt> files contain lists of\nusers who are allowed to use <tt>cron</tt> and at to delay execution of\nprocesses. If these files exist and if the corresponding files\n<tt>/etc/cron.deny</tt> and <tt>/etc/at.deny</tt> do not exist, then only users\nlisted in the relevant allow files can run the crontab and <tt>at</tt> commands\nto submit jobs to be run at scheduled intervals. On many systems, only the\nsystem administrator needs the ability to schedule jobs. Note that even if a\ngiven user is not listed in <tt>cron.allow</tt>, cron jobs can still be run as\nthat user. The <tt>cron.allow</tt> file controls only administrative access\nto the crontab command for scheduling and modifying cron jobs.\n<br />\n<br />\nTo restrict <tt>at</tt> and <tt>cron</tt> to only authorized users:\n<ul>\n<li>Remove the <tt>cron.deny</tt> file:<pre>$ sudo rm /etc/cron.deny</pre></li>\n<li>Edit <tt>/etc/cron.allow</tt>, adding one line for each user allowed to use\nthe crontab command to create cron jobs.</li>\n<li>Remove the <tt>at.deny</tt> file:<pre>$ sudo rm /etc/at.deny</pre></li>\n<li>Edit <tt>/etc/at.allow</tt>, adding one line for each user allowed to use\nthe at command to create at jobs.</li>\n</ul>", "warnings": [], "requires": [], "conflicts": [], "values": {}, "groups": {}, "rules": ["file_at_allow_exists", "file_at_deny_not_exist", "file_cron_allow_exists", "file_cron_deny_not_exist", "file_groupowner_at_allow", "file_groupowner_at_deny", "file_groupowner_cron_allow", "file_owner_at_allow", "file_owner_at_deny", "file_owner_cron_allow", "file_permissions_at_allow", "file_permissions_at_deny", "file_permissions_cron_allow"], "platform": "", "platforms": [], "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "title": "Restrict at and cron to Authorized Users if Necessary", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/cron_and_at/restrict_at_cron_users/group.yml"}