2

I was reading about EvilGnome and how it hijacks a system. One of the interesting things I read was how it uses crontab:

The Linux implant also gains persistence on a targeted system using crontab, similar to windows task scheduler, and sends stolen user data to a remote attacker-controlled server.

On my Ubuntu desktop I myself don't have any custom cron jobs, but when I ran service cron status it returned some results.

systemd[1]: Started Regular background program processing daemon. 
cron[916]: (CRON) INFO (pidfile fd = 3)
cron[916]: (CRON) INFO (Running @reboot jobs)
CRON[19931]: pam_unix(cron:session): session opened for user root by (uid=0)
CRON[19932]: (root) CMD (   cd / && run-parts --report /etc/cron.hourly)
CRON[19931]: pam_unix(cron:session): session closed for user root

My question is: can I disable cron jobs with something like sudo systemctl disable cron.service? Is cron a necessary service for a ubuntu desktop or can I completely remove this from my system?

Eka
  • "EvilGnome malware masquerades itself as a legit GNOME extension, a program that lets Linux users extend the functionality of their desktops." I would advise against using any extension to start with. It was a bad design decision to start forcing extensions by GNOME developers to begin with. – Rinzwind Jul 17 '19 at 17:49

2 Answers

2

Note: This is for companies with multi-million dollar yearly operating budgets. It would take a week to set up and requires an hour or two after upgrades to audit and even more to incorporate new scripts from an upgrade.

In comments it was mentioned logrotate gets called daily. This is an important part of Ubuntu for keeping log files down to size. If you are so concerned about cron that you pull it from service, you would have to create your own script which mimicked cron. I'll call this script crony. You can keep it locked down in a place hackers wouldn't think to look for it.

Let's look at the files in /etc/cron.daily:

-rwxr-xr-x   1 root root   311 Feb 19  2014 0anacron*
-rwxr-xr-x   1 root root   376 Apr  4  2014 apport*
-rwxr-xr-x   1 root root  1474 Oct 31  2016 apt-compat*
-rwxr-xr-x   1 root root   314 Nov 26  2015 aptitude*
-rwxr-xr-x   1 root root   355 Jun  4  2013 bsdmainutils*
-rwxr-xr-x   1 root root   384 Mar 23  2014 cracklib-runtime*
-rwxr-xr-x   1 root root  1597 Nov 26  2015 dpkg*
lrwxrwxrwx   1 root root    37 Jun  4 01:43 google-chrome -> /opt/google/chrome/cron/google-chrome*
-rwxr-xr-x   1 root root  7613 Jan 17  2017 google-earth*
-rwxr-xr-x   1 root root 13944 Mar  4 17:48 google-earth-pro*
-rwxr-xr-x   1 root root   372 Jan 22  2014 logrotate*
-rwxr-xr-x   1 root root  1293 Nov  6  2015 man-db*
-rwxr-xr-x   1 root root   435 Jun 20  2013 mlocate*
-rwxr-xr-x   1 root root   249 Feb 16  2014 passwd*
-rw-r--r--   1 root root   102 Feb  9  2013 .placeholder
-rwxr-xr-x   1 root root  3449 Feb 26  2016 popularity-contest*
-rwxr-xr-x   1 root root   383 Mar  7  2016 samba*
-rwxr-xr-x   1 root root   214 Apr  9  2014 update-notifier-common*
-rwxr-xr-x   1 root root  1046 May 19  2016 upstart*

The script mlocate I don't even use daily. I have it run every 15 minutes because daily isn't enough for my liking. The script popularity-contest is kind of like spyware so I wouldn't call it with crony if I were replacing cron.

I would call all my crony scripts from /etc/rc.local but there are other ways of doing it.

The format would be like this:

$ cat /etc/rc.local

#!/bin/sh -e
#
# rc.local
#
# This script is executed at the end of each multiuser runlevel.
# Make sure that the script will "exit 0" on success or any other
# value on error.
#
# In order to enable or disable this script just change the execution
# bits.
#
# By default this script does nothing.

# Jan 05 2018 - Reload Logitech Unifying Receiver to get Mouse in Power Stats
modprobe -r hid_logitech_dj
modprobe    hid_logitech_dj

# Call crony to mimic cron's duties
# daemonize job   boot delay   sleep interval
crony /etc/cron.daily/mlocate 1m 15m &
crony /etc/cron.daily/logrotate 30m d &
crony /mnt/e/usr/local/bin/daily-backup 5m d &
crony /usr/local/bin/eyesome-sun.sh 1m d &

exit 0

This is what a typical installation has for entries that are already set up in /etc/rc.local along with new crony entries after them. The last two of my crony entries are custom scripts my machine has in /etc/cron.daily

#!/bin/bash

# NAME: crony
# PATH: /usr/local/bin
# DATE: July 17, 2019
# NOTE: For Ask Ubuntu: https://askubuntu.com/questions/1159014/can-we-disable-cron-services-in-desktop

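# Usage: crony <job> <boot delay> <sleep interval>
job="$1"
delay="$2"
interval="$3"

logger "$0"

sleep "$delay"

last_day=""
while true; do
    if [[ "$interval" != "d" ]]; then
        # Fixed interval such as 15m: run the job, then sleep
        "$job"
        sleep "$interval"
        continue
    fi
    # If parameter 3 is "d" for 1 day interval we can't sleep for a day
    # because laptop may have been suspended. Use 10 minutes to minimize resources
    today=$(date +%F)
    # Check if time to process job again. If not continue
    if [[ "$today" != "$last_day" ]]; then
        "$job"
        last_day="$today"
    fi
    sleep 10m
done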

crony script needs more work but you get the general idea. This may or may not be a good project for WSL (Windows Subsystem for Linux) in which case I may finish it.

  • Good news: In 18.04 and newer, Unattended Upgrades shifted from a cron job to a systemd timer. The cron job /etc/cron.daily/apt-compat is for folks who don't use systemd. – user535733 Jul 17 '19 at 17:31
  • logrotate could be a problem: log files not getting compressed. mlocate too. The command locate becomes useless. – Rinzwind Jul 17 '19 at 17:42
2

Yes. BUT there are a couple of tasks active on our systems and those will stop too.

Is cron a necessary service for a ubuntu desktop or can I completely remove this from my system?

I would suggest it is necessary but as always with Linux ... your choice to decide :) Might I suggest another method: why not flag changes to /etc/cron*/, /etc/crontab and /var/spool/cron/crontabs//? That might be a lot less trouble as you get to keep the normal cron jobs active. Just need to create a watchdog and set it loose on those directories.

A rundown on cron from my system (yours might have more, the same or less actions) ...

$ ls /etc/cron.daily/
0anacron      cracklib-runtime  man-db              samba
apport        dpkg              mlocate             update-notifier-common
apt-compat    google-chrome     passwd
bsdmainutils  logrotate         popularity-contest


$ ls /etc/cron.weekly/
0anacron  man-db  update-notifier-common

$ ls /etc/cron.monthly/
0anacron

So generally I would investigate any of these (like popularity-contest is all fine and dandy but I could live without it). mlocate might be an issue: that one updates the locate command so could be useful. And so on. EACH of these you could run manually.

Each of the files will have an explanation:

rinzwind@schijfwereld:~$ more /etc/cron.monthly/0anacron 
#!/bin/sh
#
# anacron's cron script
#
# This script updates anacron time stamps. It is called through run-parts
# either by anacron itself or by cron.
#
# The script is called "0anacron" to assure that it will be executed
# _before_ all other scripts.

test -x /usr/sbin/anacron || exit 0
anacron -u cron.monthly

anacron has its own service:

$ systemctl list-unit-files | grep cron
anacron.service                            enabled        
cron.service                               enabled        
anacron.timer                              enabled        

Now for the command (stop and start):

sudo systemctl stop cron.service
sudo systemctl start cron.service
sudo systemctl stop anacron.service
sudo systemctl start anacron.service
sudo systemctl stop anacron.timer
sudo systemctl start anacron.timer

(I did not test each of them ;) )

Plus there is more than that: a user cron is also active; you can disable those with ...

sudo touch /var/spool/cron/crontabs/$USER
sudo chmod 0 /var/spool/cron/crontabs/$USER

for every user on your system (make copies of the files please so you can restore them if you want to restore them) (oddly I have not found a systemd service for user crons and I doubt it is dealt with from cron.service).

Rinzwind
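The watchdog suggested in the answer above (flag changes to the cron locations instead of disabling cron) can be sketched as a baseline-and-compare script. This is an added example, not part of the original answer: the function names, the CRON_BASELINE variable and the baseline path are assumptions, and it relies on GNU stat and sha256sum as shipped on Ubuntu.

```shell
#!/bin/sh
# Added example: watchdog for the locations cron reads jobs from.
# Function names, CRON_BASELINE and the baseline path are assumptions.

# Print "path<TAB>mode<TAB>sha256" for every file or symlink under
# <root>/etc/cron* (crontab, cron.d, cron.daily, ...) and the user crontabs.
# <root> defaults to the real filesystem; a prefix allows offline testing.
cron_snapshot() {
    root="${1:-}"
    for p in "$root"/etc/cron* "$root/var/spool/cron/crontabs"; do
        if [ -e "$p" ]; then
            find "$p" \( -type f -o -type l \) -print
        fi
    done | sort -u | while IFS= read -r f; do
        mode=$(stat -c '%a' "$f")
        hash=$(sha256sum "$f" 2>/dev/null | cut -d' ' -f1)
        printf '%s\t%s\t%s\n' "$f" "$mode" "$hash"
    done
}

# Compare two snapshots: report entries that were added, removed, or whose
# mode or content hash changed. Prints nothing when they match.
cron_diff() {
    awk -F'\t' '
        FILENAME == ARGV[1]       { old[$1] = $2 FS $3; next }
        !($1 in old)              { print "ADDED   " $1; next }
        old[$1] != ($2 FS $3)     { print "CHANGED " $1 }
                                  { seen[$1] = 1 }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }
    ' "$1" "$2" | sort
}

# Run as root (user crontabs are not world-readable). Keep the baseline
# somewhere ordinary users cannot write, and re-run "init" after upgrades.
BASELINE="${CRON_BASELINE:-/var/lib/cron-watch/baseline.tsv}"
case "${1:-}" in
    init)
        mkdir -p "$(dirname "$BASELINE")" && cron_snapshot > "$BASELINE" ;;
    check)
        cur=$(mktemp) && cron_snapshot > "$cur"
        out=$(cron_diff "$BASELINE" "$cur"); rm -f "$cur"
        if [ -n "$out" ]; then
            echo "$out"; echo "$out" | logger -t cron-watch; exit 1
        fi ;;
esac
```

Calling it with check from a systemd timer keeps the monitor independent of the cron daemon it is watching.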