Cron / anacron / at deep audit

Linux scheduled-execution persistence — C1-C7, parallel to systemd_audit.
The existing persistence_outlier detector catches cron entries whose command lives in a writable path. CronAuditDetector covers the cron-specific patterns it misses.
Scope
Consumes Artifacts emitted by the existing linux.cron collector:

- `cron:<path>` — full text of `/etc/crontab` + `/etc/anacrontab`
- `cron-dir:<path>` — `entries[]` under `/etc/cron.{d,hourly,daily,weekly,monthly}`, `/var/spool/cron`, `/var/spool/cron/crontabs`, `/var/spool/anacron`, `/var/spool/at`
Per-line parsing handles both shapes:

- `minute hour dom month dow user command` (`/etc/crontab`, `/etc/cron.d/*`)
- `minute hour dom month dow command` (`/var/spool/cron/*`)

Env-var lines (`SHELL=`, `MAILTO=`) and `@<keyword>` shortcuts are skipped at parse time.
Detection layers (C1–C7)
| ID | Severity | What it catches | MITRE |
|---|---|---|---|
| C1 | high → critical | Network-fetch in entry body (curl/wget/nc/socat/python-socket). Cron downloading on schedule = payload-rotation primitive. Escalates to critical when the fetch is piped to a shell. | T1053.003 |
| C2 | medium | Long base64 / escaped-hex sequence. | T1027 |
| C3 | high | Command in user-writable path. Whoever can write to that target edits what cron runs. | T1053.003 |
| C4 | critical | root-context entry with command outside /usr/sbin /usr/bin /sbin /bin /opt /usr/local. Canonical Linux escalation via cron. | T1053.003 |
| C5 | medium | @reboot persistence — runs on every boot. | T1037 |
| C6 | medium | at-job present in /var/spool/at. Delayed exec / anti-sandbox primitive. | T1053.001 |
| C7 | medium | Schedule fires more often than every 5 minutes. `* * * * *` = 60s; `*/N * * * *` = 60N; `0 * * * *` = 3600; `0 */N * * *` = 3600N. Beacon-shape cadence. | T1053.003 |
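As an added worked example (not the project's own CronAuditDetector code), the following shows the two-shape line parser described under Scope, the env-var/`@keyword` skip, and the C4, C5 and C7 checks from the table. `parse_cron_line`, `min_interval_seconds`, `audit_line` and the `owner` argument (the spool file's basename, standing in for the missing user field) are this example's own names; treating a bare command name with no path as "outside" the trusted directories for C4 is also this example's choice.

```python
import re
from typing import Optional

# Trusted roots for root-context commands (the C4 list from the table).
TRUSTED_PREFIXES = ("/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/", "/opt/", "/usr/local/")
STAR_STEP = re.compile(r"\*(?:/(\d+))?")  # matches "*" or "*/N"

def parse_cron_line(line: str, has_user_field: bool, owner: Optional[str] = None):
    """Split one crontab line into (schedule_fields, user, command).

    has_user_field=True for /etc/crontab and /etc/cron.d/*; False for
    /var/spool/cron/* where `owner` (the file's basename) is the user.
    Returns None for blank, comment, env-var (SHELL=, MAILTO=) and @keyword lines.
    """
    s = line.strip()
    if not s or s[0] in "#@" or re.match(r"[A-Za-z_][A-Za-z0-9_]*=", s):
        return None
    parts = s.split(None, 6 if has_user_field else 5)
    if len(parts) < (7 if has_user_field else 6):
        return None  # malformed entry; cron itself would reject it
    user = parts[5] if has_user_field else owner
    return parts[:5], user, parts[-1]

def min_interval_seconds(minute: str, hour: str) -> Optional[int]:
    """C7 cadence for the four shapes in the table; None for any other shape."""
    m = STAR_STEP.fullmatch(minute)
    if m:
        return 60 * int(m.group(1) or 1)       # "* ..." = 60s, "*/N ..." = 60N
    h = STAR_STEP.fullmatch(hour)
    if minute == "0" and h:
        return 3600 * int(h.group(1) or 1)     # "0 * ..." = 3600, "0 */N ..." = 3600N
    return None

def audit_line(line: str, has_user_field: bool, owner: Optional[str] = None) -> list:
    """Return the IDs among C4/C5/C7 that fire for one line."""
    hits = []
    if line.lstrip().startswith("@reboot"):
        hits.append("C5")  # checked on the raw line, since the parser skips @keywords
    parsed = parse_cron_line(line, has_user_field, owner)
    if parsed is None:
        return hits
    fields, user, command = parsed
    exe = command.split()[0]
    if user == "root" and not exe.startswith(TRUSTED_PREFIXES):
        hits.append("C4")  # root context, command outside the trusted directories
    interval = min_interval_seconds(fields[0], fields[1])
    if interval is not None and interval < 300:
        hits.append("C7")  # fires more often than every 5 minutes
    return hits
```

Constructed sample lines: `*/2 * * * * root /tmp/x.sh` in `/etc/cron.d` trips C4 and C7, while `0 */6 * * * root /usr/bin/apt-get update` trips nothing.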
No new CLI needed
The cron collector already runs as part of `digger collect`; the detector runs at `digger scan` time.