View Other Properties

Contents

View Other Properties

How to List Crontab Entries Across All Mac, Windows, and Linux Devices

Using Kolide, you can easily view and query Crontab Entries across your fleet.

Introduction

macOS and Linux devices have a file called crontab which is responsible for managing scheduled tasks. A crontab file contains the instruction set for a device's cron daemon in the following simplified manner: "run X command, at Y time, on Z date". Each user can define their own crontab. Commands defined in a crontab are executed under the user (with their accompanying permissions) who owns that particular crontab.

The crontab inventory contains information about the commands scheduled to run, the user context to run them in, and the interval they will run on.

What Crontab Entry Data Can Kolide Collect?

Kolide's endpoint agent bundles in osquery to efficiently collect Crontab Entries from Mac, Windows, and Linux devices in your fleet. Once collected, Kolide will parse, clean up, and centrally store this data in Inventory for your team to view, query, or export via API.

Kolide meticulously documents every piece of data returned so you can understand the results.

Crontab Entries Schema

Column Type Description
id Primary Key

Unique identifier for the object

device_id Foreign Key

Device associated with the entry

device_name Text

Display name of the device associated with the entry

command Text

Raw command string

day_of_month Text

The day of the month for the job

day_of_week Text

The day of the week for the job

event Text

The job @event name (rare)

hour Text

The hour of the day for the job

minute Text

The exact minute for the job

month Text

The month of the year for the job

path Text

File parsed

collected_at Timestamp

Time the row of data was first collected in the database

updated_at Timestamp

Time the row of data was last changed in the database

Why Should I Collect Crontab Entries?

Because crontab has the ability to silently execute commands on a device on a recurring basis, it is a common target for malware in order to act as a persistence mechanism. For example, if a malicious piece of software wanted to exfiltrate the contents of your Chrome Browser history, it could schedule a cronjob which posted a remote connection to a filedrop URL and uploaded your Chrome/History database.

For this reason, it is important for IT administrators to be able to review and audit the contents of the crontab to ensure no malicious entries have been made which might be indicators of compromise.

End-User Privacy Consideration

Kolide practices Honest Security. We believe that data should be collected from end-user devices transparently and with privacy in mind.

Because the crontab can be used by end-users in a totally customizable way, it is possible that you could add entries which contain sensitive or suggestive information. For example, you could configure a cronjob which performed a timecard service check-in at a specified interval, in the morning and afternoon, everyday of the week while you were not at your device. Likewise, you could configure the crontab to reach out to a private IP or domain as part of a backup service.

When you use Kolide to list Crontab Entry data from end-user devices, Kolide gives the people using those devices insight into exactly what data is collected, the privacy implications, and who on the IT team can see the data. This all happens in our end-user privacy center which can be accessed by employees through Slack or Google Workspace account.

Share this story:

Related Device Properties:

New
Mac Launchd Entries
autoruns, daemons, software
New
Windows Programs
software
New
Windows Update Settings
updates, operating-system, security
View full list of Kolide's Device Properties
Try Kolide Free
Try Kolide Free