Prevent Cron and At Job Persistence
Stop attackers from gaining macOS persistence through cron and at jobs. Workshop file access rules block writes to crontab and at job directories.
Idea
Launch Agents and Launch Daemons get all the attention when it comes to macOS persistence. But lurking in the background are two older Unix job schedulers that still work just fine on macOS and are still used today: cron and at. Security teams focused on monitoring /Library/LaunchAgents might miss a quiet crontab entry in /private/var/at/ or /usr/lib/cron/. Luckily, Workshop and Santa's file access rules can lock these down at the filesystem level. No writes to the crontab directory means no cron persistence. Simple!
Solutions
- Path Prefixes
- Options
- Allow Read Access:
- Audit Only:
- Rule Type:
- Custom Message
MITRE ATT&CK
Tags
Deployment Notes
This blocks writes to the entire /private/var/at/ and /usr/lib/cron/ directory trees, covering crontabs, at jobs, and related files like at.allow and at.deny.
However, some legitimate software does use cron, like Homebrew updates and cleanup, third-party backup software, and developer automation scripts. Audit your environment before deploying deny rules. If specific tools need cron access, add them as exceptions in the "Processes" array with their signing ID and team ID.
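A sketch of how such a rule could look in Santa's FileAccessPolicy plist format, added here as an illustration and not taken from this page or from Workshop's own rule export. The rule name, version label, custom message, and the SigningID/TeamID exception are constructed placeholders; the rule starts in audit-only mode to match the audit-first advice above.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Version</key>
  <string>cron-at-v1</string> <!-- constructed policy version label -->
  <key>WatchItems</key>
  <dict>
    <key>BlockCronAtPersistence</key> <!-- constructed rule name -->
    <dict>
      <key>Paths</key>
      <array>
        <dict>
          <key>Path</key><string>/private/var/at/</string>
          <key>IsPrefix</key><true/>
        </dict>
        <dict>
          <key>Path</key><string>/usr/lib/cron/</string>
          <key>IsPrefix</key><true/>
        </dict>
      </array>
      <key>Options</key>
      <dict>
        <!-- Reads stay allowed; only writes are in scope -->
        <key>AllowReadAccess</key><true/>
        <!-- Rollout phase: log only. Set to false to enforce after the audit -->
        <key>AuditOnly</key><true/>
        <!-- Deny every writer except those listed under Processes -->
        <key>RuleType</key><string>PathsWithAllowedProcesses</string>
        <key>CustomMessage</key>
        <string>Writes to cron and at job directories are blocked.</string>
      </dict>
      <key>Processes</key>
      <array>
        <dict>
          <!-- Placeholder exception: replace with values audited in your fleet -->
          <key>SigningID</key><string>com.example.backup-agent</string>
          <key>TeamID</key><string>ABCDE12345</string>
        </dict>
      </array>
    </dict>
  </dict>
</dict>
</plist>
```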
False Positive Guidance
Legitimate tools that may use cron:
- Homebrew automatic updates
- Backup software
- Developer automation scripts
- System monitoring tools
Audit your environment and add exceptions as needed.