Check: UBTU-24-900950
Canonical Ubuntu 24.04 LTS STIG: UBTU-24-900950 (in version v1 r1)
Title
Ubuntu 24.04 LTS must have a crontab script running weekly to offload audit events of standalone systems. (Cat III impact)
Discussion
Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity.
Check Content
Note: If this is an interconnected system, this is not applicable.

Verify there is a script that offloads audit data and that script runs weekly with the following command:

    $ ls /etc/cron.weekly
    audit-offload

Check if the script inside the file offloads audit logs to external media.

If the script file does not exist or does not offload audit logs, this is a finding.
Fix Text
Create a script that offloads audit logs to external media and runs weekly. The script must be located in the "/etc/cron.weekly" directory.
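
One way to write the script the Fix Text calls for, as an added example that is not part of the STIG. It assumes auditd writes to /var/log/audit and that the external media is mounted at /mnt/audit-offload, a hypothetical mount point; the function and variable names are likewise illustrative.

```shell
#!/bin/sh
# Added example (not from the STIG). Install as /etc/cron.weekly/audit-offload,
# owned by root, mode 0700. Assumed paths: auditd logs in /var/log/audit and
# external media mounted at /mnt/audit-offload (hypothetical mount point).
AUDIT_DIR="${AUDIT_DIR:-/var/log/audit}"
OFFLOAD_MNT="${OFFLOAD_MNT:-/mnt/audit-offload}"
umask 077   # archives and manifests readable by root only

# offload_audit_logs SRC DEST
# Archives SRC into DEST, writes a SHA-256 manifest beside the archive, then
# re-reads the archive from DEST to confirm the copy. Prints the archive path.
offload_audit_logs() {
    src=$1
    dest=$2
    [ -d "$src" ] || { echo "audit-offload: no audit directory $src" >&2; return 2; }
    { [ -d "$dest" ] && [ -w "$dest" ]; } ||
        { echo "audit-offload: $dest not writable" >&2; return 3; }
    name="audit-$(uname -n)-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    rc=0
    tar -C "$src" -czf "$dest/$name" . || rc=$?
    # GNU tar exits 1 when a file changed while being read, which is expected
    # for the live audit.log; anything higher is a real failure.
    [ "$rc" -le 1 ] || return 4
    ( cd "$dest" && sha256sum "$name" > "$name.sha256" ) || return 5
    ( cd "$dest" && sha256sum --status -c "$name.sha256" ) || return 6
    printf '%s\n' "$dest/$name"
}

main() {
    # Refuse to run if the media is absent: writing into an empty mount
    # directory would leave the "offload" on the same disk as the originals.
    if ! mountpoint -q "$OFFLOAD_MNT"; then
        logger -t audit-offload -p auth.err "media not mounted at $OFFLOAD_MNT"
        return 1
    fi
    if out=$(offload_audit_logs "$AUDIT_DIR" "$OFFLOAD_MNT"); then
        logger -t audit-offload -p auth.info "audit logs offloaded to $out"
    else
        logger -t audit-offload -p auth.err "offload to $OFFLOAD_MNT failed"
        return 1
    fi
}

# Run only when invoked under the installed name, so the functions can be
# sourced and tested without touching the real audit directory.
case "$0" in
    */audit-offload) main ;;
esac
```

cron runs /etc/cron.weekly through run-parts, which skips files that are not executable or whose names contain a dot, so the file must keep the name audit-offload with no extension.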
Additional Identifiers
Rule ID: SV-270817r1066940_rule
Vulnerability ID: V-270817
Group Title: SRG-OS-000479-GPOS-00224
CCIs
Number | Definition |
---|---|
CCI-001851 | Transfer audit logs per organization-defined frequency to a different system, system component, or media than the system or system component conducting the logging. |
Controls
Number | Title |
---|---|
AU-4(1) | Transfer to Alternate Storage |