Title

Cron logging must be implemented. (Cat II impact)

Discussion

Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.

Check Content

Verify that "rsyslog" is configured to log cron events. Check the configuration of "/etc/rsyslog.d/50-default.conf" for the cron facility with the following commands: Note: If another logging package is used, substitute the utility configuration file for "/etc/rsyslog.d/50-default.conf". # grep cron /etc/rsyslog.d/50-default.conf cron.* /var/log/cron.log If the commands do not return a response, check for cron logging all facilities by inspecting the "/etc/rsyslog.d/50-default.con" file: # more /etc/rsyslog.conf Look for the following entry: *.* /var/log/messages If "rsyslog" is not logging messages for the cron facility or all facilities, this is a finding.

Fix Text

Configure "rsyslog" to log all cron messages by adding or updating the following line to "/etc/rsyslog.d/50-default.conf": cron.* /var/log/cron.log Note: The line must be added before the following entry if it exists in "/etc/rsyslog.d/50-default.conf": *.* ~ # discards everything

Additional Identifiers

Rule ID: SV-90545r2_rule

Vulnerability ID: V-75865

Group Title:

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.