Title

Audit logs must be rotated daily. (Cat II impact)

Discussion

Rotate audit logs daily to preserve audit file system space and to conform to the DoD requirement. If it is not rotated daily and moved to another location, then there is more of a chance for the compromise of audit data by malicious users.

Check Content

Check for a crontab entry that rotates audit logs. # crontab -l If any cron job to rotate audit logs is found, this is not a finding. Otherwise, query the SA. If there is a process that automatically rotates audit logs, this is not a finding. If the SA manually rotates audit logs, this is still a finding, because if the SA is not there, it will not be accomplished. If the audit output is not archived daily, to tape or disk, this is a finding. This can be ascertained by looking at the audit log directory and, if more than one file is there, or if the file does not have today's date, this is a finding.

Fix Text

Configure a cron job or other automated process to rotate the audit logs on a daily basis.

Additional Identifiers

Rule ID: SV-38427r1_rule

Vulnerability ID: V-4357

Group Title: GEN002860

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.