Title

The Red Hat Enterprise Linux operating system must have cron logging implemented. (Cat II impact)

Discussion

Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.

Check Content

Verify that "rsyslog" is configured to log cron events. Check the configuration of "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files for the cron facility with the following command: Note: If another logging package is used, substitute the utility configuration file for "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files. # grep cron /etc/rsyslog.conf /etc/rsyslog.d/*.conf cron.* /var/log/cron If the command does not return a response, check for cron logging all facilities by inspecting the "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files. Look for the following entry: *.* /var/log/messages If "rsyslog" is not logging messages for the cron facility or all facilities, this is a finding.

Fix Text

Configure "rsyslog" to log all cron messages by adding or updating the following line to "/etc/rsyslog.conf" or a configuration file in the /etc/rsyslog.d/ directory: cron.* /var/log/cron The rsyslog daemon must be restarted for the changes to take effect: $ sudo systemctl restart rsyslog.service

Additional Identifiers

Rule ID: SV-204489r744109_rule

Vulnerability ID: V-204489

Group Title: SRG-OS-000480-GPOS-00227

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.