Check: GEN003160
SUSE Linux Enterprise Server v11 for System z STIG:
GEN003160
(in versions v1 r12 through v1 r9)
Title
Cron logging must be implemented. (Cat II impact)
Discussion
Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.
Check Content
By default, rsyslog includes configuration files found in the /etc/rsyslog.d directory. Check for the include directive” $IncludeConfig /etc/rsyslog.d/*.conf” in /etc/rsyslog.conf and then for the cron log configuration file. # grep rsyslog.d /etc/rsyslog.conf # grep cron /etc/rsyslog.d/*.conf OR # grep cron /etc/rsyslog.conf If cron logging is not configured, this is a finding. Check the configured cron log file found in the cron entry of /etc/syslog (normally /var/log/cron). # ls -lL /var/log/cron If this file does not exist, or is older than the last cron job, this is a finding.
Fix Text
Edit or create /etc/rsyslog.d/cron.conf and setup cron logging.
Additional Identifiers
Rule ID: SV-45615r1_rule
Vulnerability ID: V-982
Group Title: GEN003160
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-000126 |
The organization determines that the organization-defined subset of the auditable events defined in AU-2 are to be audited within the information system. |
Controls
| Number | Title |
|---|---|
| AU-2 |
Audit Events |