Check: TOSS-04-040590
Tri-Lab Operating System Stack (TOSS) 4 STIG:
TOSS-04-040590
(in versions v2 r1 through v1 r1)
Title
Cron logging must be implemented in TOSS. (Cat II impact)
Discussion
Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.
Check Content
Verify that "rsyslog" is configured to log cron events with the following command: Note: If another logging package is used, substitute the utility configuration file for "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files. $ sudo grep -r cron /etc/rsyslog.conf /etc/rsyslog.d /etc/rsyslog.conf:*.info;mail.none;authpriv.none;cron.none /var/log/messages /etc/rsyslog.conf:# Log cron stuff /etc/rsyslog.conf:cron.* /var/log/cron If the command does not return a response, check for cron logging all facilities with the following command. $ sudo grep -r /var/log/messages /etc/rsyslog.conf /etc/rsyslog.d /etc/rsyslog.conf:*.info;mail.none;authpriv.none;cron.none /var/log/messages If "rsyslog" is not logging messages for the cron facility or all facilities, this is a finding.
Fix Text
Configure "rsyslog" to log all cron messages by adding or updating the following line to "/etc/rsyslog.conf" or a configuration file in the /etc/rsyslog.d/ directory: cron.* /var/log/cron The rsyslog daemon must be restarted for the changes to take effect: $ sudo systemctl restart rsyslog.service
Additional Identifiers
Rule ID: SV-253101r991589_rule
Vulnerability ID: V-253101
Group Title: SRG-OS-000480-GPOS-00227
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000366 |
Implement the security configuration settings. |
Controls
Number | Title |
---|---|
CM-6 |
Configuration Settings |