Check: PHTN-67-000059
VMware vSphere 6.7 Photon OS STIG:
PHTN-67-000059
(in versions v1 r6 through v1 r1)
Title
The Photon operating system must configure a cron job to rotate auditd logs daily. (Cat II impact)
Discussion
Audit logs are most useful when accessible by date, rather than size. This can be accomplished through a combination of an audit log rotation cron job, setting a reasonable number of logs to keep and configuring auditd to not rotate the logs on its own. This ensures that audit logs are accessible to the ISSO in the event of a central log processing failure.
Check Content
At the command line, execute the following command:

# cat /etc/cron.daily/audit-rotate

Expected result:

#!/bin/bash
service auditd rotate

If the output of the command does not match the expected result, this is a finding.
Fix Text
If /etc/cron.daily/audit-rotate does not exist, run the following commands:

# touch /etc/cron.daily/audit-rotate
# chown root:root /etc/cron.daily/audit-rotate
# chmod 0700 /etc/cron.daily/audit-rotate

Open /etc/cron.daily/audit-rotate with a text editor. Set its contents as follows:

#!/bin/bash
service auditd rotate
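The check and fix above can be combined into one scripted audit. The following is an added example, not part of the STIG text: it compares the file to the expected result and goes beyond the Check Content by also verifying the ownership and mode that the Fix Text sets. The function name and its optional second argument are hypothetical, and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: audit the rotation script described in PHTN-67-000059.
# Usage: check_audit_rotate [FILE] [UID:GID]
# Prints one line per finding; returns 0 when compliant, 1 otherwise.
check_audit_rotate() {
    car_file="${1:-/etc/cron.daily/audit-rotate}"
    # Numeric 0:0 is root:root; the override exists only so the function
    # can be exercised on a scratch file without root (assumption).
    car_owner="${2:-0:0}"
    car_expected=$(printf '#!/bin/bash\nservice auditd rotate')
    car_findings=0

    if [ ! -f "$car_file" ]; then
        echo "FINDING: $car_file does not exist"
        return 1
    fi

    # Check Content: the file must match the expected result exactly.
    # Command substitution drops only trailing newlines, so extra
    # commands or a changed interpreter line are still detected.
    if [ "$(cat "$car_file")" != "$car_expected" ]; then
        echo "FINDING: contents of $car_file differ from the expected result"
        car_findings=1
    fi

    # Fix Text: chown root:root
    car_actual_owner=$(stat -c '%u:%g' "$car_file")
    if [ "$car_actual_owner" != "$car_owner" ]; then
        echo "FINDING: owner is $car_actual_owner, expected $car_owner"
        car_findings=1
    fi

    # Fix Text: chmod 0700
    car_actual_mode=$(stat -c '%a' "$car_file")
    if [ "$car_actual_mode" != "700" ]; then
        echo "FINDING: mode is $car_actual_mode, expected 700"
        car_findings=1
    fi

    return "$car_findings"
}
```

Run as root, `check_audit_rotate` with no arguments audits /etc/cron.daily/audit-rotate against root:root and mode 0700.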
Additional Identifiers
Rule ID: SV-239130r877391_rule
Vulnerability ID: V-239130
Group Title: SRG-OS-000341-GPOS-00132
CCIs
Number | Definition |
---|---|
CCI-001849 | The organization allocates audit record storage capacity in accordance with organization-defined audit record storage requirements. |
Controls
Number | Title |
---|---|
AU-4 | Audit Storage Capacity |