← Back to Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide

V-282748

CAT II (Medium)

TOSS 5 must use cron logging.

Rule ID

SV-282748r1201388_rule

STIG

Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000366

Discussion

Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.

Check Content

Verify "rsyslog" is configured to log cron events using the following command:

Note: If another logging package is used, substitute the utility configuration file for "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files.

$ sudo grep -s cron /etc/rsyslog.conf /etc/rsyslog.d/*.conf

/etc/rsyslog.conf:*.info;mail.none;authpriv.none;cron.none                          /var/log/messages
/etc/rsyslog.conf:cron.*                                                           /var/log/cron             

If the command does not return a response, check for cron logging all facilities using the following command:

$ sudo grep -s /var/log/messages /etc/rsyslog.conf /etc/rsyslog.d/*.conf

/etc/rsyslog.conf:*.info;mail.none;authpriv.none;cron.none                          /var/log/messages

If "rsyslog" is not logging messages for the cron facility or all facilities, this is a finding.

Fix Text

Configure "rsyslog" to log all cron messages by adding or updating the following line to "/etc/rsyslog.conf" or a configuration file in the /etc/rsyslog.d/ directory:

cron.* /var/log/cron

Restart the rsyslog daemon for the changes to take effect.

$ sudo systemctl restart rsyslog.service