Ensure cron Is Logging To Rsyslog

An XCCDF Rule

Description

Cron logging must be implemented to spot intrusions or trace cron job status. If cron is not logging to rsyslog, it can be implemented by adding the following to the RULES section of /etc/rsyslog.conf:

cron.*                                                  /var/log/cron

Rationale

Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.

ID: xccdf_org.ssgproject.content_rule_rsyslog_cron_logging
Severity: Medium
References: 1 14 15 16 3 5 6

APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01

CCI-000366

4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4

SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1

0988 1405

A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.15.2.1 A.15.2.2

CM-6(a)

ID.SC-4 PR.PT-1

FAU_GEN.1.1.c

SRG-OS-000480-GPOS-00227

OL08-00-030010

SV-248723r779735_rule
Updated: about 1 year ago

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if ! grep -s "^\s*cron\.\*\s*/var/log/cron$" /etc/rsyslog.conf /etc/rsyslog.d/*.conf; then
	mkdir -p /etc/rsyslog.d
	echo "cron.*	/var/log/cron" >> /etc/rsyslog.d/cron.conffi

systemctl restart rsyslog.service

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ensure cron Is Logging To Rsyslog

Description

Rationale

Remediation - Shell Script