Ensure cron Is Logging To Rsyslog

An XCCDF Rule

Description

Cron logging must be implemented to spot intrusions or trace cron job status. If cron is not logging to rsyslog, it can be implemented by adding the following to the RULES section of /etc/rsyslog.conf: If the legacy syntax is used:

cron.*                                                  /var/log/cron

If the modern syntax (RainerScript) is used:

cron.* action(type="omfile" file="/var/log/cron")

Rationale

Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.

ID: xccdf_org.ssgproject.content_rule_rsyslog_cron_logging
Severity: Medium
References: 1 14 15 16 3 5 6

APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01

CCI-000366

4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4

SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1

0988 1405

A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.15.2.1 A.15.2.2

CM-6(a)

ID.SC-4 PR.PT-1

SRG-OS-000480-GPOS-00227
Updated: 5 days ago

- name: Gather the package facts
  package_facts:
    manager: auto
  tags:
  - NIST-800-53-CM-6(a)
  - configure_strategy  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_cron_logging

- name: Ensure cron Is Logging To Rsyslog - Search if cron configuration exists
  ansible.builtin.command: grep -s "^\s*cron\.\*\s*/var/log/cron$" /etc/rsyslog.conf
    /etc/rsyslog.d/*.conf
  register: cron_log_config_exists
  failed_when: false
  when: '"kernel" in ansible_facts.packages'
  tags:
  - NIST-800-53-CM-6(a)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_cron_logging

- name: Ensure cron Is Logging To Rsyslog - Ensure the /etc/rsyslog.d directory exists
  ansible.builtin.file:
    path: /etc/rsyslog.d
    state: directory
  when: '"kernel" in ansible_facts.packages'
  tags:
  - NIST-800-53-CM-6(a)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_cron_logging

- name: Ensure cron Is Logging To Rsyslog - Add cron log configuration line
  ansible.builtin.lineinfile:
    path: /etc/rsyslog.d/cron.conf
    line: cron.*  /var/log/cron
    create: true
  when:
  - '"kernel" in ansible_facts.packages'
  - cron_log_config_exists.stdout_lines | length == 0
  tags:
  - NIST-800-53-CM-6(a)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_cron_logging

- name: Ensure cron Is Logging To Rsyslog - Restart the rsyslog service now
  ansible.builtin.service:
    name: rsyslog
    state: restarted
  when: '"kernel" in ansible_facts.packages'
  tags:
  - NIST-800-53-CM-6(a)
  - configure_strategy
  - low_complexity
  - low_disruption
  - medium_severity
  - no_reboot_needed
  - rsyslog_cron_logging

# Remediation is applicable only in certain platforms
if rpm --quiet -q kernel; then

if ! grep -s "^\s*cron\.\*\s*/var/log/cron$" /etc/rsyslog.conf /etc/rsyslog.d/*.conf; then
	mkdir -p /etc/rsyslog.d
	echo "cron.*	/var/log/cron" >> /etc/rsyslog.d/cron.conffi

if [[ "$OSCAP_BOOTC_BUILD" != "YES" ]] ; then
    systemctl restart rsyslog.service
fi

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ensure cron Is Logging To Rsyslog

Description

Rationale

Remediation - Ansible

Remediation - Shell Script