Ensure cron Is Logging To Rsyslog

An XCCDF Rule

Description

Cron logging must be implemented to spot intrusions or trace cron job status. If cron is not logging to rsyslog, it can be implemented by adding the following to the RULES section of /etc/rsyslog.conf:

cron.*                                                  /var/log/cron

Rationale

Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.

ID: xccdf_org.ssgproject.content_rule_rsyslog_cron_logging
Severity: Medium
References: 1 14 15 16 3 5 6

APO10.01 APO10.03 APO10.04 APO10.05 APO11.04 BAI03.05 DSS05.04 DSS05.07 MEA01.01 MEA01.02 MEA01.03 MEA01.04 MEA01.05 MEA02.01

CCI-000366

4.3.2.6.7 4.3.3.3.9 4.3.3.5.8 4.3.4.4.7 4.4.2.1 4.4.2.2 4.4.2.4

SR 2.10 SR 2.11 SR 2.12 SR 2.8 SR 2.9 SR 6.1

0988 1405

A.12.4.1 A.12.4.2 A.12.4.3 A.12.4.4 A.12.7.1 A.15.2.1 A.15.2.2

CM-6(a)

ID.SC-4 PR.PT-1

FAU_GEN.1.1.c

SRG-OS-000480-GPOS-00227

RHEL-07-021100

SV-204489r744109_rule

CCE-80380-9
Updated: about 1 year ago

# Remediation is applicable only in certain platforms
if [ ! -f /.dockerenv ] && [ ! -f /run/.containerenv ]; then

if ! grep -s "^\s*cron\.\*\s*/var/log/cron$" /etc/rsyslog.conf /etc/rsyslog.d/*.conf; then
	mkdir -p /etc/rsyslog.d
	echo "cron.*	/var/log/cron" >> /etc/rsyslog.d/cron.conffi

systemctl restart rsyslog.service

else
    >&2 echo 'Remediation is not applicable, nothing was done'
fi

Ensure cron Is Logging To Rsyslog

Description

Rationale

Remediation - Shell Script