{"description": "Cron logging must be implemented to spot intrusions or trace\ncron job status. If <tt>cron</tt> is not logging to <tt>rsyslog</tt>, it\ncan be implemented by adding the following to the <i>RULES</i> section of\n<tt>/etc/rsyslog.conf</tt>:\nIf the legacy syntax is used:\n<pre>cron.*                                                  /var/log/cron</pre>\nIf the modern syntax (RainerScript) is used:\n<pre>cron.* action(type=\"omfile\" file=\"/var/log/cron\")</pre>", "rationale": "Cron logging can be used to trace the successful or unsuccessful execution\nof cron jobs. It can also be used to spot intrusions into the use of the cron\nfacility by unauthorized and malicious users.", "severity": "medium", "references": {"cis-csc": ["1", "14", "15", "16", "3", "5", "6"], "cobit5": ["APO10.01", "APO10.03", "APO10.04", "APO10.05", "APO11.04", "BAI03.05", "DSS05.04", "DSS05.07", "MEA01.01", "MEA01.02", "MEA01.03", "MEA01.04", "MEA01.05", "MEA02.01"], "isa-62443-2009": ["4.3.2.6.7", "4.3.3.3.9", "4.3.3.5.8", "4.3.4.4.7", "4.4.2.1", "4.4.2.2", "4.4.2.4"], "isa-62443-2013": ["SR 2.10", "SR 2.11", "SR 2.12", "SR 2.8", "SR 2.9", "SR 6.1"], "iso27001-2013": ["A.12.4.1", "A.12.4.2", "A.12.4.3", "A.12.4.4", "A.12.7.1", "A.15.2.1", "A.15.2.2"], "nist": ["CM-6(a)"], "nist-csf": ["ID.SC-4", "PR.PT-1"], "srg": ["SRG-OS-000480-GPOS-00227"], "ism": ["0988", "1405"]}, "control_references": {"ism": ["0988", "1405"]}, "components": [], "identifiers": {}, "ocil_clause": "cron is not logging to rsyslog", "ocil": "To verify that <tt>cron</tt> is logging to <tt>rsyslog</tt>,\nrun the following command:\n<pre>grep -rni \"cron\\.\\*\" /etc/rsyslog.*</pre>\n<pre>cron.*                                                  /var/log/cron</pre>\nor\n<pre>cron.* action(type=\"omfile\" file=\"/var/log/cron\")</pre>", "oval_external_content": null, "fixtext": "Configure \"rsyslog\" to log all cron messages by adding or updating the following line to \"/etc/rsyslog.conf\" or a configuration file in 
the /etc/rsyslog.d/ directory:\n\ncron.* /var/log/cron\n\nThe rsyslog daemon must be restarted for the changes to take effect:\n$ sudo systemctl restart rsyslog.service", "checktext": "", "vuldiscussion": "", "srg_requirement": "Cron logging must be implemented in Ubuntu 22.04", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must use cron logging.", "vuldiscussion": "Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.", "checktext": "Verify that \"rsyslog\" is configured to log cron events with the following command:\n\nNote: If another logging package is used, substitute the utility configuration file for \"/etc/rsyslog.conf\" or \"/etc/rsyslog.d/*.conf\" files.\n\n$ grep -s cron /etc/rsyslog.conf /etc/rsyslog.d/*.conf\n\n/etc/rsyslog.conf:*.info;mail.none;authpriv.none;cron.none /var/log/messages\n/etc/rsyslog.conf:cron.* /var/log/cron\n\nIf the command does not return a response, check for cron logging all facilities with the following command:\n\n$ logger -p local0.info \"Test message for all facilities.\"\n\nCheck the logs for the test message with:\n\n$ sudo tail /var/log/messages\n\nIf \"rsyslog\" is not logging messages for the cron facility or all facilities, this is a finding.", "fixtext": "Configure \"rsyslog\" to log all cron messages by adding or updating the following line to \"/etc/rsyslog.conf\" or a configuration file in the /etc/rsyslog.d/ directory:\n\ncron.* /var/log/cron\n\nThe rsyslog daemon must be restarted for the changes to take effect:\n\n$ sudo systemctl restart rsyslog.service"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[rsyslog]", "system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_rsyslog", "system_with_kernel"], "bash_conditional": 
null, "fixes": {}, "title": "Ensure cron Is Logging To Rsyslog", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/logging/ensure_rsyslog_log_file_configuration/rsyslog_cron_logging/rule.yml", "template": null}