{"description": "The operating system must have a crontab script running weekly to\noffload audit events of standalone systems.", "rationale": "Information stored in one location is vulnerable to accidental or\nincidental deletion or alteration.\nOffloading is a common process in information systems with limited\naudit storage capacity.", "severity": "medium", "references": {"srg": ["SRG-OS-000479-GPOS-00224"], "stigid": ["UBTU-22-651035"], "stigref": ["SV-260587r959008_rule"]}, "control_references": {"stigid": ["UBTU-22-651035"]}, "components": [], "identifiers": {}, "ocil_clause": "Cron job has not been configured to offload audit logs to external media", "ocil": "Verify there is a script that offloads audit data and that script runs\nweekly.\nCheck if there is a script in the \"/etc/cron.weekly\" directory that\noffloads audit data:\n<pre># sudo ls /etc/cron.weekly\naudit-offload</pre>\nCheck if the script inside the file does offloading of audit logs to\nexternal media.\nIf the script file does not exist or does not offload audit logs, this\nis a finding.", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "Due to different needs and possibilities, automated remediation is not\navailable for this configuration check."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel", "package[audit]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_audit", "system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Offload audit Logs to External Media", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/configure_auditd_data_retention/auditd_offload_logs/rule.yml", "template": null}