RHEL 10 must use cron logging.

STIG ID: RHEL-10-200648  |  SRG: SRG-OS-000040-GPOS-00018 |  Severity: medium (CAT II)  |  CCI: CCI-000133 |  Vulnerability Id: V-280991

Vulnerability Discussion

Cron logging can be used to trace the successful or unsuccessful execution of cron jobs. It can also be used to spot intrusions into the use of the cron facility by unauthorized and malicious users.

Check

Verify RHEL 10 rsyslog is configured to log cron events with the following command:

Note: If another logging package is used, substitute the utility configuration file for "/etc/rsyslog.conf" or "/etc/rsyslog.d/*.conf" files.

$ sudo grep -s cron /etc/rsyslog.conf /etc/rsyslog.d/*.conf
/etc/rsyslog.conf:*.info;mail.none;authpriv.none;cron.none /var/log/messages
/etc/rsyslog.conf:cron.* /var/log/cron

If the command does not return a response, check for cron logging all facilities with the following command:

$ logger -p local0.info "Test message for all facilities."

Check the logs for the test message with the following:

$ sudo tail /var/log/messages

If "rsyslog" is not logging messages for the cron facility or all facilities, this is a finding.

Fix

Configure RHEL 10 rsyslog to log all cron messages by adding or updating the following line to "/etc/rsyslog.conf" or a configuration file in the "/etc/rsyslog.d/" directory:

cron.* /var/log/cron

Restart the rsyslog daemon with the following command for the changes to take effect:

$ sudo systemctl restart rsyslog.service
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.