Vulnerability Discussion
Information stored in one location is vulnerable to accidental or incidental deletion or alteration.
Offloading is a common process in information systems with limited audit storage capacity.
Check
Verify there is a script that offloads audit data and that script runs weekly by using the following command:
Note: If the system is not connected to a network, this requirement is not applicable.
$ ls /etc/cron.weekly
<audit_offload_script_name>
Check if the script inside the file does offloading of audit logs to external media.
If the script file does not exist or does not offload audit logs, this is a finding.
Fix
Create a script that offloads audit logs to external media and runs weekly.
The script must be located in the "/etc/cron.weekly" directory.