Ubuntu 24.04 LTS must have a crontab script running weekly to offload audit events of standalone systems.

STIG ID: UBTU-24-900950  |  SRG: SRG-OS-000479-GPOS-00224 |  Severity: low |  CCI: CCI-001851 |  Vulnerability Id: V-270817

Vulnerability Discussion

Information stored in one location is vulnerable to accidental or incidental deletion or alteration.

Offloading is a common process in information systems with limited audit storage capacity.

Check

Note: If this is an interconnected system, this is not applicable.

Verify there is a script that offloads audit data and that script runs weekly with the following command:

$ ls /etc/cron.weekly
audit-offload

Check if the script inside the file offloads audit logs to external media.

If the script file does not exist or does not offload audit logs, this is a finding.

Fix

Create a script that offloads audit logs to external media and runs weekly.

The script must be located in the "/etc/cron.weekly" directory.
This website is not created by, run, approved, or endorsed by the U.S. Department of Defense. Use at your own risk. This website is created by open-source software.