STIGQter: STIG Summary: Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide Version: 1 Release: 1 Benchmark Date: 10 Mar 2021:

The Ubuntu operating system must have a crontab script running weekly to offload audit events of standalone systems.

DISA Rule

SV-238321r654138_rule

Vulnerability Number

V-238321

Group Title

SRG-OS-000479-GPOS-00224

Rule Version

UBTU-20-010300

Severity

CAT III

CCI(s)

• CCI-001851 - The information system off-loads audit records per organization-defined frequency onto a different system or media than the system being audited.

Weight

10

Fix Recommendation

Create a script that offloads audit logs to external media and runs weekly.

The script must be located in the "/etc/cron.weekly" directory.

Check Contents

Note: If this is an interconnected system, this is Not Applicable.

Verify there is a script that offloads audit data and that script runs weekly.

Check if there is a script in the "/etc/cron.weekly" directory that offloads audit data:

# sudo ls /etc/cron.weekly

audit-offload

Check if the script inside the file does offloading of audit logs to external media.

If the script file does not exist or does not offload audit logs, this is a finding.

Vulnerability Number

V-238321

Documentable

False

Rule Version

UBTU-20-010300

Severity Override Guidance

Note: If this is an interconnected system, this is Not Applicable.

Verify there is a script that offloads audit data and that script runs weekly.

Check if there is a script in the "/etc/cron.weekly" directory that offloads audit data:

# sudo ls /etc/cron.weekly

audit-offload

Check if the script inside the file does offloading of audit logs to external media.

If the script file does not exist or does not offload audit logs, this is a finding.

Check Content Reference

M

Target Key

5318

Comments