UCF STIG Viewer Logo

The Photon operating system must configure a cron job to rotate auditd logs daily.


Overview

Finding ID Version Rule ID IA Controls Severity
V-239130 PHTN-67-000059 SV-239130r675198_rule Medium
Description
Audit logs are most useful when accessible by date, rather than size. This can be accomplished through a combination of an audit log rotation cron job, setting a reasonable number of logs to keep and configuring auditd to not rotate the logs on its own. This ensures that audit logs are accessible to the ISSO in the event of a central log processing failure.
STIG Date
VMware vSphere 6.7 Photon OS Security Technical Implementation Guide 2022-01-03

Details

Check Text ( C-42341r675196_chk )
At the command line, execute the following command:

# cat /etc/cron.daily/audit-rotate

Expected result:

#!/bin/bash
service auditd rotate

If the output of the command does not match the expected result, this is a finding.
Fix Text (F-42300r675197_fix)
If /etc/cron.daily/audit-rotate does not exist, run the following commands:

# touch /etc/cron.daily/audit-rotate
# chown root:root /etc/cron.daily/audit-rotate
# chmod 0700 /etc/cron.daily/audit-rotate

Open /etc/cron.daily/audit-rotate with a text editor.

Set its contents as follows:

#!/bin/bash
service auditd rotate