Ubuntu 22.04 LTS must have a crontab script running weekly to offload audit events of standalone systems.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-260587 | UBTU-22-651035 | SV-260587r959008_rule | CCI-001851 | low |
| Description | ||||
| Information stored in one location is vulnerable to accidental or incidental deletion or alteration. Offloading is a common process in information systems with limited audit storage capacity. | ||||
| STIG | Date | |||
| Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide | 2025-05-16 | |||
Related Frameworks
2 paths across 2 frameworks
Related Frameworks
NIST 800-531 mapping
AU-4(1)
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
CCI1 mapping
CCI-001851
1.00
- DISA · 2 · disa_xccdf · related
Details
Check Text (C-260587r959008_chk)
Verify there is a script that offloads audit data and that script runs weekly by using the following command:
Note: If the system is not connected to a network, this requirement is not applicable.
$ ls /etc/cron.weekly
<audit_offload_script_name>
Check if the script inside the file does offloading of audit logs to external media.
If the script file does not exist or does not offload audit logs, this is a finding.
Fix Text (F-64224r953573_fix)
Create a script that offloads audit logs to external media and runs weekly.
The script must be located in the "/etc/cron.weekly" directory.