← Rules Catalog
mediumauditverified ✓✓rollback-safe

Audit privileged execution of /usr/bin/crontab (Ubuntu)

audit-priv-crontab · UBUNTU ≥ 22 · 1 impl

Description

All uses of the /usr/bin/crontab command must generate an audit record so that cron-job changes can be traced to an individual.

Rationale

Auditing execution of privileged commands allows detection of misuse and supports forensic investigation of privilege escalation.

Check → Remediate

Checkaudit_rule_exists
rule:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab
Remediateaudit_rule_set
rule:
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=unset -k privileged-crontab
persist_file:
/etc/audit/rules.d/50-priv-crontab.rules

Framework references

STIG

V-270803 / UBTU-24-900320V-260610 / UBTU-22-654040

NIST 800-53

AU-2AU-12

Live verification

ubuntu22:checkubuntu24:checkubuntu24:remediate
#audit#auditd#privileged