Add description for 8.1.24

docs/harbian_audit_Debian_9_Benchmark_v0.1.mkd

@@ -181,6 +181,33 @@ Configure the operating system to generate audit records when successful/unsucce
 
 The audit daemon must be restarted for the changes to take effect.
 
+## 8.1.24 Recored crontab command usage (scored) 
+
+### Profile Applicability
+Level 4
+
+### Description
+All uses of the crontab command must be audited.
+
+### Rationale
+Reconstruction of harmful events or forensic analysis is not possible if audit records do not contain enough information. At a minimum, the organization must audit the full-text recording of privileged commands. The organization must maintain audit trails in sufficient detail to reconstruct events to determine the cause and impact of compromise.
+
+### Aduit
+Verify the operating system generates audit records when successful/unsuccessful attempts to use the "crontab" command occur. Check for the following system call being audited by performing the following command to check the file system rules in "/etc/audit/audit.rules": 
+```
+# grep -i /usr/bin/crontab /etc/audit/audit.rules
+-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron
+```
+If the command does not return any output, this is a finding.
+
+### Remediation
+Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "crontab" command occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
+```
+-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged-cron
+```
+
+The audit daemon must be restarted for the changes to take effect.
+
 ## 8.5 Verifies integrity all packages (scored) 
 
 ### Profile Applicability