4.1.3.11 Ensure session initiation information is collected

Information

Monitor session initiation events. The parameters in this section track changes to the files associated with session events.

/var/run/utmp - tracks all currently logged in users.

/var/log/wtmp - file tracks logins, logouts, shutdown, and reboot events.

/var/log/btmp - keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp.

All audit records will be tagged with the identifier 'session.'

Rationale:

Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).

Solution

Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor session initiation information.
Example:

# printf '
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
' >> /etc/audit/rules.d/50-session.rules

Merge and load the rules into active configuration:

# augenrules --load

Check if reboot is required.

# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules
'; fi

Additional Information:

Potential reboot required

If the auditing configuration is locked (-e 2), then augenrules will not warn in any way that rules could not be loaded into the running configuration. A system reboot will be required to load the rules into the running configuration.

System call structure

For performance (man 7 audit.rules) reasons it is preferable to have all the system calls on one line. However, your configuration may have them on one line each or some other combination. This is important to understand for both the auditing and remediation sections as the examples given are optimized for performance as per the man page.

NIST SP 800-53 Rev. 5:

AU-3

AU-3(1)

See Also

https://workbench.cisecurity.org/files/4115