4.1.5 Ensure session initiation information is collected - auditctl wtmp

Information

Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp tracks all currently logged in users. All audit records will be tagged with the identifier 'session.' The /var/log/wtmp file tracks logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp . All audit records will be tagged with the identifier 'logins.' Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).

Solution

Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules

Example:
vi /etc/audit/rules.d/logins.rules and add the following lines:

-w /var/run/utmp -p wa -k session
-w/var/log/wtmp -p wa -k logins
-w/var/log/btmp -p wa -k logins

See Also

https://workbench.cisecurity.org/files/2521

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12, CSCv7|4.9, CSCv7|16.13

Plugin: Unix

Control ID: d46f641c60403e46f9c80dddc5d5b8fb9a10f02e67f7e26b96eb1a30f3376f22