5.3.10 Collect Session Initiation Information - /var/log/wtmp

Information

Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file /var/run/utmp file tracks all currently logged in users. The /var/log/wtmp file tracks logins, logouts, shutdown and reboot events. All audit records will be tagged with the identifier 'session.'

Rationale:

Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).

Solution

Add the following lines to the /etc/audit/audit.rules file.

-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session

Execute the following command to restart auditd

# pkill -P 1-HUP auditd

Note: Use the last command to read /var/log/wtmp (last with no parameters) and /var/run/utmp (last -f /var/run/utmp)

Default Value:

OS Default: N/A

See Also

https://workbench.cisecurity.org/files/3096

Item Details

Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

References: 800-53|AC-2(12), 800-53|AU-3, CSCv7|4.9, CSCv7|16.13

Plugin: Unix

Control ID: 9451e8bc87dc140bf8b51ba2dfbb9e2f842a7d0292fd0f0f0da64d08067bb17b