8.1.9 Collect Session Initiation Information- '/var/log/btmp'

Information

Monitor session initiation events. The parameters in this section track changes to the files
associated with session events. The file /var/run/utmp file tracks all currently logged in
users. The /var/log/wtmp file tracks logins, logouts, shutdown and reboot events. All audit
records will be tagged with the identifier 'session.' The file /var/log/btmp keeps track of
failed login attempts and can be read by entering the command /usr/bin/last -f
/var/log/btmp. All audit records will be tagged with the identifier 'logins.'

*Rationale*

Monitoring these files for changes could alert a system administrator to logins occurring at
unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when
they do not normally log in).

Solution

Add the following lines to the /etc/audit/audit.rules file.-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
# Execute the following command to restart auditd
# pkill -HUP -P 1 auditdNote- Use the last command to read /var/log/wtmp (last with no parameters) and
/var/run/utmp (last -f /var/run/utmp)

See Also

https://workbench.cisecurity.org/files/91

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c.

Plugin: Unix

Control ID: c4a309bad4702a181423ca67951fde422b19945ae80854b9fd5555b02611b136