Detections
Analytics
4.1.9 Ensure session initiation information is collected - btmp
Information
Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).Solution
Add the following lines to the /etc/audit/audit.rules file:-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
Item Details
Audit Name: Huawei EulerOS 2 Workstation L2 v1.0
Category: AUDIT AND ACCOUNTABILITY
References: 800-53|AU-12, CSCv6|5.5, CSCv6|16.4, CSCv6|16.10
Plugin: Unix
Control ID: 66506dfc87fd0fa8a77e5ca624e50add376fc74fa443e3ad865e084360a73f50