4.1.9 Ensure session initiation information is collected - btmp - auditctl

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).

Solution

Add the following lines to the /etc/audit/audit.rules file:
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session

See Also

https://workbench.cisecurity.org/files/1857

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12, CSCv6|5.5, CSCv6|16.4, CSCv6|16.10

Plugin: Unix

Control ID: d17b942e944a9fac245a41f29b423e0394f2b0fc39e554e231c5047ac545b739