4.1.10 Ensure session initiation information is collected - wtmp

Information

Monitor session initiation events. The parameters in this section track changes to the files
associated with session events. The file /var/run/utmp tracks all currently logged in users.
All audit records will be tagged with the identifier "session." The /var/log/wtmp file tracks
logins, logouts, shutdown, and reboot events. The file /var/log/btmp keeps track of failed
login attempts and can be read by entering the command /usr/bin/last -f
/var/log/btmp . All audit records will be tagged with the identifier "logins."

Rationale:

Monitoring these files for changes could alert a system administrator to logins occurring at
unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when
they do not normally log in).

Solution

Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules
Example: vi /etc/audit/rules.d/audit.rules
and add the following lines:

-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k logins
-w /var/log/btmp -p wa -k logins


Notes:

The last command can be used to read /var/log/wtmp (last with no parameters) and
/var/run/utmp (last -f /var/run/utmp)

Reloading the auditd config to set active settings may require a system reboot.

See Also

https://workbench.cisecurity.org/files/2420