4.1.4 Ensure login and logout events are collected - lastlog


Monitor login and logout events. The rules below watch two files that record login activity: /var/log/faillog, which tracks failed login attempts, and /var/log/lastlog, which records the most recent successful login for each user. Any write to either file, or any change to its attributes, produces an audit record tagged with the key "logins". Monitoring these events gives a system administrator a record of user logins and login attempts that can be correlated with other audited activity; unexpected writes to these files can also indicate tampering with the login history.


Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules (for example: vi /etc/audit/rules.d/audit.rules) and add the following lines:

-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins

Reloading the auditd config to set active settings may require a system reboot.
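The following script is an added example for this control; it is not part of the benchmark text or of the Tenable plugin. The function name check_login_audit_rules and the sample rule files are chosen here for illustration. It checks a rules source written in auditctl syntax for the two watches above, and it can be pointed at either a file under /etc/audit/rules.d/ (what loads at boot) or a saved copy of auditctl -l (what the kernel is enforcing now); both are worth checking, because a rule that is on disk but not loaded audits nothing.

```shell
#!/bin/sh
# Added example, not part of the benchmark page or the Tenable plugin.
# check_login_audit_rules (name chosen here) verifies that the two watches
# this control requires are present in a rules source written in auditctl
# syntax: a file from /etc/audit/rules.d/ or a saved `auditctl -l` listing.

# Usage: check_login_audit_rules RULES_FILE
# Returns 0 when both watches are present with write and attribute-change
# permissions and the "logins" key, 1 otherwise (printing what is missing).
check_login_audit_rules() {
    rules_input="$1"
    missing=0
    for path in /var/log/faillog /var/log/lastlog; do
        # Normalise whitespace so spacing differences do not hide a match.
        # The -p set may list w and a in either order; the key may appear as
        # "-k logins" (rules.d form) or "-F key=logins" (also accepted by
        # auditctl), so both spellings are tolerated.
        if ! sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
                 -e 's/[[:space:]]\{1,\}/ /g' "$rules_input" \
           | grep -Eq "^-w $path -p ([rwxa]*w[rwxa]*a[rwxa]*|[rwxa]*a[rwxa]*w[rwxa]*) (-k logins|-F key=logins)$"; then
            echo "MISSING: -w $path -p wa -k logins (in $rules_input)"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample inputs (not captured from a real system) so the check
# runs offline. good.rules matches the remediation; bad.rules lacks the
# faillog watch and omits the attribute-change permission on lastlog.
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
GOOD_RULES="$sample_dir/good.rules"
BAD_RULES="$sample_dir/bad.rules"
cat > "$GOOD_RULES" <<'EOF'
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
EOF
cat > "$BAD_RULES" <<'EOF'
-w /var/log/lastlog -p w -k logins
EOF

check_login_audit_rules "$GOOD_RULES" && echo "good.rules: PASS"
check_login_audit_rules "$BAD_RULES" || echo "bad.rules: FAIL"

# On a real host (as root), also check the rules the kernel has loaded:
#   auditctl -l > "$sample_dir/loaded.rules" && check_login_audit_rules "$sample_dir/loaded.rules"
```

Run it against each file in /etc/audit/rules.d/ and against the output of auditctl -l; a pass on disk but a failure on the loaded rules means the new file has not been loaded yet (augenrules --load, or a reboot if the rules are locked with -e 2).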

Item Details


References: 800-53|AU-3, CSCv7|4.9

Plugin: Unix

Control ID: 839bbe479fe92f3e79474f5abeef41086403c5b26495c024282f2184fc16af33