Detections
Analytics

6.2.3.11 Ensure session initiation information is collected

Information

Monitor session initiation events. The parameters in this section track changes to the files associated with session events.

 - /var/run/utmp - tracks all currently logged in users.
 - /var/log/wtmp - file tracks logins, logouts, shutdown, and reboot events.
 - /var/log/btmp - keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp.

All audit records will be tagged with the identifier "session."

Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).

Solution

Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor session initiation information.

Example:

# printf "
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
" >> /etc/audit/rules.d/50-session.rules

Merge and load the rules into active configuration:

# augenrules --load

Check if reboot is required.

# if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi

See Also

https://workbench.cisecurity.org/benchmarks/24330

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-3, 800-53|AU-3(1), 800-53|AU-7, 800-53|AU-12, CSCv7|4.9, CSCv7|16.13, Rule-ID|SV-238315r991581_rule, Rule-ID|SV-238316r991581_rule, Rule-ID|SV-238317r991581_rule, Rule-ID|SV-260641r991581_rule, Rule-ID|SV-260642r991581_rule, Rule-ID|SV-260643r991581_rule, STIG-ID|UBTU-20-010277, STIG-ID|UBTU-20-010278, STIG-ID|UBTU-20-010279, STIG-ID|UBTU-22-654195, STIG-ID|UBTU-22-654200, STIG-ID|UBTU-22-654205

Plugin: Unix

Control ID: 93ad2c913417a2fc99d020b7ec2ce451465a95600807fc5f5dee23f7e469c999