Record Attempts to Alter Process and Session Initiation Information
An XCCDF Rule
Description
The audit system already collects process information for all
users and root. If the auditd
daemon is configured to use the
augenrules
program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules
in the
directory /etc/audit/rules.d
in order to watch for attempted manual
edits of files involved in storing such process information:
-w /var/run/utmp -p wa -k session -w /var/log/btmp -p wa -k session -w /var/log/wtmp -p wa -k sessionIf the
auditd
daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules
file in order to watch for attempted manual
edits of files involved in storing such process information:
-w /var/run/utmp -p wa -k session -w /var/log/btmp -p wa -k session -w /var/log/wtmp -p wa -k session
Rationale
Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.
- ID
- xccdf_org.ssgproject.content_rule_audit_rules_session_events
- Severity
- Medium
- References
- Updated
Remediation - Kubernetes Patch
---
apiVersion: machineconfiguration.openshift.io/v1
kind: MachineConfig
spec: