Skip to content

Record Attempts to Alter Logon and Logout Events

An XCCDF Rule

Description

The audit system already collects login information for all users and root. If the auditd daemon is configured to use the augenrules program to read audit rules during daemon startup (the default), add the following lines to a file with suffix .rules in the directory /etc/audit/rules.d in order to watch for attempted manual edits of files involved in storing logon events:

-w /var/log/tallylog -p wa -k logins
-w  -p wa -k logins
-w /var/log/lastlog -p wa -k logins
If the auditd daemon is configured to use the auditctl utility to read audit rules during daemon startup, add the following lines to /etc/audit/audit.rules file in order to watch for unattempted manual edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
-w  -p wa -k logins
-w /var/log/lastlog -p wa -k logins

warning alert: Warning

This rule checks for multiple syscalls related to login events; it was written with DISA STIG in mind. Other policies should use a separate rule for each syscall that needs to be checked. For example:
  • audit_rules_login_events_tallylog
  • audit_rules_login_events_faillock
  • audit_rules_login_events_lastlog

Rationale

Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.

ID
xccdf_org.ssgproject.content_rule_audit_rules_login_events
Severity
Medium
References
Updated