Title

The audit system must be configured to audit login, logout, and session initiation. (Cat II impact)

Discussion

If the system is not configured to audit certain activities and write them to an audit log, it is more difficult to detect and track system compromises and damages incurred during a system compromise.

Check Content

The message types that are always recorded to /var/log/audit/audit.log include LOGIN,USER_LOGIN,USER_START,USER_END among others and do not need to be added to audit_rules. The log files /var/log/faillog and /var/log/lastlog must be protected from tampering of the login records. Procedure: # egrep "faillog|lastlog" /etc/audit/audit.rules|grep -e "-p (wa|aw)" If both /var/log/faillog and /var/log/lastlog entries do not exist, this is a finding.

Fix Text

Ensure logins Procedure: Modify /etc/audit/audit.rules to contain: -w /var/log/faillog -p wa -w /var/log/lastlog -p wa Restart the auditd service. # rcauditd restart OR # service auditd restart

Additional Identifiers

Rule ID: SV-45340r1_rule

Vulnerability ID: V-818

Group Title: GEN002800

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.