-
Notifications
You must be signed in to change notification settings - Fork 671
/
rule.yml
54 lines (44 loc) · 2.05 KB
/
rule.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
documentation_complete: true
title: 'Record Attempts to Alter Logon and Logout Events - faillog'
description: |-
The audit system already collects login information for all users
and root. If the <tt>auditd</tt> daemon is configured to use the
<tt>augenrules</tt> program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix <tt>.rules</tt> in the
directory <tt>/etc/audit/rules.d</tt> in order to watch for attempted manual
edits of files involved in storing logon events:
<pre>-w /var/log/faillog -p wa -k logins</pre>
If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
utility to read audit rules during daemon startup, add the following lines to
<tt>/etc/audit/audit.rules</tt> file in order to watch for unattempted manual
edits of files involved in storing logon events:
<pre>-w /var/log/faillog -p wa -k logins</pre>
rationale: |-
Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion.
severity: medium
identifiers:
cce@sle12: CCE-83192-5
cce@sle15: CCE-92576-8
references:
cis@sle12: 4.1.7
cis@sle15: 4.1.7
cis@ubuntu2004: 4.1.7
disa: CCI-000130,CCI-000169,CCI-000172,CCI-002884
nist@sle12: AU-3,AU-12(a),AU-12(c),MA-4(1)(a)
srg: SRG-OS-000037-GPOS-00015
stigid@sle12: SLES-12-020760
stigid@ubuntu2004: UBTU-20-010170
stigid@ubuntu2204: UBTU-22-654210
ocil_clause: 'there is no output'
ocil: |-
To verify that auditing is configured for system administrator actions, run the following command:
Configure the operating system to generate an audit record for any all modifications to the "faillog" file occur.
Add or update the following rules in the "/etc/audit/audit.rules" file:
-w /var/log/faillog -p wa -k logins
The audit daemon must be restarted for the changes to take effect.
# sudo systemctl restart auditd.service
template:
name: audit_rules_login_events
vars:
path: /var/log/faillog