diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events_utmp/ansible/shared.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events_utmp/ansible/shared.yml
new file mode 100644
index 00000000000..245b84d6ce8
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events_utmp/ansible/shared.yml
@@ -0,0 +1,8 @@
+# platform = multi_platform_sle
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ ansible_audit_augenrules_add_watch_rule(path='/run/utmp', permissions='wa', key='session') }}}
+{{{ ansible_audit_auditctl_add_watch_rule(path='/run/utmp', permissions='wa', key='session') }}}
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events_utmp/bash/shared.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events_utmp/bash/shared.sh
new file mode 100644
index 00000000000..3bc4df70b9d
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events_utmp/bash/shared.sh
@@ -0,0 +1,9 @@
+# platform = multi_platform_sle
+
+# Include source function library.
+. /usr/share/scap-security-guide/remediation_functions
+
+# Perform the remediation
+# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+fix_audit_watch_rule "auditctl" "/run/utmp" "wa" "session"
+fix_audit_watch_rule "augenrules" "/run/utmp" "wa" "session"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events_utmp/rule.yml b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events_utmp/rule.yml
new file mode 100644
index 00000000000..41220719b4f
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events_utmp/rule.yml
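Review bot: The bash remediation header in shared.sh declares only `# platform = multi_platform_sle`, while the ansible counterpart added in the same commit also declares `# reboot = true`, `# strategy = restrict`, `# complexity = low` and `# disruption = low`, so the two remediations for one rule advertise different metadata and the bash variant presumably falls back to whatever defaults the build applies for the missing keys. Adding the same four header lines directly under the platform line keeps the pair consistent. The two adjacent comments `# Perform the remediation` and `# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'` say the same thing; keeping only the second reads cleaner.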
@@ -0,0 +1,48 @@
+documentation_complete: true
+
+prodtype: sle15
+
+title: 'Record Attempts to Alter Process and Session Initiation Information utmp'
+
+description: |-
+ The audit system already collects process information for all
+ users and root. If the auditd daemon is configured to use the
+ augenrules program to read audit rules during daemon startup (the
+ default), add the following lines to a file with suffix .rules in the
+ directory /etc/audit/rules.d in order to watch for attempted manual
+ edits of files involved in storing such process information:
+
-w /run/utmp -p wa -k session
+ If the auditd daemon is configured to use the auditctl
+ utility to read audit rules during daemon startup, add the following lines to
+ /etc/audit/audit.rules file in order to watch for attempted manual
+ edits of files involved in storing such process information:
+
-w /run/utmp -p wa -k session
+
+rationale: |-
+ Manual editing of these files may indicate nefarious activity, such
+ as an attacker attempting to remove evidence of an intrusion.
+
+severity: medium
+
+identifiers:
+ cce@sle15: CCE-85714-4
+
+references:
+ stigid@sle15: SLES-15-030760
+ srg: SRG-OS-000472-GPOS-00217
+ disa: CCI-000172
+ nist: AU-12(c),AU-12.1(iv)
+
+ocil_clause: 'Audit rule is not present'
+
+ocil: |-
+ To Check the file is being audited by performing the following command
+
 sudo auditctl -l | grep -w '/run/utmp'
+
+template:
+ name: audit_rules_login_events
+ vars:
+ path: /run/utmp
+ backends:
+ ansible: "off"
+ bash: "off"
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events_utmp/tests/auditctl_correct_utmp.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events_utmp/tests/auditctl_correct_utmp.pass.sh
new file mode 100644
index 00000000000..0d838534451
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events_utmp/tests/auditctl_correct_utmp.pass.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+echo "-w /run/utmp -p wa -k session" >> /etc/audit/audit.rules
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events_utmp/tests/auditctl_remove_all_rules_utmp.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events_utmp/tests/auditctl_remove_all_rules_utmp.fail.sh
new file mode 100644
index 00000000000..a3228e2c880
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events_utmp/tests/auditctl_remove_all_rules_utmp.fail.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+rm -f /etc/audit/audit.rules
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events_utmp/tests/auditctl_wrong_rule_utmp.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events_utmp/tests/auditctl_wrong_rule_utmp.fail.sh
new file mode 100644
index 00000000000..5cfbc73890e
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events_utmp/tests/auditctl_wrong_rule_utmp.fail.sh
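Review bot: The `template:` block turns the `ansible` and `bash` backends of `audit_rules_login_events` to `"off"` without saying why, even though this same commit ships hand-written ansible/bash remediations for the path; a YAML comment above `backends:` such as `# remediations are hand-written in ansible/shared.yml and bash/shared.sh` would keep the next maintainer from re-enabling the template output. `prodtype: sle15` also pins the rule to one product while both remediation headers use `multi_platform_sle`; presumably prodtype wins, but the two are worth aligning. In `ocil`, `To Check the file is being audited by performing the following command` reads better as `To check that the file is being audited, run the following command`.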
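Review bot: None of the six scenario scripts (this one, `auditctl_remove_all_rules_utmp.fail.sh`, `auditctl_wrong_rule_utmp.fail.sh` and the three `augenrules_*` scripts) enable `set -e`, so a failing `mkdir`, `rm` or `sed -i` is ignored and each script exits with the status of its last command only; if the harness reads a non-zero status as a scenario error, a broken setup step would instead show up as a misleading pass or fail of the rule. Adding `set -e` after the shebang in each script makes setup failures visible. The `sed -i` on `/usr/lib/systemd/system/auditd.service` also does nothing when no `ExecStartPost=` line is present, so the auditctl scenarios would then silently run under augenrules; a guard such as `grep -q '^ExecStartPost=' /usr/lib/systemd/system/auditd.service || exit 1` before the `sed` makes that assumption explicit.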
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+echo "-w /run/something -p wa -k session" >> /etc/audit/audit.rules
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events_utmp/tests/augenrules_correct_utmp.pass.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events_utmp/tests/augenrules_correct_utmp.pass.sh
new file mode 100644
index 00000000000..3dd09e81ae4
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events_utmp/tests/augenrules_correct_utmp.pass.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+
+mkdir -p /etc/audit/rules.d
+echo "-w /run/utmp -p wa -k session" >> /etc/audit/rules.d/login.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events_utmp/tests/augenrules_remove_all_rules_utmp.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events_utmp/tests/augenrules_remove_all_rules_utmp.fail.sh
new file mode 100644
index 00000000000..be84fea7bb1
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events_utmp/tests/augenrules_remove_all_rules_utmp.fail.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+
+mkdir -p /etc/audit/rules.d
+rm -f /etc/audit/rules.d/*
+> /etc/audit/audit.rules
diff --git a/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events_utmp/tests/augenrules_wrong_rule_utmp.fail.sh b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events_utmp/tests/augenrules_wrong_rule_utmp.fail.sh
new file mode 100644
index 00000000000..ab2ee278d35
--- /dev/null
+++ b/linux_os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events_utmp/tests/augenrules_wrong_rule_utmp.fail.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+
+mkdir -p /etc/audit/rules.d
+echo "-w /run/something -p wa -k session" >> /etc/audit/rules.d/login.rules
diff --git a/sle15/profiles/stig.profile b/sle15/profiles/stig.profile
index 8d3d7ef4923..a9b04bf43d1 100644
--- a/sle15/profiles/stig.profile
+++ b/sle15/profiles/stig.profile
@@ -119,6 +119,7 @@ selections:
 - audit_rules_privileged_commands_usermod
 - audit_rules_privileged_commands_sudoedit
 - audit_rules_privileged_commands_umount
+ - audit_rules_session_events_utmp
 - audit_rules_suid_privilege_function
 - audit_rules_sysadmin_actions
 - audit_rules_unsuccessful_file_modification_creat