Profile Applicability:
• Level 2
Description:
Session initiation events capture user logins, logouts, and terminal sessions. Collecting this information is vital for tracking user activity, detecting unauthorized access, and supporting forensic investigations.
Rationale:
Auditing session initiation helps monitor system access patterns and quickly identify suspicious or unauthorized login attempts.
Impact:
Pros:
Provides detailed logs of user sessions for accountability.
Supports incident response and compliance requirements.
Cons:
May increase audit log volume; requires log management.
Default Value:
Audit rules for session initiation may not be enabled by default.
Pre-requisites:
Root or sudo privileges to configure audit rules.
Remediation:
Test Plan:
Using Linux command line:
Check existing audit rules for session events:
auditctl -l | grep session
Verify audit rules exist for pam_unix or session-related syscalls.
Implementation Plan:
Using Linux command line:
Add audit rules to capture session initiation:
auditctl -w /var/run/utmp -p wa -k session
auditctl -w /var/log/wtmp -p wa -k session
auditctl -w /var/log/btmp -p wa -k session
Persist rules by adding them to /etc/audit/rules.d/audit.rules.
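The following is an added example, not part of the benchmark text: a POSIX shell check that reads the rule list in the format `auditctl -l` prints, reports which of the three session watches above are missing or have the wrong permission set, and emits the rule lines to add under /etc/audit/rules.d/. The sample rule output is constructed; on a real host feed it the output of `auditctl -l` instead.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark): audit the loaded audit rules for
# the three session-initiation watches and generate the missing rule lines.

# Files this recommendation watches, one per line.
SESSION_FILES="/var/run/utmp
/var/log/wtmp
/var/log/btmp"

# missing_session_rules RULES_TEXT
# Prints every watched path that has no exact "-w <path> -p wa -k session"
# line in RULES_TEXT (the form in which `auditctl -l` lists loaded rules).
# Returns 0 when all three watches are present, 1 otherwise.
missing_session_rules() {
    rules="$1"
    rc=0
    for f in $SESSION_FILES; do
        # Require the exact permission set and key: a watch with only "-p w"
        # or a different key is treated as non-compliant.
        if ! printf '%s\n' "$rules" | grep -q -- "^-w $f -p wa -k session$"; then
            printf '%s\n' "$f"
            rc=1
        fi
    done
    return $rc
}

# session_rules_for PATH...
# Prints one persistent rule line per path, ready to append to
# /etc/audit/rules.d/audit.rules (then reload with augenrules --load).
session_rules_for() {
    for f in "$@"; do
        printf '%s %s -p wa -k session\n' -w "$f"
    done
}

# Constructed sample of `auditctl -l` output: wtmp is correct, utmp has the
# wrong permission set, and btmp has no watch at all.
SAMPLE_RULES='-w /var/log/wtmp -p wa -k session
-w /var/run/utmp -p w -k session
-w /etc/passwd -p wa -k identity'

# Stand-alone run: list the gaps and the rules that would close them.
missing="$(missing_session_rules "$SAMPLE_RULES")" || echo "non-compliant; add:"
session_rules_for $missing
```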
Backout Plan:
Using Linux command line:
Remove or disable session audit rules if needed:
auditctl -W /var/run/utmp -p wa -k session
auditctl -W /var/log/wtmp -p wa -k session
auditctl -W /var/log/btmp -p wa -k session
Reload audit daemon configuration.
References:
CIS Amazon Linux 2 Benchmark v3.0.0