Profile Applicability:
 • Level 2

Description:
 Logging login and logout events is essential to monitor user access, track session activity, and detect unauthorized access attempts. Collecting these events provides accountability and supports forensic investigations.

Rationale:
 Auditing login/logout events enhances security monitoring by capturing critical user session activities and enabling timely detection of suspicious behavior.

Impact:
 Pros:

  • Provides detailed records of user access for auditing and compliance.

  • Supports incident response and security investigations.

 Cons:

  • May generate a large volume of logs requiring proper log management.

Default Value:
 Audit rules for login/logout events may not be enabled by default.

Pre-requisites:

  • Root or sudo privileges to configure audit rules.

Remediation:

Test Plan:

Using Linux command line:

Check the currently loaded audit rules for login/logout events (the grep below matches on the rule key used in the Implementation Plan; if your rules use a different key, grep for the file paths instead, and remember that auditctl -l shows only rules loaded into the kernel, not unloaded files under /etc/audit/rules.d/):

auditctl -l | grep -E 'login|logout|session'

  1. Verify that a watch rule with a permission filter of at least -p wa exists for each of /var/log/faillog, /var/log/lastlog, /var/log/wtmp, and /var/run/utmp.

Implementation Plan:

Using Linux command line:

Add audit rules to monitor login and logout events. Rules added with auditctl take effect immediately but are lost at reboot, so they must also be persisted (step 1). If /var/log/faillog does not exist because the system uses pam_faillock rather than pam_tally2, omit that rule or point it at the failed-login record your PAM configuration actually writes (pam_faillock keeps its records in a directory under /var/run by default):

auditctl -w /var/run/utmp -p wa -k session
auditctl -w /var/log/wtmp -p wa -k session
auditctl -w /var/log/faillog -p wa -k session
auditctl -w /var/log/lastlog -p wa -k session
  1. Persist these rules in /etc/audit/rules.d/audit.rules (or another .rules file in that directory) and load them with augenrules --load, so they are re-applied when auditd starts.
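The following POSIX shell script is an added example and not part of this benchmark or the audit project's tooling. It combines the Test Plan and the Implementation Plan: check_session_watches parses auditctl -l output and reports each expected file that is not watched (MISSING) or is watched with a permission filter that would miss writes or attribute changes (WEAK), and render_session_rules emits the rule lines to persist under /etc/audit/rules.d/. The sample auditctl -l output embedded in the script is constructed, not captured from a real host; the file list and the key name session come from the benchmark text, while the suggested file name 50-session.rules is an assumption of this example.

```shell
#!/bin/sh
# Added example (not part of the benchmark text): verify that auditd watches
# for the login/logout files are loaded with an adequate permission filter,
# and render the persistent rule set that satisfies the check.

# Paths named in the Test Plan. Edit this list if your PAM stack records
# failed logins elsewhere (e.g. pam_faillock's directory under /var/run).
SESSION_FILES="/var/run/utmp /var/log/wtmp /var/log/faillog /var/log/lastlog"

# Constructed sample of `auditctl -l` output (not captured from a real host):
# utmp and wtmp are watched correctly, lastlog only for reads, faillog not at all.
SAMPLE_RULES='-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/lastlog -p r -k logins
-a always,exit -F arch=b64 -S execve -k exec'

# check_session_watches RULES
# RULES is the text of `auditctl -l`. For every path in SESSION_FILES, find a
# `-w PATH` rule and read its -p filter. No watch at all is reported as
# MISSING; a watch whose filter lacks w or a (so it would not fire on the
# writes and attribute changes the benchmark cares about) is reported as WEAK.
# The key (-k) is deliberately ignored: it is only a label, so any key passes.
# Returns 0 only when every path is covered.
check_session_watches() {
    rules=$1
    status=0
    for f in $SESSION_FILES; do
        perms=$(printf '%s\n' "$rules" | awk -v p="$f" '
            $1 == "-w" && $2 == p {
                for (i = 3; i < NF; i++) if ($i == "-p") print $(i + 1)
            }')
        case "$perms" in
            *w*a*|*a*w*) ;;
            "")          printf 'MISSING %s\n' "$f"; status=1 ;;
            *)           printf 'WEAK %s (-p %s)\n' "$f" "$perms"; status=1 ;;
        esac
    done
    return $status
}

# render_session_rules
# Prints the rule lines to persist under /etc/audit/rules.d/ so they survive
# a reboot, e.g. (file name is an assumption of this example):
#   render_session_rules > /etc/audit/rules.d/50-session.rules && augenrules --load
render_session_rules() {
    for f in $SESSION_FILES; do
        printf '%s %s -p wa -k session\n' -w "$f"
    done
}

# Stand-alone run: the constructed sample should fail, the rendered set pass.
check_session_watches "$SAMPLE_RULES" || echo "sample rules: FAIL (as expected)"
check_session_watches "$(render_session_rules)" && echo "rendered rules: PASS"
# On a live host, as root:  check_session_watches "$(auditctl -l)"
```

Running the check against the constructed sample reports MISSING /var/log/faillog and WEAK /var/log/lastlog (-p r) while accepting the utmp and wtmp watches; feeding it the output of render_session_rules passes, which is the loop an operator wants: render, load with augenrules --load, re-check against auditctl -l.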

Backout Plan:

Using Linux command line:

Remove the login/logout audit rules if necessary (auditctl -W deletes a watch with the same path, permissions and key that -w created):

auditctl -W /var/run/utmp -p wa -k session
auditctl -W /var/log/wtmp -p wa -k session
auditctl -W /var/log/faillog -p wa -k session
auditctl -W /var/log/lastlog -p wa -k session
  1. Delete the corresponding lines from the rules file under /etc/audit/rules.d/ and reload the audit daemon configuration with augenrules --load, otherwise the rules return at the next auditd start. If the audit configuration has been locked with -e 2, rules cannot be changed at runtime; edit the rules file and reboot.

References: