CCE-92104-9| Platform: Amazon Linux | Date: (C)2018-10-29 (M)2022-10-10 |
Record Attempts to Alter Logon and Logout Events
The audit system already collects login info for all users and root. To watch for attempted manual edits of
files involved in storing logon events, add the following to '/etc/audit/audit.rules':
'-w /var/log/faillog -p wa -k logins -w /var/log/lastlog -p wa -k logins'
Parameter:
Technical Mechanism:
Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion.
Fix:
No Remediation Info
| CCSS Severity: | CCSS Metrics: |
| CCSS Score : | Attack Vector: |
| Exploit Score: | Attack Complexity: |
| Impact Score: | Privileges Required: |
| Severity: | User Interaction: |
| Vector: | Scope: |
| | Confidentiality: |
| | Integrity: |
| | Availability: |
| | |
References: | Resource Id | Reference |
|---|
| SCAP Repo OVAL Definition | oval:org.secpod.oval:def:48291 |
| SCAP Repo OVAL Definition | oval:org.secpod.oval:def:48808 |
| SCAP Repo OVAL Definition | oval:org.secpod.oval:def:48291 |
