{"description": "The audit system already collects login information for all users\nand root. If the <tt>auditd</tt> daemon is configured to use the\n<tt>augenrules</tt> program to read audit rules during daemon startup (the\ndefault), add the following lines to a file with suffix <tt>.rules</tt> in the\ndirectory <tt>/etc/audit/rules.d</tt> in order to watch for attempted manual\nedits of files involved in storing logon events:\n\n<pre>-w /var/log/tallylog -p wa -k logins\n-w <sub idref=\"var_accounts_passwords_pam_faillock_dir\" /> -p wa -k logins\n-w /var/log/lastlog -p wa -k logins</pre>\n\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>\nutility to read audit rules during daemon startup, add the following lines to the\n<tt>/etc/audit/audit.rules</tt> file in order to watch for attempted manual\nedits of files involved in storing logon events:\n\n<pre>-w /var/log/tallylog -p wa -k logins\n-w <sub idref=\"var_accounts_passwords_pam_faillock_dir\" /> -p wa -k logins\n-w /var/log/lastlog -p wa -k logins</pre>", "warnings": [], "requires": [], "conflicts": [], "values": {}, "groups": {}, "rules": ["audit_rules_login_events", "audit_rules_login_events_faillock", "audit_rules_login_events_faillog", "audit_rules_login_events_lastlog", "audit_rules_login_events_tallylog"], "platform": "", "platforms": [], "inherited_platforms": ["package[audit]", "system_with_kernel"], "cpe_platform_names": [], "title": "Record Attempts to Alter Logon and Logout Events", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/group.yml"}