{"description": "The audit system already collects login information for all users\nand root.\n\n\n\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt>\nprogram to read audit rules during daemon startup (the default), add the\nfollowing lines to a file with suffix <tt>.rules</tt> in the\ndirectory <tt>/etc/audit/rules.d</tt>:\n\n<pre>-w /var/log/tallylog -p wa -k logins</pre>\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>\nutility to read audit rules during daemon startup, add the following lines to\n<tt>/etc/audit/audit.rules</tt>:\n\n<pre>-w /var/log/tallylog -p wa -k logins</pre>", "rationale": "Manual editing of these files may indicate nefarious activity, such\nas an attacker attempting to remove evidence of an intrusion.", "severity": "medium", "references": {"cis-csc": ["1", "11", "12", "13", "14", "15", "16", "19", "2", "3", "4", "5", "6", "7", "8", "9"], "cobit5": ["APO10.01", "APO10.03", "APO10.04", "APO10.05", "APO11.04", "APO12.06", "APO13.01", "BAI03.05", "BAI08.02", "DSS01.03", "DSS01.04", "DSS02.02", "DSS02.04", "DSS02.07", "DSS03.01", "DSS03.05", "DSS05.02", "DSS05.03", "DSS05.04", "DSS05.05", "DSS05.07", "MEA01.01", "MEA01.02", "MEA01.03", "MEA01.04", "MEA01.05", "MEA02.01"], "cui": ["3.1.7"], "hipaa": ["164.308(a)(1)(ii)(D)", "164.308(a)(3)(ii)(A)", "164.308(a)(5)(ii)(C)", "164.312(a)(2)(i)", "164.312(b)", "164.312(d)", "164.312(e)"], "isa-62443-2009": ["4.2.3.10", "4.3.2.6.7", "4.3.3.3.9", "4.3.3.5.8", "4.3.3.6.6", "4.3.4.4.7", "4.3.4.5.6", "4.3.4.5.7", "4.3.4.5.8", "4.4.2.1", "4.4.2.2", "4.4.2.4"], "isa-62443-2013": ["SR 1.13", "SR 2.10", "SR 2.11", "SR 2.12", "SR 2.6", "SR 2.8", "SR 2.9", "SR 3.1", "SR 3.5", "SR 3.8", "SR 4.1", "SR 4.3", "SR 5.1", "SR 5.2", "SR 5.3", "SR 6.1", "SR 6.2", "SR 7.1", "SR 7.6"], "iso27001-2013": ["A.11.2.6", "A.12.4.1", "A.12.4.2", "A.12.4.3", "A.12.4.4", "A.12.7.1", "A.13.1.1", "A.13.2.1", "A.14.1.3", "A.14.2.7", "A.15.2.1", "A.15.2.2", "A.16.1.4", "A.16.1.5", 
"A.16.1.7", "A.6.2.1", "A.6.2.2"], "nist": ["AU-2(d)", "AU-12(c)", "AC-6(9)", "CM-6(a)"], "nist-csf": ["DE.AE-3", "DE.AE-5", "DE.CM-1", "DE.CM-3", "DE.CM-7", "ID.SC-4", "PR.AC-3", "PR.PT-1", "PR.PT-4", "RS.AN-1", "RS.AN-4"], "pcidss": ["Req-10.2.3"], "srg": ["SRG-OS-000392-GPOS-00172", "SRG-OS-000470-GPOS-00214", "SRG-OS-000473-GPOS-00218", "SRG-APP-000503-CTR-001275"], "ism": ["0582"], "pcidss4": ["10.2.1.3", "10.2.1", "10.2"]}, "control_references": {"ism": ["0582"], "pcidss4": ["10.2.1.3", "10.2.1", "10.2"]}, "components": [], "identifiers": {}, "ocil_clause": "the command does not return a line, or the line is commented out", "ocil": "\nVerify Ubuntu 22.04 generates audit records for all events that affect \"/var/log/tallylog\" with the following command:\n\n$ sudo auditctl -l | grep /var/log/tallylog\n\n-w /var/log/tallylog -p wa -k logins", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to generate audit records for all account creations, modifications, disabling, and termination events that affect <tt>\"/var/log/tallylog\"</tt>.\n\nAdd or update the following file system rule to <tt>\"/etc/audit/rules.d/audit.rules\"</tt>:\n\n-w /var/log/tallylog -p wa -k logins\n\n\nThe audit daemon must be restarted for the changes to take effect.", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/tallylog.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/tallylog.", "vuldiscussion": "Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.", 
"checktext": "Verify Ubuntu 22.04 generates audit records for all account creations, modifications, disabling, and termination events that affect \"/var/log/tallylog\" with the following command:\n\n$ sudo auditctl -l | grep /var/log/tallylog\n\n\n-w /var/log/tallylog -p wa -k logins\n\n\nIf the command does not return a line, or the line is commented out, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to generate audit records for all account creations, modifications, disabling, and termination events that affect \"/var/log/tallylog\".\n\nAdd or update the following file system rule to \"/etc/audit/rules.d/audit.rules\":\n\n-w /var/log/tallylog -p wa -k logins\n\n\nThe audit daemon must be restarted for the changes to take effect."}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[audit]", "system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel", "package_audit"], "bash_conditional": null, "fixes": {}, "title": "Record Attempts to Alter Logon and Logout Events - tallylog", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml", "template": {"name": "audit_rules_watch", "vars": {"path": "/var/log/tallylog", "key": "logins"}, "backends": {}}}
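The rule above is verified with `auditctl -l | grep /var/log/tallylog` and remediated by appending `-w /var/log/tallylog -p wa -k logins` to a rules file. The following script is an added example, not code from the SCAP Security Guide or the STIG: it checks a rules file (or saved `auditctl -l` output) for an effective, uncommented watch on `/var/log/tallylog` whose permission set covers both `w` and `a` (so `-p rwxa` also passes), and appends the rule only when it is missing. The function names `tallylog_watch_ok` and `ensure_tallylog_watch` and the sample rule files are assumptions constructed for the demo; it runs offline with no root and no auditd. Note that `auditctl -l` prints only loaded rules, so a commented-out line can only be spotted by reading the rules file itself, which is what the checker does.

```shell
#!/bin/sh
# Added example (not part of the SSG rule or the STIG text): detect and
# remediate a missing auditd file watch on /var/log/tallylog.
# Works on a rules file or on saved `auditctl -l` output; no root needed.

WATCH_PATH=/var/log/tallylog
RULE_LINE="-w $WATCH_PATH -p wa -k logins"

# tallylog_watch_ok FILE
# Returns 0 if FILE contains an uncommented "-w WATCH_PATH" rule whose
# -p permission set includes both w and a (the STIG asks for "wa";
# a superset such as "rwxa" also satisfies it). Commented lines are ignored,
# matching the OCIL clause "the line is commented out" being a finding.
tallylog_watch_ok() {
    awk -v path="$WATCH_PATH" '
        /^[[:space:]]*#/ { next }             # skip commented-out rules
        {
            is_watch = 0; perms = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-w" && $(i+1) == path) is_watch = 1
                if ($i == "-p") perms = $(i+1)
            }
            if (is_watch && perms ~ /w/ && perms ~ /a/) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# ensure_tallylog_watch FILE
# Idempotent remediation: append RULE_LINE to FILE (for example
# /etc/audit/rules.d/audit.rules) only when no effective watch exists.
# Prints "added" or "present". auditd still has to be restarted
# (or `augenrules --load` run) for the change to take effect.
ensure_tallylog_watch() {
    if tallylog_watch_ok "$1"; then
        echo present
    else
        printf '%s\n' "$RULE_LINE" >> "$1"
        echo added
    fi
}

# Demo on constructed rule files; these are not real system state.
demo() {
    d=$(mktemp -d)
    # Finding: the tallylog rule is present but commented out.
    printf '# %s\n-w /etc/passwd -p wa -k identity\n' "$RULE_LINE" > "$d/bad.rules"
    # Compliant: watch present with a superset of the required permissions.
    printf '%s\n' "-w $WATCH_PATH -p rwxa -k logins" > "$d/good.rules"

    tallylog_watch_ok "$d/bad.rules"  && echo "bad.rules: ok"  || echo "bad.rules: FINDING"
    tallylog_watch_ok "$d/good.rules" && echo "good.rules: ok" || echo "good.rules: FINDING"
    ensure_tallylog_watch "$d/bad.rules"   # appends the rule
    ensure_tallylog_watch "$d/bad.rules"   # second run changes nothing
    rm -rf "$d"
}

demo
```

To run the checker against what the kernel actually has loaded, save the live rule list first (`sudo auditctl -l > /tmp/loaded.rules`) and pass that file; to check what will be loaded at boot, point it at the file under `/etc/audit/rules.d/` where the rule lives.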