{"description": "The audit system already collects process information for all\nusers and root.\n\n\n\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt>\nprogram to read audit rules during daemon startup (the default), add the\nfollowing lines to a file with suffix <tt>.rules</tt> in the\ndirectory <tt>/etc/audit/rules.d</tt>:\n\n<pre>-w /var/run/utmp -p wa -k session</pre>\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>\nutility to read audit rules during daemon startup, add the following lines to\n<tt>/etc/audit/audit.rules</tt>:\n\n<pre>-w /var/run/utmp -p wa -k session</pre>", "rationale": "Manual editing of these files may indicate nefarious activity, such\nas an attacker attempting to remove evidence of an intrusion.", "severity": "medium", "references": {"hipaa": ["164.308(a)(1)(ii)(D)", "164.308(a)(3)(ii)(A)", "164.308(a)(5)(ii)(C)", "164.312(a)(2)(i)", "164.312(b)", "164.312(d)", "164.312(e)"], "nist": ["AU-12(c)", "AU-12.1(iv)"], "srg": ["SRG-OS-000472-GPOS-00217"], "anssi": ["R73"], "ism": ["0582", "0846"], "pcidss4": ["10.2.1.3", "10.2.1", "10.2"], "stigid": ["UBTU-22-654205"], "stigref": ["SV-260643r991581_rule"]}, "control_references": {"anssi": ["R73"], "ism": ["0582", "0846"], "pcidss4": ["10.2.1.3", "10.2.1", "10.2"], "stigid": ["UBTU-22-654205"]}, "components": [], "identifiers": {}, "ocil_clause": "Audit rule is not present", "ocil": "\nVerify Ubuntu 22.04 generates audit records for all events that affect \"/var/run/utmp\" with the following command:\n\n$ sudo auditctl -l | grep /var/run/utmp\n\n-w /var/run/utmp -p wa -k session", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["package[audit]", "system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_audit", "system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Record Attempts to Alter Process and Session Initiation Information utmp", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_utmp/rule.yml", "template": {"name": "audit_rules_watch", "vars": {"path": "/var/run/utmp", "key": "session"}, "backends": {}}}