documentation_complete: true

title: 'Record Attempts to Alter Logon and Logout Events'

description: |-
    The audit system already collects login information for all users
    and root. If the <tt>auditd</tt> daemon is configured to use the
    <tt>augenrules</tt> program to read audit rules during daemon startup (the
    default), add the following lines to a file with suffix <tt>.rules</tt> in the
    directory <tt>/etc/audit/rules.d</tt> in order to watch for attempted manual
    edits of files involved in storing logon events:
{{% if audit_watches_style == "modern" %}}
    <pre>-a always,exit -F arch=b32 -F path=/var/log/tallylog -F perm=wa -F key=logins
    -a always,exit -F arch=b64 -F path=/var/log/tallylog -F perm=wa -F key=logins
    -a always,exit -F arch=b32 -F path={{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}} -F perm=wa -F key=logins
    -a always,exit -F arch=b64 -F path={{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}} -F perm=wa -F key=logins
    -a always,exit -F arch=b32 -F path=/var/log/lastlog -F perm=wa -F key=logins
    -a always,exit -F arch=b64 -F path=/var/log/lastlog -F perm=wa -F key=logins</pre>
{{% else %}}
    <pre>-w /var/log/tallylog -p wa -k logins
    -w {{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}} -p wa -k logins
    -w /var/log/lastlog -p wa -k logins</pre>
{{% endif %}}

    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
    utility to read audit rules during daemon startup, add the following lines to
    <tt>/etc/audit/audit.rules</tt> file in order to watch for unattempted manual
    edits of files involved in storing logon events:
{{% if audit_watches_style == "modern" %}}
    <pre>-a always,exit -F arch=b32 -F path=/var/log/tallylog -F perm=wa -F key=logins
    -a always,exit -F arch=b64 -F path=/var/log/tallylog -F perm=wa -F key=logins
    -a always,exit -F arch=b32 -F path={{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}} -F perm=wa -F key=logins
    -a always,exit -F arch=b64 -F path={{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}} -F perm=wa -F key=logins
    -a always,exit -F arch=b32 -F path=/var/log/lastlog -F perm=wa -F key=logins
    -a always,exit -F arch=b64 -F path=/var/log/lastlog -F perm=wa -F key=logins</pre>
{{% else %}}
    <pre>-w /var/log/tallylog -p wa -k logins
    -w {{{ xccdf_value("var_accounts_passwords_pam_faillock_dir") }}} -p wa -k logins
    -w /var/log/lastlog -p wa -k logins</pre>
{{% endif %}}