mediumauditverified ✓rollback-safe
Ensure session initiation information is collected
audit-session · RHEL ≥ 8 · 1 impl
Description
Session initiation information must be collected.
Rationale
Without auditing these events, malicious activity could go undetected, compromising forensic capabilities.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -k session
Remediateaudit_rule_set
- rule:
- -w /var/run/utmp -p wa -k session
- persist_file:
- /etc/audit/rules.d/50-session.rules
Framework references
CIS
rhel8 6.3.3.11rhel9 6.3.3.11rhel10 6.3.3.22
NIST 800-53
AU-2AU-12AC-2
Live verification
rhel10:checkrhel8:checkrhel9:check
#audit#auditd