mediumauditverified ✓✓rollback-safe
Audit access to /var/log/wtmp (Ubuntu)
audit-watch-wtmp · UBUNTU ≥ 22 · 1 impl
Description
Modifications to /var/log/wtmp must generate an audit record so that login/logout events can be traced to an individual.
Rationale
Auditing this path supports detection of unauthorized changes and forensic reconstruction of events.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -w /var/log/wtmp -p wa -k logins
Remediateaudit_rule_set
- rule:
- -w /var/log/wtmp -p wa -k logins
- persist_file:
- /etc/audit/rules.d/50-watch-wtmp.rules
Framework references
STIG
V-270810 / UBTU-24-900590V-260642 / UBTU-22-654200
NIST 800-53
AU-2AU-12
Live verification
ubuntu22:checkubuntu24:checkubuntu24:full
#audit#auditd#watch