← Rules Catalog
mediumauditverified ✓✓rollback-safe

Audit access to /var/log/wtmp (Ubuntu)

audit-watch-wtmp · UBUNTU ≥ 22 · 1 impl

Description

Modifications to /var/log/wtmp must generate an audit record so that login/logout events can be traced to an individual.

Rationale

Auditing this path supports detection of unauthorized changes and forensic reconstruction of events.

Check → Remediate

Checkaudit_rule_exists
rule:
-w /var/log/wtmp -p wa -k logins
Remediateaudit_rule_set
rule:
-w /var/log/wtmp -p wa -k logins
persist_file:
/etc/audit/rules.d/50-watch-wtmp.rules

Framework references

STIG

V-270810 / UBTU-24-900590V-260642 / UBTU-22-654200

NIST 800-53

AU-2AU-12

Live verification

ubuntu22:checkubuntu24:checkubuntu24:full
#audit#auditd#watch