ComplianceAsCode · vojtapolasek · May 12, 2021 · Apr 30, 2021 · May 10, 2021 · May 10, 2021
diff --git a/...system/auditing/auditd_configure_rules/audit_rules_session_events_wtmp/ansible/shared.yml b/...system/auditing/auditd_configure_rules/audit_rules_session_events_wtmp/ansible/shared.yml
@@ -0,0 +1,8 @@
+# platform = multi_platform_sle
+# reboot = true
+# strategy = restrict
+# complexity = low
+# disruption = low
+
+{{{ ansible_audit_augenrules_add_watch_rule(path='/var/log/wtmp', permissions='wa', key='session') }}}
+{{{ ansible_audit_auditctl_add_watch_rule(path='/var/log/wtmp', permissions='wa', key='session') }}}
diff --git a/...ide/system/auditing/auditd_configure_rules/audit_rules_session_events_wtmp/bash/shared.sh b/...ide/system/auditing/auditd_configure_rules/audit_rules_session_events_wtmp/bash/shared.sh
@@ -0,0 +1,9 @@
+# platform = multi_platform_sle
+
+# Include source function library.
+. /usr/share/scap-security-guide/remediation_functions
+
+# Perform the remediation
+# Perform the remediation for both possible tools: 'auditctl' and 'augenrules'
+fix_audit_watch_rule "auditctl" "/var/log/wtmp" "wa" "session"
+fix_audit_watch_rule "augenrules" "/var/log/wtmp" "wa" "session"
diff --git a/..._os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events_wtmp/rule.yml b/..._os/guide/system/auditing/auditd_configure_rules/audit_rules_session_events_wtmp/rule.yml
@@ -0,0 +1,48 @@
+documentation_complete: true
+
+prodtype: sle15
+
+title: 'Record Attempts to Alter Process and Session Initiation Information wtmp'
+
+description: |-
+    The audit system already collects process information for all
+    users and root. If the <tt>auditd</tt> daemon is configured to use the
+    <tt>augenrules</tt> program to read audit rules during daemon startup (the
+    default), add the following lines to a file with suffix <tt>.rules</tt> in the
+    directory <tt>/etc/audit/rules.d</tt> in order to watch for attempted manual
+    edits of files involved in storing such process information:
+    <pre> -w /var/log/wtmp -p wa -k session</pre>
+    If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
+    utility to read audit rules during daemon startup, add the following lines to
+    <tt>/etc/audit/audit.rules</tt> file in order to watch for attempted manual
+    edits of files involved in storing such process information:
+    <pre> -w /var/log/wtmp -p wa -k session</pre>
+
+rationale: |-
+    Manual editing of these files may indicate nefarious activity, such
+    as an attacker attempting to remove evidence of an intrusion.
+
+severity: medium
+
+identifiers:
+    cce@sle15: CCE-85757-3
+
+references:
+    stigid@sle15: SLES-15-030770 
+    srg: SRG-OS-000472-GPOS-00217
+    disa: CCI-000172
+    nist: AU-12(c),AU-12.1(iv)
+
+ocil_clause: 'Audit rule is not present'
+
+ocil: |-
+    Check that the file is being audited by performing the following command:
+    <pre> sudo auditctl -l | grep -w '/var/log/wtmp'</pre>
+
+template:
+    name: audit_rules_login_events
+    vars:
+        path: /var/log/wtmp
+    backends:
+        ansible: "off"
+        bash: "off"
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+echo "-w /var/log/wtmp -p wa -k logins" >> /etc/audit/audit.rules
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+rm -f /etc/audit/audit.rules
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
@@ -0,0 +1,4 @@
+#!/bin/bash
+
+echo "-w /var/log/something -p wa -k logins" >> /etc/audit/audit.rules
+sed -i "s%^ExecStartPost=.*%ExecStartPost=-/sbin/auditctl%" /usr/lib/systemd/system/auditd.service
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+
+mkdir -p /etc/audit/rules.d
+echo "-w /var/log/wtmp -p wa -k logins" >> /etc/audit/rules.d/login.rules
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+
+mkdir -p /etc/audit/rules.d
+rm -f /etc/audit/rules.d/*
+> /etc/audit/audit.rules
@@ -0,0 +1,5 @@
+#!/bin/bash
+
+
+mkdir -p /etc/audit/rules.d
+echo "-w /var/log/something -p wa -k logins" >> /etc/audit/rules.d/login.rules
diff --git a/sle15/profiles/stig.profile b/sle15/profiles/stig.profile
@@ -120,6 +120,7 @@ selections:
     - audit_rules_privileged_commands_sudoedit
     - audit_rules_privileged_commands_umount
     - audit_rules_session_events_utmp
+    - audit_rules_session_events_wtmp
     - audit_rules_suid_privilege_function
     - audit_rules_sysadmin_actions
     - audit_rules_unsuccessful_file_modification_creat