- 필수 기능
- 앱 내
- 서비스 관리
- 인프라스트럭처
- 애플리케이션 성능
- 디지털 경험
- 소프트웨어 제공
- 보안
- 로그 관리
- 관리
- 인프라스트럭처
- ci
- containers
- csm
- ndm
- otel_guides
- overview
- slos
- synthetics
- tests
- 워크플로
The audit system already collects login information for all users
and root. If the auditd
daemon is configured to use the
augenrules
program to read audit rules during daemon startup (the
default), add the following lines to a file with suffix .rules
in the
directory /etc/audit/rules.d
in order to watch for attempted manual
edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
-w -p wa -k logins
-w /var/log/lastlog -p wa -k logins
If the auditd
daemon is configured to use the auditctl
utility to read audit rules during daemon startup, add the following lines to
/etc/audit/audit.rules
file in order to watch for unattempted manual
edits of files involved in storing logon events:
-w /var/log/tallylog -p wa -k logins
-w -p wa -k logins
-w /var/log/lastlog -p wa -k logins
Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.
This rule checks for multiple syscalls related to login events; it was written with DISA STIG in mind. Other policies should use a separate rule for each syscall that needs to be checked. For example:
audit_rules_login_events_tallylog
audit_rules_login_events_faillock
audit_rules_login_events_lastlog