OPENSCAP-4948 - Use modern audit watches in audit_rules_session_events

controls/anssi.yml

@@ -1492,7 +1492,9 @@ controls:
     - audit_rules_login_events_faillock
     - audit_rules_login_events_lastlog
 
-    - audit_rules_session_events
+    - audit_rules_session_events_utmp
+    - audit_rules_session_events_btmp
+    - audit_rules_session_events_wtmp
 
     - audit_rules_time_adjtimex
     - audit_rules_time_clock_settime

controls/ccn_rhel9.yml

@@ -50,7 +50,9 @@ controls:
       - advanced
     status: automated
     rules:
-      - audit_rules_session_events
+      - audit_rules_session_events_utmp
+      - audit_rules_session_events_btmp
+      - audit_rules_session_events_wtmp
       - audit_rules_login_events_faillock
       - audit_rules_login_events_lastlog
 

controls/cis_rhel10.yml

@@ -2597,7 +2597,9 @@ controls:
       - l2_workstation
     status: automated
     rules:
-      - audit_rules_session_events
+      - audit_rules_session_events_utmp
+      - audit_rules_session_events_btmp
+      - audit_rules_session_events_wtmp
 
   - id: 6.3.3.12
     title: Ensure login and logout events are collected (Automated)

controls/cis_rhel8.yml

@@ -2531,7 +2531,9 @@ controls:
       - l2_workstation
     status: automated
     rules:
-      - audit_rules_session_events
+      - audit_rules_session_events_utmp
+      - audit_rules_session_events_btmp
+      - audit_rules_session_events_wtmp
 
   - id: 5.2.3.12
     title: Ensure login and logout events are collected (Automated)

controls/cis_rhel9.yml

@@ -2685,7 +2685,9 @@ controls:
       - l2_workstation
     status: automated
     rules:
-      - audit_rules_session_events
+      - audit_rules_session_events_utmp
+      - audit_rules_session_events_btmp
+      - audit_rules_session_events_wtmp
 
   - id: 6.3.3.12
     title: Ensure login and logout events are collected (Automated)

controls/hipaa.yml

@@ -122,7 +122,9 @@ controls:
             - audit_rules_mac_modification_usr_share
             - audit_rules_media_export
             - audit_rules_networkconfig_modification
-            - audit_rules_session_events
+            - audit_rules_session_events_utmp
+            - audit_rules_session_events_btmp
+            - audit_rules_session_events_wtmp
             - audit_rules_sysadmin_actions
             - audit_rules_system_shutdown
             - audit_rules_usergroup_modification_group
@@ -283,7 +285,9 @@ controls:
             - audit_rules_mac_modification_usr_share
             - audit_rules_media_export
             - audit_rules_networkconfig_modification
-            - audit_rules_session_events
+            - audit_rules_session_events_utmp
+            - audit_rules_session_events_btmp
+            - audit_rules_session_events_wtmp
             - audit_rules_sysadmin_actions
             - audit_rules_system_shutdown
             - audit_rules_usergroup_modification_group
@@ -475,7 +479,9 @@ controls:
             - audit_rules_mac_modification_usr_share
             - audit_rules_media_export
             - audit_rules_networkconfig_modification
-            - audit_rules_session_events
+            - audit_rules_session_events_utmp
+            - audit_rules_session_events_btmp
+            - audit_rules_session_events_wtmp
             - audit_rules_sysadmin_actions
             - audit_rules_system_shutdown
             - audit_rules_usergroup_modification_group
@@ -1203,7 +1209,9 @@ controls:
             - audit_rules_mac_modification_usr_share
             - audit_rules_media_export
             - audit_rules_networkconfig_modification
-            - audit_rules_session_events
+            - audit_rules_session_events_utmp
+            - audit_rules_session_events_btmp
+            - audit_rules_session_events_wtmp
             - audit_rules_sysadmin_actions
             - audit_rules_system_shutdown
             - audit_rules_usergroup_modification_group
@@ -1339,7 +1347,9 @@ controls:
             - audit_rules_mac_modification_usr_share
             - audit_rules_media_export
             - audit_rules_networkconfig_modification
-            - audit_rules_session_events
+            - audit_rules_session_events_utmp
+            - audit_rules_session_events_btmp
+            - audit_rules_session_events_wtmp
             - audit_rules_sysadmin_actions
             - audit_rules_system_shutdown
             - audit_rules_usergroup_modification_group
@@ -1505,7 +1515,9 @@ controls:
             - audit_rules_mac_modification_usr_share
             - audit_rules_media_export
             - audit_rules_networkconfig_modification
-            - audit_rules_session_events
+            - audit_rules_session_events_utmp
+            - audit_rules_session_events_btmp
+            - audit_rules_session_events_wtmp
             - audit_rules_sysadmin_actions
             - audit_rules_system_shutdown
             - audit_rules_usergroup_modification_group
@@ -1600,7 +1612,9 @@ controls:
             - audit_rules_mac_modification_usr_share
             - audit_rules_media_export
             - audit_rules_networkconfig_modification
-            - audit_rules_session_events
+            - audit_rules_session_events_utmp
+            - audit_rules_session_events_btmp
+            - audit_rules_session_events_wtmp
             - audit_rules_sysadmin_actions
             - audit_rules_system_shutdown
             - audit_rules_usergroup_modification_group

controls/ism_o.yml

@@ -125,7 +125,9 @@ controls:
             - audit_access_success_aarch64
             - audit_access_success_ppc64le
             - audit_rules_privileged_commands
-            - audit_rules_session_events
+            - audit_rules_session_events_utmp
+            - audit_rules_session_events_btmp
+            - audit_rules_session_events_wtmp
             - audit_rules_unsuccessful_file_modification_creat
             - audit_rules_unsuccessful_file_modification_open
             - audit_rules_unsuccessful_file_modification_openat
@@ -149,7 +151,9 @@ controls:
             - audit_access_success_aarch64
             - audit_access_success_ppc64le
             - audit_rules_privileged_commands
-            - audit_rules_session_events
+            - audit_rules_session_events_utmp
+            - audit_rules_session_events_btmp
+            - audit_rules_session_events_wtmp
             - audit_rules_unsuccessful_file_modification_creat
             - audit_rules_unsuccessful_file_modification_open
             - audit_rules_unsuccessful_file_modification_openat

controls/pcidss_4.yml

@@ -2694,7 +2694,9 @@ controls:
           - audit_rules_login_events_faillock
           - audit_rules_login_events_lastlog
           - audit_rules_login_events_tallylog
-          - audit_rules_session_events
+          - audit_rules_session_events_utmp
+          - audit_rules_session_events_btmp
+          - audit_rules_session_events_wtmp
           - audit_sudo_log_events
         related_rules:
           # This rule incorportes faillock, lastlog and tallylog. It is redundant to keep it.

linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_btmp/rule.yml

@@ -15,11 +15,15 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-86196-3
+    cce@rhel9: CCE-86198-9
+    cce@rhel10: CCE-86190-6
     cce@sle15: CCE-85758-1
     cce@slmicro5: CCE-93725-0
 
 references:
     disa: CCI-000172
+    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
     nist: AU-12(c),AU-12.1(iv)
     srg: SRG-OS-000472-GPOS-00217
     stigid@sle15: SLES-15-030780
@@ -36,6 +40,3 @@ template:
     vars:
         path: /var/log/btmp
         key: session
-    backends:
-        ansible: "off"
-        bash: "off"

linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_utmp/rule.yml

@@ -6,7 +6,7 @@ title: 'Record Attempts to Alter Process and Session Initiation Information utmp
 description: |-
     The audit system already collects process information for all
     users and root.
-    {{{ describe_audit_rules_watch("/run/utmp", "session") }}}
+    {{{ describe_audit_rules_watch("/var/run/utmp", "session") }}}
 
 rationale: |-
     Manual editing of these files may indicate nefarious activity, such
@@ -15,11 +15,15 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-86199-7
+    cce@rhel9: CCE-86202-9
+    cce@rhel10: CCE-86193-0
     cce@sle15: CCE-85714-4
     cce@slmicro5: CCE-93723-5
 
 references:
     disa: CCI-000172
+    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
     nist: AU-12(c),AU-12.1(iv)
     srg: SRG-OS-000472-GPOS-00217
     stigid@sle15: SLES-15-030760
@@ -29,13 +33,10 @@ references:
 ocil_clause: 'Audit rule is not present'
 
 ocil: |-
-    {{{ ocil_audit_rules_watch("/run/utmp", "session") }}}
+    {{{ ocil_audit_rules_watch("/var/run/utmp", "session") }}}
 
 template:
     name: audit_rules_watch
     vars:
-        path: /run/utmp
+        path: /var/run/utmp
         key: session
-    backends:
-        ansible: "off"
-        bash: "off"

linux_os/guide/auditing/auditd_configure_rules/audit_rules_session_events_wtmp/rule.yml

@@ -15,11 +15,15 @@ rationale: |-
 severity: medium
 
 identifiers:
+    cce@rhel8: CCE-86204-5
+    cce@rhel9: CCE-86203-7
+    cce@rhel10: CCE-86206-0
     cce@sle15: CCE-85757-3
     cce@slmicro5: CCE-93724-3
 
 references:
     disa: CCI-000172
+    hipaa: 164.308(a)(1)(ii)(D),164.308(a)(3)(ii)(A),164.308(a)(5)(ii)(C),164.312(a)(2)(i),164.312(b),164.312(d),164.312(e)
     nist: AU-12(c),AU-12.1(iv)
     srg: SRG-OS-000472-GPOS-00217
     stigid@sle15: SLES-15-030770
@@ -36,6 +40,4 @@ template:
     vars:
         path: /var/log/wtmp
         key: session
-    backends:
-        ansible: "off"
-        bash: "off"
+