======4.1.9 Ensure session initiation information is collected (Scored)======
=====Profile Applicability=====  
<code>
Level 2 - Server
Level 2 - Workstation 
</code>

=====Description=====
Monitor session initiation events. The parameters in this section track changes to the files associated with session events. The file ''/var/run/utmp'' file tracks all currently logged in users. The ''/var/log/wtmp'' file tracks logins, logouts, shutdown, and reboot events. All audit records will be tagged with the identifier "session." The file ''/var/log/btmp'' keeps track of failed login attempts and can be read by entering the command ''/usr/bin/last -f /var/log/btmp''. All audit records will be tagged with the identifier "logins."

=====Rationale=====
Monitoring these files for changes could alert a system administrator to logins occurring at unusual hours, which could indicate intruder activity (i.e. a user logging in at a time when they do not normally log in).

=====Audit===== 
Run the following command and verify output matches:
<Code:bash>
# grep session /etc/audit/audit.rules 
-w /var/run/utmp -p wa -k session 
-w /var/log/wtmp -p wa -k session 
-w /var/log/btmp -p wa -k session
</Code>

=====Remediation===== 
Add the following lines to the /etc/audit/audit.rules file:
<Code:bash>
-w /var/run/utmp -p wa -k session 
-w /var/log/wtmp -p wa -k session 
-w /var/log/btmp -p wa -k session
</Code>

=====Notes===== 
The ''last'' command can be used to read ''/var/log/wtmp'' (last with no parameters) and ''/var/run/utmp'' (''last -f /var/run/utmp'')