The audit system already collects process information for all
users and root. To watch for attempted manual edits of files involved in
storing such process information, add the following to
'/etc/audit/audit.rules':
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
Manual editing of these files may indicate nefarious activity, such
as an attacker attempting to remove evidence of an intrusion.
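A quick way to verify the rules above are actually in place is to check the rules file for each of the three watches. The following POSIX shell function is an added example, not part of the SCAP rule text or the audit project: it takes the path of a rules file (assumed to be '/etc/audit/audit.rules' or a file in '/etc/audit/rules.d/'), ignores comment lines, and reports any session file that lacks a '-w' watch whose '-p' permissions include both 'w' and 'a'. The sample rule sets it runs against are constructed inline for demonstration.

```shell
#!/bin/sh
# Added example: verify that the utmp/btmp/wtmp watches are present in an
# audit rules file. Exit status is the number of missing watches (0 = all present).
check_session_watches() {
    rules_file="$1"
    missing=0
    for f in /var/run/utmp /var/log/btmp /var/log/wtmp; do
        # Skip comment lines, then require a "-w <file>" rule whose -p field
        # contains both 'w' (write) and 'a' (attribute change), in any order.
        if grep -Ev '^[[:space:]]*#' "$rules_file" 2>/dev/null \
           | grep -E -- "-w[[:space:]]+$f([[:space:]]|\$)" \
           | grep -E -- '-p[[:space:]]+[rwxa]*w[rwxa]*' \
           | grep -Eq -- '-p[[:space:]]+[rwxa]*a[rwxa]*'; then
            :
        else
            echo "MISSING: -w $f -p wa -k session"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Helper for the demonstration: write constructed rule lines to a temp file
# and print its path. These are sample files, not real system configuration.
make_sample() {
    tmp=$(mktemp)
    printf '%s\n' "$@" > "$tmp"
    echo "$tmp"
}

# Demonstration on two constructed rule sets.
compliant=$(make_sample \
    '# session initiation files' \
    '-w /var/run/utmp -p wa -k session' \
    '-w /var/log/btmp -p wa -k session' \
    '-w /var/log/wtmp -p wa -k session')
if check_session_watches "$compliant"; then
    echo "compliant sample: all session watches present"
fi

# Missing utmp watch (only commented out) and a wtmp watch without 'a'.
partial=$(make_sample \
    '# -w /var/run/utmp -p wa -k session' \
    '-w /var/log/btmp -p aw -k session' \
    '-w /var/log/wtmp -p w -k session')
if ! check_session_watches "$partial"; then
    echo "partial sample: remediation needed"
fi

rm -f "$compliant" "$partial"
```

Run it as 'sh check_session_watches.sh' to see the two sample results, or source the file and call 'check_session_watches /etc/audit/audit.rules' against the live configuration; a non-zero exit status lists exactly which watches to add.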
oval:org.secpod.oval:def:31082
oval:org.secpod.oval:def:30359
SCAP Repo OVAL Definition
2015-11-13