The audit system already collects process information for all users and root. To watch for attempted manual edits of files involved in storing such process information, add the following to '/etc/audit/audit.rules':

-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session

Manual editing of these files may indicate nefarious activity, such as an attacker attempting to remove evidence of an intrusion.

oval:org.secpod.oval:def:48805
oval:org.secpod.oval:def:48292
SCAP Repo OVAL Definition 2018-11-08
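The following is an added example, not part of the SCAP Repo entry above, showing how a POSIX shell check can confirm that an audit rules file actually carries the three session-file watches. The function name check_session_watches, the rules-file argument and the sample rules files are constructed for this demonstration; it accepts only the literal "-p wa -k session" form given above, and on systems that assemble rules from /etc/audit/rules.d with augenrules you would point it at the relevant file there instead of /etc/audit/audit.rules.

```shell
#!/bin/sh
# Added example (not part of the SCAP Repo entry): verify that an audit rules
# file contains watches for utmp, btmp and wtmp with write/attribute (wa)
# permissions under the "session" key, as the entry above prescribes.
# Usage: check_session_watches /etc/audit/audit.rules
# Prints one line per missing watch; returns 0 if all three are present,
# 1 otherwise.
check_session_watches() {
    rules_file="$1"
    missing=0
    for f in /var/run/utmp /var/log/btmp /var/log/wtmp; do
        # Drop comment lines first, so a commented-out rule does not count,
        # then require the exact "-w FILE -p wa -k session" form (any spacing).
        if ! grep -Ev '^[[:space:]]*#' "$rules_file" 2>/dev/null \
             | grep -Eq -- "^[[:space:]]*-w[[:space:]]+$f[[:space:]]+-p[[:space:]]+wa[[:space:]]+-k[[:space:]]+session([[:space:]]|$)"; then
            echo "missing audit watch for $f"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample rules files so the check can be exercised offline.
DEMO_DIR=$(mktemp -d)

# Compliant: all three watches present.
cat > "$DEMO_DIR/complete.rules" <<'EOF'
# session file watches
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
EOF

# Noncompliant: one watch present, one commented out, one absent.
cat > "$DEMO_DIR/partial.rules" <<'EOF'
-w /var/run/utmp -p wa -k session
# -w /var/log/btmp -p wa -k session
EOF

check_session_watches "$DEMO_DIR/complete.rules" && echo "complete.rules: all session watches present"
check_session_watches "$DEMO_DIR/partial.rules" || echo "partial.rules: noncompliant"
```

Run it against the live rules file after loading the rules (for example, after `augenrules --load` or `auditctl -R`); a nonzero exit from the function is a convenient signal for a compliance script, and the printed lines name exactly which watch to add.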