>From b06fbb2086ee501fbbcd9e184fd3162a003d4b6e Mon Sep 17 00:00:00 2001 From: Shawn Wells Date: Sat, 25 Feb 2012 17:02:50 -0500 Subject: [PATCH 22/24] Updated audit_login_config to include PAM config - Updated audit_login_config to include PAM configuration files
---
 rhel6/src/input/system/auditing.xml | 11 ++++++++++- 1 files changed, 10 insertions(+), 1 deletions(-)
diff --git a/rhel6/src/input/system/auditing.xml b/rhel6/src/input/system/auditing.xml
index fc618d0..a8d7b67 100644
--- a/rhel6/src/input/system/auditing.xml
+++ b/rhel6/src/input/system/auditing.xml
@@ -196,7 +196,16 @@ to capture events that modify account changes:
 -w /etc/securetty -p wa -k audit_login_config
 -w /var/run/faillock -p wa -k audit_login_config
 -w /var/log/lastlog -p wa -k audit_login_config
--w /var/log/tallylog -p wa -k audit_login_config
+-w /var/log/tallylog -p wa -k audit_login_config
+-w /etc/pam.d/ -p wa -k audit_login_config
+-w /etc/security/access.conf -p wa -k audit_login_config
+-w /etc/security/limits.conf -p wa -k audit_login_config
+-w /etc/security/pam_env.conf -p wa -k audit_login_config
+-w /etc/security/namespace.conf -p wa -k audit_login_config
+-w /etc/security/namespace.d/ -p wa -k audit_login_config
+-w /etc/security/namespace.init -p wa -k audit_login_config
+-w /etc/security/sepermit.conf -p wa -k audit_login_config
+-w /etc/security/time.conf -p wa -k audit_login_config
 Alterations to login configuration files could indicate malicious intent, such as automatically running an executable upon every users login.
--
1.7.1
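Review bot: The added `/etc/security/` watches are listed file by file and omit `/etc/security/limits.d/`, which pam_limits reads alongside `limits.conf`, and `/etc/security/group.conf`, which pam_group reads. A change made through either path would produce no `audit_login_config` event even though it alters PAM session behaviour. I would add `-w /etc/security/limits.d/ -p wa -k audit_login_config` and `-w /etc/security/group.conf -p wa -k audit_login_config` after the `limits.conf` line. A single recursive watch on `/etc/security/` would also close the gap, but it would probably add noise from files rewritten during normal password changes, so the per-file form looks preferable. The rule list starts above this hunk, so confirm neither path is already watched earlier in the file.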