From 25cc2c12b583d458cc7aa225aeeab665533a2d7c Mon Sep 17 00:00:00 2001
From: samson <sccxboy@gmail.com>
Date: Tue, 30 Oct 2018 04:18:56 +0800
Subject: [PATCH] Add description for 8.1.26

---
 .../8.1.26_record_pam_tally_cmd_usage.sh      |  2 +-
 .../harbian_audit_Debian_9_Benchmark_v0.1.mkd | 26 +++++++++++++++++++
 2 files changed, 27 insertions(+), 1 deletion(-)

diff --git a/bin/hardening/8.1.26_record_pam_tally_cmd_usage.sh b/bin/hardening/8.1.26_record_pam_tally_cmd_usage.sh
index d11cb70..d824fe8 100755
--- a/bin/hardening/8.1.26_record_pam_tally_cmd_usage.sh
+++ b/bin/hardening/8.1.26_record_pam_tally_cmd_usage.sh
@@ -6,7 +6,7 @@
 
 #
 # 8.1.26  Recored pam_tally/pam_tally2 command usage (Scored)
-# Authors : Samson wen, Samson <sccxboy@gmail.com>
+# Authors : Samson wen, Samson <sccxboy@gmail.com> Author add this 
 #
 
 set -e # One error, it's over
diff --git a/docs/harbian_audit_Debian_9_Benchmark_v0.1.mkd b/docs/harbian_audit_Debian_9_Benchmark_v0.1.mkd
index 9ec2b4b..32b4b8e 100644
--- a/docs/harbian_audit_Debian_9_Benchmark_v0.1.mkd
+++ b/docs/harbian_audit_Debian_9_Benchmark_v0.1.mkd
@@ -314,6 +314,32 @@ Fixtext: Configure the operating system to generate audit records when successfu
 ```
 The audit daemon must be restarted for the changes to take effect.
 
+## 8.1.26 Recored pam_tally/pam_tally2 command usage (scored)
+
+### Profile Applicability
+Level 4
+
+### Description
+All uses of the pam_tally/pam_tally2 command must be audited.
+
+### Rationale
+Without generating audit records that are specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.
+
+### Aduit
+Verify the operating system generates audit records when successful/unsuccessful attempts to use the "pam_tally/pam_tally2" command occur. Check the auditing rules in "/etc/audit/audit.rules" with the following command:
+```
+# grep "/sbin/pam_tally[2]*" /etc/audit/audit.rules
+-a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295  -k privileged-pam
+-a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -F auid>=1000 -F auid!=4294967295  -k privileged-pam
+```
+If the command does not return any output, this is a finding.
+
+Fixtext: Configure the operating system to generate audit records when successful/unsuccessful attempts to use the "pam_tally/pam_tally2" command occur. Add or update the following rule in "/etc/audit/rules.d/audit.rules": 
+```
+-a always,exit -F path=/sbin/pam_tally -F perm=wxa -F auid>=1000 -F auid!=4294967295  -k privileged-pam
+-a always,exit -F path=/sbin/pam_tally2 -F perm=wxa -F auid>=1000 -F auid!=4294967295  -k privileged-pam
+```
+The audit daemon must be restarted for the changes to take effect.
 
 ## 8.5 Verifies integrity all packages (scored)