4.1.8 Ensure login and logout events are collected - /var/run/faillock/

Information

Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.

Solution

Add the following lines to the /etc/audit/audit.rules file:
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins

See Also

https://workbench.cisecurity.org/files/1863

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12c., CSCv6|5.5, CSCv6|16.4, CSCv6|16.10

Plugin: Unix

Control ID: 92e32f84b61081bce95671de885abff6c91ca3a2156407d5273186067b2492cb