4.1.7 Ensure login and logout events are collected - auditctl faillog

Information

Monitor login and logout events. The parameters below track changes to files associated with login/logout events.

The file /var/log/faillog tracks failed events from login.

The file /var/log/lastlog maintain records of the last time a user successfully logged in.

The /var/run/faillock/ directory maintains records of login failures via the pam_faillock module.

The file /var/log/tallylog maintains records of failures via the pam_tally2 module

Note: Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.

Rationale:

Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.

Solution

Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules
Example: vi /etc/audit/rules.d/logins.rules
and add the following lines:

-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins

IF the pam_faillock.so module is used:
Also include the line:

-w /var/run/faillock/ -p wa -k logins

OR IF the pam_tally2.so module is used:
Also include the line:

-w /var/log/tallylog -p wa -k logins

See Also

https://workbench.cisecurity.org/files/2925

Item Details

Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

References: 800-53|AC-2(12), 800-53|AC-11, 800-53|AU-3, CSCv7|4.9, CSCv7|16.11, CSCv7|16.13

Plugin: Unix

Control ID: e193af1dc71ef5c523e6257d63c65e2728d0a37c8b93e059a539302e4df82122