4.1.8 Ensure login and logout events are collected - /var/run/faillock/

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.

Solution

Add the following lines to the /etc/audit/audit.rules file:
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins

See Also

https://workbench.cisecurity.org/files/1861

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12, CSCv6|5.5, CSCv6|16.4, CSCv6|16.10

Plugin: Unix

Control ID: 420a8e06e73775174166c804ee14c61ca6683d3c5b9a157d007513c52ade173e