5.3.9 Collect Login and Logout Events - /var/log/lastlog

Information

Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains a tally of failed logins associated with programs that use pam for authentication and have the pam_tally2.so module configured. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp. All audit records will be tagged with the identifier 'logins.'

Rationale:

Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.

Solution

Add the following lines to the /etc/audit/audit.rules file.

-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
-w /var/log/btmp -p wa -k session

Execute the following command to restart auditd

# pkill -P 1-HUP auditd

Default Value:

OS Default: N/A

See Also

https://workbench.cisecurity.org/files/3096

Item Details

Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

References: 800-53|AC-2(12), 800-53|AU-3, CSCv7|4.9, CSCv7|16.13

Plugin: Unix

Control ID: 25cf59034b7efcd9f5903f863229849041de3025c001b2b6e9df127d2b6e76b3