4.1.8 Ensure login and logout events are collected - /var/run/faillock/

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.

Solution

Add the following lines to the /etc/audit/audit.rules file:
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins

See Also

https://workbench.cisecurity.org/files/1859

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-12, CSCv6|5.5, CSCv6|16.4, CSCv6|16.10

Plugin: Unix

Control ID: b854da2fb4b1e5934779d975f93065bf9bd41eb60449a646e7703639fca2df88