Detections
Analytics

4.1.3.13 Ensure login and logout events are collected - faillock

Information

Monitor login and logout events. The parameters below track changes to files associated with login/logout events.

The file /var/log/lastlog maintain records of the last time a user successfully logged in.

The /var/run/faillock/ directory maintains records of login failures via the pam_faillock module.

Note: Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.

Rationale:

Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.

Solution

Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules
Example: vi /etc/audit/rules.d/50-logins.rules
Add the following lines:

-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins

See Also

https://workbench.cisecurity.org/files/3636

Item Details

Category: AUDIT AND ACCOUNTABILITY, MAINTENANCE

References: 800-53|AU-2d., 800-53|AU-12c., 800-53|MA-4(1)(a), CCI|CCI-000126, CCI|CCI-000172, CCI|CCI-002884, CSCv7|4.9, CSCv7|6.2, CSCv7|16.13, Rule-ID|SV-204540r603261_rule, Rule-ID|SV-204541r603261_rule, STIG-ID|RHEL-07-030610

Plugin: Unix

Control ID: 657959072d13ed0178d7135ab0bd731c9747744847c2a04677a51e02fc91023b