Detections
Analytics

1.440 RHEL-09-654250

Information

RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/faillock.

GROUP ID: V-258224
RULE ID: SV-258224r1014988

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218

Solution

Configure RHEL 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/faillock".

Add or update the following file system rule to "/etc/audit/rules.d/audit.rules":

-w /var/log/faillock -p wa -k logins

The audit daemon must be restarted for the changes to take effect.

$ sudo service auditd restart

See Also

https://workbench.cisecurity.org/benchmarks/22008

Item Details

Category: AUDIT AND ACCOUNTABILITY, MAINTENANCE

References: 800-53|AU-12c., 800-53|MA-4(1), CAT|II, CCI|CCI-000172, CCI|CCI-002884, Rule-ID|SV-258224r1014988_rule, STIG-ID|RHEL-09-654250, Vuln-ID|V-258224

Plugin: Unix

Control ID: d18188fee6ee7a261d37822f4804925a928fede0383f60aaa153ea0b2083f764