Information
Monitor login and logout events. The parameters below track changes to files associated with login/logout events.
/var/log/lastlog - maintain records of the last time a user successfully logged in.
/var/run/faillock - directory maintains records of login failures via the pam_faillock module.
Rationale:
Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.
Solution
Edit or create a file in the /etc/audit/rules.d/ directory, ending in .rules extension, with the relevant rules to monitor login and logout events.
Example:
# printf '
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock -p wa -k logins
' >> /etc/audit/rules.d/50-login.rules
Merge and load the rules into active configuration:
# augenrules --load
Check if reboot is required.
# if [[ $(auditctl -s | grep 'enabled') =~ '2' ]]; then printf 'Reboot required to load rules
'; fi