RHEL-10-500750 - RHEL 10 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/faillock".

Information

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218

Solution

Configure RHEL 10 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/faillock".

Add or update the following file system rule to "/etc/audit/rules.d/audit.rules":

-a always,exit -F arch=b32 -F path=/var/log/faillock -F perm=wa -F key=identity
-a always,exit -F arch=b64 -F path=/var/log/faillock -F perm=wa -F key=identity

Restart the audit daemon with the following command for the changes to take effect:

$ sudo service auditd restart

Item Details

Audit Name: DISA Red Hat Enterprise Linux 10 STIG v1r1

Category: AUDIT AND ACCOUNTABILITY, MAINTENANCE

Plugin: Unix

Control ID: 4e6db44acb4bcee3f8c1685562dc7345fad4b3885e10754452dae8d2bdcbd690

Detections

Analytics

RHEL-10-500750 - RHEL 10 must generate audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/faillock".

Information

Solution

See Also

Item Details