Detections
Analytics
RHEL-09-412045 - RHEL 9 must log username information when unsuccessful logon attempts occur.
Information
Without auditing of these events, it may be harder or impossible to identify what an attacker did after an attack.Solution
Configure RHEL 9 to log username information when unsuccessful logon attempts occur.Enable the feature using the following command:
$ sudo authselect enable-feature with-faillock
Add/modify the "/etc/security/faillock.conf" file to match the following line:
audit
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_9_V2R8_STIG.zip
Item Details
Audit Name: DISA Red Hat Enterprise Linux 9 STIG v2r8
Category: ACCESS CONTROL
References: 800-53|AC-7a., CAT|II, CCI|CCI-000044, Rule-ID|SV-258070r1045153_rule, STIG-ID|RHEL-09-412045, Vuln-ID|V-258070
Plugin: Unix
Control ID: f109e82f754d43f1c8686963cf4d51d282999df67f553f9fa1559b9a7bcc0f5e