Information
Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The /var/run/failock directory maintains records of login failures via the pam_faillock module.
Rationale:
Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.
Solution
Add the following lines to the /etc/audit/rules.d/audit.rules file:
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins