Information
Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed login events. The file /var/log/lastlog maintains records of the last time each user successfully logged in. The file /var/log/tallylog maintains records of failures recorded by the pam_tally2 module.
Rationale:
Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.
Solution
Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules
Example: vi /etc/audit/rules.d/audit.rules
and add the following lines:
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
Notes:
Reloading the auditd config to set active settings may require a system reboot.
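The following POSIX shell script is an added example, not part of the benchmark text or of any auditd tooling. It checks a rules directory for the two watch rules given in the Solution above and appends whichever is missing, so the remediation is idempotent. The directory is passed as a parameter so the check can be exercised against a constructed sample directory instead of the live /etc/audit/rules.d/; the function names (has_login_watch, check_login_audit_rules, ensure_login_watches, make_sample_dir) and the sample contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the benchmark): verify and remediate the audit
# watch rules for login/logout files. Assumes POSIX sh, grep and mktemp.

# Return 0 if some *.rules file under DIR contains a line of the form
#   -w FILE -p wa -k logins
# and 1 otherwise. -s silences grep when DIR holds no *.rules files.
has_login_watch() {
    dir=$1
    file=$2
    grep -Eqs -- "^[[:space:]]*-w[[:space:]]+${file}[[:space:]]+-p[[:space:]]+wa[[:space:]]+-k[[:space:]]+logins([[:space:]]|$)" "$dir"/*.rules
}

# Report each recommended watch as OK or MISSING; return 1 if any is missing.
check_login_audit_rules() {
    dir=$1
    rc=0
    for f in /var/log/lastlog /var/run/faillock/; do
        if has_login_watch "$dir" "$f"; then
            echo "OK      -w $f -p wa -k logins"
        else
            echo "MISSING -w $f -p wa -k logins"
            rc=1
        fi
    done
    return $rc
}

# Append only the missing recommended lines to DIR/audit.rules, so running
# this twice does not duplicate rules.
ensure_login_watches() {
    dir=$1
    for f in /var/log/lastlog /var/run/faillock/; do
        if ! has_login_watch "$dir" "$f"; then
            printf '%s\n' "-w $f -p wa -k logins" >> "$dir/audit.rules"
        fi
    done
}

# Constructed sample: a temporary rules directory that already watches
# lastlog but not the faillock directory, i.e. a partially compliant host.
make_sample_dir() {
    d=$(mktemp -d)
    printf '%s\n' '-w /var/log/lastlog -p wa -k logins' > "$d/audit.rules"
    echo "$d"
}

# Stand-alone run: audit the sample, remediate it, audit again.
if [ "${0##*/}" != "sh" ] && [ -z "${NO_DEMO:-}" ]; then
    sample=$(make_sample_dir)
    check_login_audit_rules "$sample" || echo "remediating $sample"
    ensure_login_watches "$sample"
    check_login_audit_rules "$sample" && echo "rules file now compliant"
    rm -rf "$sample"
fi
```

The script only edits the rules files on disk; as the Notes say, the active auditd configuration still has to be reloaded (for example with augenrules --load, or a reboot where that is required), and a live check should also compare against the loaded rule set from auditctl -l rather than trusting the files alone.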
This Benchmark recommendation maps to:
Red Hat Enterprise Linux 7 Security Technical Implementation Guide:
Version 2, Release: 3 Benchmark Date: 26 Apr 2019
Vul ID: V-72145
Rule ID: SV-86769r4_rule
STIG ID: RHEL-07-030610
Severity: CAT II
Vul ID: V-72147
Rule ID: SV-86771r3_rule
STIG ID: RHEL-07-030620
Severity: CAT II