Detections
Analytics
4.1.8 Ensure login and logout events are collected - /var/run/faillock/
Information
Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.Solution
Add the following lines to the /etc/audit/audit.rules file:-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
See Also
https://benchmarks.cisecurity.org/tools2/linux/CIS_Amazon_Linux_Benchmark_v2.0.0.pdf
Item Details
Audit Name: CIS Amazon Linux v2.0.0 L2
Category: AUDIT AND ACCOUNTABILITY
References: 800-53|AU-12
Plugin: Unix
Control ID: 92e32f84b61081bce95671de885abff6c91ca3a2156407d5273186067b2492cb