4.1.3.12 Ensure login and logout events are collected

Information

Monitor login and logout events. The parameters below track changes to files associated with login/logout events.

- /var/log/lastlog - maintain records of the last time a user successfully logged in.
- /var/run/faillock - directory maintains records of login failures via the pam_faillock module.

Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.

Solution

Edit or create a file in the /etc/audit/rules.d/ directory, ending inrules extension, with the relevant rules to monitor login and logout events.

Example:

# printf "
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock -p wa -k logins
" >> /etc/audit/rules.d/50-login.rules

Merge and load the rules into active configuration:

# augenrules --load

Check if reboot is required.

# if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules
"; fi

See Also

https://workbench.cisecurity.org/files/4239