Information
Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains a tally of failed logins associated with programs that use pam for authentication and have the pam_tally2.so module configured. The file /var/log/btmp keeps track of failed login attempts and can be read by entering the command /usr/bin/last -f /var/log/btmp. All audit records will be tagged with the identifier 'logins.'
Rationale:
Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.
Solution
Add the following lines to the /etc/audit/audit.rules file.
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
-w /var/log/btmp -p wa -k session
Execute the following command to restart auditd
# pkill -P 1-HUP auditd
Default Value:
OS Default: N/A