Information
Monitor login and logout events. The parameters below track changes to files associated with login/logout events.
- The file /var/log/faillog tracks failed events from login.
- The file /var/log/lastlog maintain records of the last time a user successfully logged in.
- The file /var/log/tallylog maintains records of failures via the pam_tally2 module
Note: Reloading the auditd config to set active settings requires the auditd service to be restarted, and may require a system reboot.
Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.
Solution
Edit or create a file in the /etc/audit/rules.d/ directory ending inrules
Example: vi /etc/audit/rules.d/logins.rules
and add the following lines:
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins