RHEL-09-654250 - RHEL 9 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/faillock.

Information

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.

Satisfies: SRG-OS-000392-GPOS-00172, SRG-OS-000470-GPOS-00214, SRG-OS-000473-GPOS-00218

Solution

Configure RHEL 9 to generate audit records for all account creations, modifications, disabling, and termination events that affect '/var/log/faillock'.

Add or update the following file system rule to '/etc/audit/rules.d/audit.rules':

-w /var/log/faillock -p wa -k logins

The audit daemon must be restarted for the changes to take effect.

$ sudo service auditd restart

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_9_V2R2_STIG.zip

Item Details

Category: AUDIT AND ACCOUNTABILITY, MAINTENANCE

References: 800-53|AU-12c., 800-53|MA-4(1)(a), CAT|II, CCI|CCI-000172, CCI|CCI-002884, Rule-ID|SV-258224r1014988_rule, STIG-ID|RHEL-09-654250, Vuln-ID|V-258224

Plugin: Unix

Control ID: a1ddb5c5459f763e110ccef421a16e8438bcdf2b0342608d8d1728b5e753426a