Details
Monitor login and logout events. The parameters below track changes to files associated
with login/logout events. The file /var/log/faillog tracks failed events from login. The file
/var/log/lastlog maintain records of the last time a user successfully logged in. The file
/var/log/tallylog maintains records of failures via the pam_tally2 module
*Rationale*
Monitoring login/logout events could provide a system administrator with information
associated with brute force attacks against user logins.
Solution
Add the following lines to the /etc/audit/audit.rules file.-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
# Execute the following command to restart auditd
# pkill -HUP -P 1 auditd
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Audit and Accountability.This control applies to the following type of system Unix.