Details
Monitor login and logout events. The parameters below track changes to files associated with login/logout events.
The file /var/log/lastlog maintain records of the last time a user successfully logged in.
The /var/run/faillock/ directory maintains records of login failures via the pam_faillock module.
Rationale:
Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.
Solution
Edit or create a file in the /etc/audit/rules.d/ directory ending in .rules
Example: vi /etc/audit/rules.d/50-logins.rules
Add the following lines:
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
Additional Information:
Reloading the auditd config to set active settings may require a system reboot.
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Audit and Accountability.This control applies to the following type of system Unix.