======4.1.8 Ensure login and logout events are collected (Scored)======
=====Profile Applicability=====  
<code>
Level 2 - Server
Level 2 - Workstation 
</code>

=====Description=====
Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file ''/var/log/lastlog'' maintain records of the last time a user successfully logged in. The ''/var/run/failock'' directory maintains records of login failures via the ''pam_faillock'' module.

=====Rationale=====
Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins.

=====Audit===== 
Run the following command and verify output matches:
<Code:bash>
# grep logins /etc/audit/audit.rules 
-w /var/log/lastlog -p wa -k logins 
-w /var/run/faillock/ -p wa -k logins
</Code>

=====Remediation===== 
Add the following lines to the /etc/audit/audit.rules file:
<Code:bash>
-w /var/log/lastlog -p wa -k logins 
-w /var/run/faillock/ -p wa -k logins
</Code>