Show pageOld revisionsBacklinksBack to top This page is read only. You can view the source, but not change it. Ask your administrator if you think this is wrong. ======4.1.8 Ensure login and logout events are collected (Scored)====== =====Profile Applicability===== <code> Level 2 - Server Level 2 - Workstation </code> =====Description===== Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file ''/var/log/lastlog'' maintain records of the last time a user successfully logged in. The ''/var/run/failock'' directory maintains records of login failures via the ''pam_faillock'' module. =====Rationale===== Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins. =====Audit===== Run the following command and verify output matches: <Code:bash> # grep logins /etc/audit/audit.rules -w /var/log/lastlog -p wa -k logins -w /var/run/faillock/ -p wa -k logins </Code> =====Remediation===== Add the following lines to the /etc/audit/audit.rules file: <Code:bash> -w /var/log/lastlog -p wa -k logins -w /var/run/faillock/ -p wa -k logins </Code> centos7/4/1/8.txt Last modified: 2017/05/04 18:07by Piotr Kłoczewski