centos7:4:1:8 [2017/05/04 16:07] (current)
Piotr Kłoczewski created
Line 1: Line 1:
 +======4.1.8 Ensure login and logout events are collected (Scored)======
 +=====Profile Applicability=====  ​
 +<​code>​
 +Level 2 - Server
 +Level 2 - Workstation ​
 +</​code>​
 +
 +=====Description=====
 +Monitor login and logout events. The parameters below track changes to files associated with login/​logout events. The file ''/​var/​log/​lastlog''​ maintain records of the last time a user successfully logged in. The ''/​var/​run/​failock''​ directory maintains records of login failures via the ''​pam_faillock''​ module.
 +
 +=====Rationale=====
 +Monitoring login/​logout events could provide a system administrator with information associated with brute force attacks against user logins.
 +
 +=====Audit===== ​
 +Run the following command and verify output matches:
 +<​Code:​bash>​
 +# grep logins /​etc/​audit/​audit.rules ​
 +-w /​var/​log/​lastlog -p wa -k logins ​
 +-w /​var/​run/​faillock/​ -p wa -k logins
 +</​Code>​
 +
 +=====Remediation===== ​
 +Add the following lines to the /​etc/​audit/​audit.rules file:
 +<​Code:​bash>​
 +-w /​var/​log/​lastlog -p wa -k logins ​
 +-w /​var/​run/​faillock/​ -p wa -k logins
 +</​Code>​
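
Review bot: The Description names the directory as /var/run/failock (one "l"), while both the Audit and Remediation rules watch /var/run/faillock/, so the prose should be corrected to /var/run/faillock to match the path that is actually audited. In the same sentence, "The file /var/log/lastlog maintain records" should read "maintains records". The Audit step greps for the bare string "logins", which would also match any unrelated line in /etc/audit/audit.rules containing that word; it would help to state that the output must consist of exactly the two -w lines shown. The code tags are also inconsistent: Profile Applicability uses a lowercase code tag, while the Audit and Remediation blocks use Code:bash.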