Show pageOld revisionsBacklinksBack to top This page is read only. You can view the source, but not change it. Ask your administrator if you think this is wrong. ======4.1.8 Ensure login and logout events are collected (Scored)====== =====Profile Applicability===== <code> Level 2 - Server Level 2 - Workstation </code> =====Description===== Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file ''/var/log/faillog'' tracks failed events from login. The file ''/var/log/lastlog'' maintain records of the last time a user successfully logged in. The file ''/var/log/tallylog'' maintains records of failures via the ''pam_tally2'' module =====Rationale===== Monitoring login/logout events could provide a system administrator with information associated with brute force attacks against user logins. =====Audit===== Run the following command and verify output matches: <Code:bash> # grep logins /etc/audit/audit.rules -w /var/log/faillog -p wa -k logins -w /var/log/lastlog -p wa -k logins -w /var/log/tallylog -p wa -k logins </Code> =====Remediation===== Add the following lines to the /etc/audit/audit.rules file: <Code:bash> -w /var/log/faillog -p wa -k logins -w /var/log/lastlog -p wa -k logins -w /var/log/tallylog -p wa -k logins </Code> ubuntu1604/4/1/8.txt Last modified: 2017/05/02 15:16by Piotr Kłoczewski