mediumauditunverified
Audit write/attribute changes to /var/log/faillock (RHEL 10)
audit-faillock-write-rhel10 · RHEL ≥ 10 · 1 impl
Description
On RHEL 10, record write and attribute changes to /var/log/faillock via the syscall-form audit rule (RHEL 10 deprecated the legacy -w watch form).
Rationale
Auditing changes to account-lockout files supports detection of unauthorized modification and forensic reconstruction.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -a always,exit -F path=/var/log/faillock -F perm=wa
Remediatemanual
- note:
- Add `-a always,exit -F arch=b64 -F path=/var/log/faillock -F perm=wa -k identity` (and the b32 form) to /etc/audit/rules.d/ and augenrules --load.
Framework references
STIG
V-281161 / RHEL-10-500750
NIST 800-53
AU-12AC-6
#audit#faillock#stig