← Rules Catalog
mediumauditverified rollback-safe

Audit modifications to /var/log/faillock

audit-file-faillock · RHEL ≥ 8 · 1 impl

Description

Changes to /var/log/faillock must be audited. This directory contains account lockout information for failed login attempts.

Rationale

Auditing changes to faillock allows detection of attempts to manipulate account lockout status.

Check → Remediate

Checkaudit_rule_exists
rule:
-w /var/log/faillock -p wa -k logins
Remediateaudit_rule_set
rule:
-w /var/log/faillock -p wa -k logins
persist_file:
/etc/audit/rules.d/50-logins.rules

Framework references

STIG

V-258224 / RHEL-09-654250V-230466

NIST 800-53

AU-2AU-12AC-7

Live verification

rhel8:checkrhel9:check
#audit#auditd#faillock#lockout