mediumauditverified ✓rollback-safe
Audit modifications to /var/log/faillock
audit-file-faillock · RHEL ≥ 8 · 1 impl
Description
Changes to /var/log/faillock must be audited. This directory contains account lockout information for failed login attempts.
Rationale
Auditing changes to faillock allows detection of attempts to manipulate account lockout status.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -w /var/log/faillock -p wa -k logins
Remediateaudit_rule_set
- rule:
- -w /var/log/faillock -p wa -k logins
- persist_file:
- /etc/audit/rules.d/50-logins.rules
Framework references
STIG
V-258224 / RHEL-09-654250V-230466
NIST 800-53
AU-2AU-12AC-7
Live verification
rhel8:checkrhel9:check
#audit#auditd#faillock#lockout