← Rules Catalog
mediumauditverified ✓✓rollback-safe

Audit modifications to /var/log/lastlog

audit-file-lastlog · RHEL ≥ 8, UBUNTU ≥ 22 · 1 impl

Description

Changes to /var/log/lastlog must be audited. This file records the last login time for each user account.

Rationale

Auditing changes to lastlog allows detection of attempts to manipulate login records or hide unauthorized access.

Check → Remediate

Checkaudit_rule_exists
rule:
-w /var/log/lastlog -p wa -k logins
Remediateaudit_rule_set
rule:
-w /var/log/lastlog -p wa -k logins
persist_file:
/etc/audit/rules.d/50-logins.rules

Framework references

STIG

V-258225 / RHEL-09-654255V-230467V-270797 / UBTU-24-900260V-260645 / UBTU-22-654215

NIST 800-53

AU-2AU-12AC-7

Live verification

rhel8:checkrhel9:checkubuntu22:checkubuntu24:checkubuntu24:remediate
#audit#auditd#lastlog#logins