mediumauditverified ✓✓rollback-safe
Audit modifications to /var/log/lastlog
audit-file-lastlog · RHEL ≥ 8, UBUNTU ≥ 22 · 1 impl
Description
Changes to /var/log/lastlog must be audited. This file records the last login time for each user account.
Rationale
Auditing changes to lastlog allows detection of attempts to manipulate login records or hide unauthorized access.
Check → Remediate
Checkaudit_rule_exists
- rule:
- -w /var/log/lastlog -p wa -k logins
Remediateaudit_rule_set
- rule:
- -w /var/log/lastlog -p wa -k logins
- persist_file:
- /etc/audit/rules.d/50-logins.rules
Framework references
STIG
V-258225 / RHEL-09-654255V-230467V-270797 / UBTU-24-900260V-260645 / UBTU-22-654215
NIST 800-53
AU-2AU-12AC-7
Live verification
rhel8:checkrhel9:checkubuntu22:checkubuntu24:checkubuntu24:remediate
#audit#auditd#lastlog#logins