← Rules Catalog
mediumauditverified ✓✓rollback-safe

Audit access to /var/log/faillog (Ubuntu)

audit-watch-faillog · UBUNTU ≥ 22 · 1 impl

Description

Modifications to /var/log/faillog must generate an audit record so that failed login attempts can be traced to an individual.

Rationale

Auditing this path supports detection of unauthorized changes and forensic reconstruction of events.

Check → Remediate

Checkaudit_rule_exists
rule:
-w /var/log/faillog -p wa -k logins
Remediateaudit_rule_set
rule:
-w /var/log/faillog -p wa -k logins
persist_file:
/etc/audit/rules.d/50-watch-faillog.rules

Framework references

STIG

V-270796 / UBTU-24-900250V-260644 / UBTU-22-654210

NIST 800-53

AU-2AU-12

Live verification

ubuntu22:checkubuntu24:checkubuntu24:remediate
#audit#auditd#watch