mediumaccess-controlverified ✓rollback-safe
Enable audit logging for failed logon attempts
pam-faillock-audit · RHEL ≥ 8 · 1 impl
Description
The audit option in /etc/security/faillock.conf must be enabled so that username information is logged when unsuccessful logon attempts occur.
Rationale
Without auditing of failed logon attempts, it is difficult to detect brute-force attacks or unauthorized access attempts. The audit option causes pam_faillock to send information about failed attempts to the audit log.
Check → Remediate
Checkconfig_value
- path:
- /etc/security/faillock.conf
- key:
- audit
Remediateconfig_append
- path:
- /etc/security/faillock.conf
- line:
- audit
Framework references
STIG
V-281100 / RHEL-10-500020V-258070 / RHEL-09-412045V-230342V-230343 / RHEL-08-020021
NIST 800-53
AU-2AC-7
Live verification
rhel8:checkrhel9:check
#pam#authentication#faillock#audit