← Rules Catalog
mediumaccess-controlverified rollback-safe

Enable audit logging for failed logon attempts

pam-faillock-audit · RHEL ≥ 8 · 1 impl

Description

The audit option in /etc/security/faillock.conf must be enabled so that username information is logged when unsuccessful logon attempts occur.

Rationale

Without auditing of failed logon attempts, it is difficult to detect brute-force attacks or unauthorized access attempts. The audit option causes pam_faillock to send information about failed attempts to the audit log.

Check → Remediate

Checkconfig_value
path:
/etc/security/faillock.conf
key:
audit
Remediateconfig_append
path:
/etc/security/faillock.conf
line:
audit

Framework references

STIG

V-281100 / RHEL-10-500020V-258070 / RHEL-09-412045V-230342V-230343 / RHEL-08-020021

NIST 800-53

AU-2AC-7

Live verification

rhel8:checkrhel9:check
#pam#authentication#faillock#audit