
4.1.3.12 Ensure login and logout events are collected

Audit

On disk configuration

Run the following command to check the on disk rules:

# awk '/^ *-w/ \
&&(/\/var\/log\/lastlog/ \
 ||/\/var\/run\/faillock/) \
&&/ +-p *wa/ \
&&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)' /etc/audit/rules.d/*.rules

Verify the output matches:

-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock -p wa -k logins

Running configuration

Run the following command to check loaded rules:

# auditctl -l | awk '/^ *-w/ \
&&(/\/var\/log\/lastlog/ \
 ||/\/var\/run\/faillock/) \
&&/ +-p *wa/ \
&&(/ key= *[!-~]* *$/||/ -k *[!-~]* *$/)'

Verify the output matches:

-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock -p wa -k logins

Remediation

Edit or create a file in the /etc/audit/rules.d/ directory, ending in the .rules extension, with the relevant rules to monitor login and logout events. Note: /var/run/faillock is the default faillock directory; if the dir option in /etc/security/faillock.conf points elsewhere, watch that directory instead.

Example:

# printf "
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock -p wa -k logins
" >> /etc/audit/rules.d/50-login.rules

Merge and load the rules into active configuration:

# augenrules --load

Check whether a reboot is required. If auditctl -s reports enabled 2, the audit configuration is immutable and the new rules only take effect after a reboot.

# if [[ $(auditctl -s | grep "enabled") =~ "2" ]]; then printf "Reboot required to load rules\n"; fi
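The following script is an added example and not part of the benchmark text. It reproduces the on-disk and running-configuration audit above as a reusable function that reads either a rules.d file or saved auditctl -l output, and parses saved auditctl -s output for the reboot check. It is slightly more general than the benchmark's awk: it accepts any -p permission set that includes both w and a (so rwa passes, not only wa) and accepts the key in either the -k KEY or the older key=KEY form. The function names, LOGIN_WATCH_PATHS and the sample files are constructed for this example.

```bash
#!/bin/sh
# Added example (not from the benchmark): check login/logout watch rules and
# the immutable-mode reboot condition from saved files, so it runs offline.

# Paths the control expects a write/attribute watch on, each with a key.
LOGIN_WATCH_PATHS="/var/log/lastlog /var/run/faillock"

# check_login_watches FILE
#   FILE holds one audit rule per line: a /etc/audit/rules.d/*.rules file or
#   `auditctl -l` output saved to a file. A rule satisfies the control when it
#   is a "-w" watch on the path, its -p permissions include both w and a, and
#   it carries a key as "-k KEY" (rules.d form) or "key=KEY" (older auditctl
#   -l form). Prints each missing watch and returns 1; returns 0 if all pass.
check_login_watches() {
    file="$1"
    rc=0
    for path in $LOGIN_WATCH_PATHS; do
        if awk -v path="$path" '
            $1 == "-w" && $2 == path {
                perms = ""; key = ""
                for (i = 3; i <= NF; i++) {
                    if ($i == "-p")         perms = $(i + 1)
                    else if ($i == "-k")    key = $(i + 1)
                    else if ($i ~ /^key=/)  key = substr($i, 5)
                }
                if (perms ~ /w/ && perms ~ /a/ && key != "") found = 1
            }
            END { exit !found }' "$file"
        then
            :
        else
            printf 'missing or incomplete rule: -w %s -p wa -k <key>\n' "$path"
            rc=1
        fi
    done
    return $rc
}

# reboot_required FILE
#   FILE holds `auditctl -s` output. Returns 0 when the "enabled" flag is
#   exactly 2 (rules immutable until reboot), 1 otherwise.
reboot_required() {
    awk '$1 == "enabled" && $2 == 2 { found = 1 } END { exit !found }' "$1"
}

# Constructed sample inputs standing in for the real files.
demo_dir=$(mktemp -d)

# Compliant rules file, as the remediation writes it.
printf '%s\n' \
    '-w /var/log/lastlog -p wa -k logins' \
    '-w /var/run/faillock -p wa -k logins' > "$demo_dir/50-login.rules"

# Constructed loaded-rule output in the older key= form; faillock is only
# watched for reads, so this must fail.
printf '%s\n' \
    '-w /var/log/lastlog -p wa key=logins' \
    '-w /var/run/faillock -p r key=logins' > "$demo_dir/loaded.txt"

# Constructed `auditctl -s` output from a host in immutable mode.
printf 'enabled 2\nfailure 1\npid 812\n' > "$demo_dir/status.txt"

check_login_watches "$demo_dir/50-login.rules" && echo "on-disk rules: PASS"
check_login_watches "$demo_dir/loaded.txt" || echo "loaded rules: FAIL"
reboot_required "$demo_dir/status.txt" && echo "Reboot required to load rules"
rm -rf "$demo_dir"
```

On a live host, run check_login_watches against each file in /etc/audit/rules.d/ (or the concatenation of them) and against the output of auditctl -l saved to a file; a rule that is present on disk but absent from the loaded set means augenrules --load has not been run or the configuration is immutable, which reboot_required on saved auditctl -s output confirms.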