{"description": "The audit system already collects login information for all users\nand root.\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt>\nprogram to read audit rules during daemon startup (the default), add the\nfollowing lines to a file with suffix <tt>.rules</tt> in the\ndirectory <tt>/etc/audit/rules.d</tt>:\n\n<pre>-w <sub idref=\"var_accounts_passwords_pam_faillock_dir\" /> -p wa -k logins</pre>\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>\nutility to read audit rules during daemon startup, add the following lines to\n<tt>/etc/audit/audit.rules</tt>:\n\n<pre>-w <sub idref=\"var_accounts_passwords_pam_faillock_dir\" /> -p wa -k logins</pre>", "rationale": "Manual editing of these files may indicate nefarious activity, such\nas an attacker attempting to remove evidence of an intrusion.", "severity": "medium", "references": {"cis-csc": ["1", "11", "12", "13", "14", "15", "16", "19", "2", "3", "4", "5", "6", "7", "8", "9"], "cobit5": ["APO10.01", "APO10.03", "APO10.04", "APO10.05", "APO11.04", "APO12.06", "APO13.01", "BAI03.05", "BAI08.02", "DSS01.03", "DSS01.04", "DSS02.02", "DSS02.04", "DSS02.07", "DSS03.01", "DSS03.05", "DSS05.02", "DSS05.03", "DSS05.04", "DSS05.05", "DSS05.07", "MEA01.01", "MEA01.02", "MEA01.03", "MEA01.04", "MEA01.05", "MEA02.01"], "cui": ["3.1.7"], "hipaa": ["164.308(a)(1)(ii)(D)", "164.308(a)(3)(ii)(A)", "164.308(a)(5)(ii)(C)", "164.312(a)(2)(i)", "164.312(b)", "164.312(d)", "164.312(e)"], "isa-62443-2009": ["4.2.3.10", "4.3.2.6.7", "4.3.3.3.9", "4.3.3.5.8", "4.3.3.6.6", "4.3.4.4.7", "4.3.4.5.6", "4.3.4.5.7", "4.3.4.5.8", "4.4.2.1", "4.4.2.2", "4.4.2.4"], "isa-62443-2013": ["SR 1.13", "SR 2.10", "SR 2.11", "SR 2.12", "SR 2.6", "SR 2.8", "SR 2.9", "SR 3.1", "SR 3.5", "SR 3.8", "SR 4.1", "SR 4.3", "SR 5.1", "SR 5.2", "SR 5.3", "SR 6.1", "SR 6.2", "SR 7.1", "SR 7.6"], "iso27001-2013": ["A.11.2.6", "A.12.4.1", "A.12.4.2", "A.12.4.3", "A.12.4.4", "A.12.7.1", "A.13.1.1", 
"A.13.2.1", "A.14.1.3", "A.14.2.7", "A.15.2.1", "A.15.2.2", "A.16.1.4", "A.16.1.5", "A.16.1.7", "A.6.2.1", "A.6.2.2"], "nist": ["AU-2(d)", "AU-12(c)", "AC-6(9)", "CM-6(a)"], "nist-csf": ["DE.AE-3", "DE.AE-5", "DE.CM-1", "DE.CM-3", "DE.CM-7", "ID.SC-4", "PR.AC-3", "PR.PT-1", "PR.PT-4", "RS.AN-1", "RS.AN-4"], "pcidss": ["Req-10.2.3"], "srg": ["SRG-OS-000392-GPOS-00172", "SRG-OS-000470-GPOS-00214", "SRG-OS-000473-GPOS-00218", "SRG-APP-000503-CTR-001275", "SRG-APP-000506-CTR-001290"], "anssi": ["R73"], "cis": ["6.3.3.12"], "ism": ["0582"], "pcidss4": ["10.2.1.3", "10.2.1", "10.2"]}, "control_references": {"anssi": ["R73"], "cis": ["6.3.3.12"], "ism": ["0582"], "pcidss4": ["10.2.1.3", "10.2.1", "10.2"]}, "components": [], "identifiers": {}, "ocil_clause": "the command does not return a line, or the line is commented out", "ocil": "Verify Ubuntu 22.04 generates audit records for all events that affect \"<sub idref=\"var_accounts_passwords_pam_faillock_dir\" />\" with the following command:\n\n$ sudo auditctl -l | grep <sub idref=\"var_accounts_passwords_pam_faillock_dir\" />\n\n-w <sub idref=\"var_accounts_passwords_pam_faillock_dir\" /> -p wa -k logins", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to generate audit records for all account creations, modifications, disabling, and termination events that affect <tt>\"<sub idref=\"var_accounts_passwords_pam_faillock_dir\" />\"</tt>.\n\nAdd or update the following file system rule to <tt>\"/etc/audit/rules.d/audit.rules\"</tt>:\n\n-w <sub idref=\"var_accounts_passwords_pam_faillock_dir\" /> -p wa -k logins\n\nThe audit daemon must be restarted for the changes to take effect.", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must generate audit records for all account creations, modifications, disabling, and termination events that affect <sub idref=\"var_accounts_passwords_pam_faillock_dir\" />.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": 
{"srg_requirement": "Ubuntu 22.04 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/faillock.", "vuldiscussion": "Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one.", "checktext": "Verify Ubuntu 22.04 generates audit records for all account creations, modifications, disabling, and termination events that affect \"/var/log/faillock\" with the following command:\n\n$ sudo auditctl -l | grep /var/log/faillock\n\n-a always,exit -F arch=b32 -F path=/var/log/faillock -F perm=wa -F key=identity\n-a always,exit -F arch=b64 -F path=/var/log/faillock -F perm=wa -F key=identity\n\n\nIf the command does not return a line, or the line is commented out, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to generate audit records for all account creations, modifications, disabling, and termination events that affect \"/var/log/faillock\".\n\nAdd or update the following file system rule to \"/etc/audit/rules.d/audit.rules\":\n\n-a always,exit -F arch=b32 -F path=/var/log/faillock -F perm=wa -F key=identity\n-a always,exit -F arch=b64 -F path=/var/log/faillock -F perm=wa -F key=identity\n\nThe audit daemon must be restarted for the changes to take effect."}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel", "package[audit]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel", "package_audit"], "bash_conditional": null, "fixes": {}, "title": "Record Attempts to Alter Logon and Logout Events - faillock", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml", "template": {"name": "audit_rules_watch", "vars": {"path": 
"var_accounts_passwords_pam_faillock_dir", "path_is_variable": "true", "key": "logins"}, "backends": {}}}