{"description": "PAM faillock locks an account due to excessive password failures, this event must be logged.", "rationale": "Without auditing of these events it may be harder or impossible to identify what an attacker did after an attack.", "severity": "medium", "references": {"nist": ["AC-7 (a)"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the \"audit\" option is not set, is missing or commented out", "ocil": "Verify the \"/etc/security/faillock.conf\" file is configured to log user name information when unsuccessful logon attempts occur:\n\n$ sudo grep audit /etc/security/faillock.conf\n\naudit", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to log user name information when unsuccessful logon attempts occur.\n\nAdd/Modify the \"/etc/security/faillock.conf\" file to match the following line:\n\naudit", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must log user name information when unsuccessful logon attempts occur.", "warnings": [{"general": "This rule is deprecated in favor of the <code>accounts_passwords_pam_faillock_audit</code> rule. Please consider replacing this rule in your files as it is not expected to receive\nupdates as of version <code>0.1.65</code>."}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must log user name information when unsuccessful logon attempts occur.", "vuldiscussion": "Without auditing of these events it may be harder or impossible to identify what an attacker did after an attack.", "checktext": "Verify the \"/etc/security/faillock.conf\" file is configured to log user name information when unsuccessful logon attempts occur:\n\n$ sudo grep audit /etc/security/faillock.conf\n\naudit\n\nIf the \"audit\" option is not set, is missing or commented out, then this is a finding.", "fixtext": "Configure Ubuntu 22.04 to log user name information when unsuccessful logon attempts occur.\n\nAdd/Modify the \"/etc/security/faillock.conf\" file to match the following line:\n\naudit"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Account Lockouts Must Be Logged", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_audit/rule.yml", "template": null}