{"description": "To configure the system to notify users of last logon/access using <tt>pam_lastlog</tt>,\nadd or correct the <tt>pam_lastlog</tt> settings in <tt>/etc/pam.d/login</tt>\nto include <tt>showfailed</tt> option, such as:\n<pre>session     required    pam_lastlog.so showfailed</pre>\nAnd make sure that the <tt>silent</tt> option is not set for this specific line.", "rationale": "Users need to be aware of activity that occurs regarding their account. Providing users with\ninformation regarding the number of unsuccessful attempts that were made to login to their\naccount allows the user to determine if any unauthorized activity has occurred and gives them\nan opportunity to notify administrators.", "severity": "low", "references": {"cis-csc": ["1", "12", "15", "16"], "cjis": ["5.5.2"], "cobit5": ["DSS05.04", "DSS05.10", "DSS06.10"], "isa-62443-2009": ["4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.2", "SR 1.5", "SR 1.7", "SR 1.8", "SR 1.9"], "iso27001-2013": ["A.18.1.4", "A.9.2.1", "A.9.2.4", "A.9.3.1", "A.9.4.2", "A.9.4.3"], "nist": ["AC-9", "AC-9(1)"], "nist-csf": ["PR.AC-7"], "pcidss": ["Req-10.2.4"], "srg": ["SRG-OS-000480-GPOS-00227"], "pcidss4": ["10.2.1.4", "10.2.1", "10.2"]}, "control_references": {"pcidss4": ["10.2.1.4", "10.2.1", "10.2"]}, "components": [], "identifiers": {}, "ocil_clause": "\"pam_lastlog.so\" is not properly configured in \"/etc/pam.d/login\" file", "ocil": "Verify users are provided with feedback on when account accesses last occurred with the following command:\n\n<pre>$ sudo grep pam_lastlog /etc/pam.d/login\n\nsession required pam_lastlog.so showfailed</pre>", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to provide users with feedback on when account accesses last occurred by setting the required configuration options in \"/etc/pam.d/login\".\n\nAdd the following line to the top of \"/etc/pam.d/login\":\n\nsession required pam_lastlog.so showfailed", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must display the date and time of the last successful account logon upon logon.", "warnings": [{"general": "If the system relies on <tt>authselect</tt> tool to manage PAM settings, the remediation\nwill also use <tt>authselect</tt> tool. However, if any manual modification was made in\nPAM files, the <tt>authselect</tt> integrity check will fail and the remediation will be\naborted in order to preserve intentional changes. In this case, an informative message will\nbe shown in the remediation report."}, {"general": "<tt>authselect</tt> contains an authselect feature to easily and properly enable Last Logon\nnotifications with <tt>pam_lastlog.so</tt> module. If a custom profile was created and used\nin the system before this authselect feature was available, the new feature can't be used\nwith this custom profile and the remediation will fail. In this case, the custom profile\nshould be recreated or manually updated."}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must display the date and time of the last successful account logon upon logon.", "vuldiscussion": "Users need to be aware of activity that occurs regarding their account. Providing users with information regarding the number of unsuccessful attempts that were made to login to their account allows the user to determine if any unauthorized activity has occurred and gives them an opportunity to notify administrators.", "checktext": "Verify users are provided with feedback on when account accesses last occurred with the following command:\n\n$ sudo grep pam_lastlog /etc/pam.d/postlogin\n\nsession required pam_lastlog.so showfailed\n\nIf \"pam_lastlog\" is missing from \"/etc/pam.d/postlogin\" file, or the silent option is present, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to provide users with feedback on when account accesses last occurred by setting the required configuration options in \"/etc/pam.d/postlogin\".\n\nAdd the following line to the top of \"/etc/pam.d/postlogin\":\n\nsession required pam_lastlog.so showfailed"}}, "platform": "package[pam] and system_with_kernel", "platforms": ["package[pam] and system_with_kernel"], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": ["package_pam_and_system_with_kernel"], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Ensure PAM Displays Last Logon/Access Notification", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-pam/display_login_attempts/rule.yml", "template": null}