{"description": "The audit system already collects login information for all users\nand root.\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>augenrules</tt>\nprogram to read audit rules during daemon startup (the default), add the\nfollowing line to a file with suffix <tt>.rules</tt> in the\ndirectory <tt>/etc/audit/rules.d</tt>:\n\n<pre>-w /var/log/faillog -p wa -k logins</pre>\n\nIf the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>\nutility to read audit rules during daemon startup, add the following line to\n<tt>/etc/audit/audit.rules</tt>:\n\n<pre>-w /var/log/faillog -p wa -k logins</pre>", "rationale": "Manual editing of these files may indicate nefarious activity, such\nas an attacker attempting to remove evidence of an intrusion.", "severity": "medium", "references": {"srg": ["SRG-OS-000037-GPOS-00015"], "stigid": ["UBTU-22-654210"], "stigref": ["SV-260644r958446_rule"]}, "control_references": {"stigid": ["UBTU-22-654210"]}, "components": [], "identifiers": {}, "ocil_clause": "there is no output", "ocil": "\nVerify Ubuntu 22.04 generates audit records for all events that affect \"/var/log/faillog\" with the following command:\n\n$ sudo auditctl -l | grep /var/log/faillog\n\n-w /var/log/faillog -p wa -k logins", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel", "package[audit]"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["package_audit", "system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Record Attempts to Alter Logon and Logout Events - faillog", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillog/rule.yml", "template": {"name":
"audit_rules_watch", "vars": {"path": "/var/log/faillog", "key": "logins"}, "backends": {}}}
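The rule above tells you what line to add and gives a one-liner (`auditctl -l | grep /var/log/faillog`) to confirm it is loaded. The following is an added example, not part of the SSG rule, its `audit_rules_watch` template, or any SSG check: a small POSIX shell checker that inspects the on-disk `*.rules` files the way an offline compliance scan would, and accepts the `-p` permission letters in either order (`wa` or `aw`) while rejecting a watch that records only writes. The function names (`faillog_rule_present`, `demo_rules_dir`) and the sample rule directories it builds under a temporary path are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the SSG rule or its template). Checks whether an
# audit rules directory contains the faillog watch this rule requires.
# It reads the *.rules files directly so it can run on a constructed sample
# directory without auditd; on a live system the authoritative check is
# still "sudo auditctl -l | grep /var/log/faillog", which shows what the
# kernel has actually loaded.

# Usage: faillog_rule_present <rules_dir>
# Returns 0 and prints the matching line if some *.rules file in <rules_dir>
# carries a line of the form
#   -w /var/log/faillog -p <perms> -k <key>
# where <perms> contains both "w" (writes) and "a" (attribute changes).
# Returns 1 otherwise. Permission letter order is ignored ("wa" == "aw").
faillog_rule_present() {
    dir=$1
    # cat may find no *.rules files; suppress its error and let awk decide.
    cat "$dir"/*.rules 2>/dev/null |
    sed 's/#.*//' |
    awk '$1 == "-w" && $2 == "/var/log/faillog" {
             perms = ""
             for (i = 3; i <= NF; i++) if ($i == "-p") perms = $(i + 1)
             if (index(perms, "w") && index(perms, "a")) { print; found = 1 }
         }
         END { exit found ? 0 : 1 }'
}

# demo_rules_dir: builds three constructed sample rule trees (assumed here,
# not real system state) and prints the parent directory:
#   good/  the rule exactly as the guide gives it
#   weak/  only writes are watched; chmod/chown/truncate-by-attribute on the
#          file would go unrecorded, so this must fail the check
#   none/  an unrelated watch only
demo_rules_dir() {
    base=$(mktemp -d)
    mkdir -p "$base/good" "$base/weak" "$base/none"
    printf '%s\n' '-w /var/log/faillog -p wa -k logins' > "$base/good/30-logins.rules"
    printf '%s\n' '-w /var/log/faillog -p w -k logins'  > "$base/weak/30-logins.rules"
    printf '%s\n' '-w /var/log/lastlog -p wa -k logins' > "$base/none/30-logins.rules"
    printf '%s\n' "$base"
}

# Stand-alone run: report each sample tree as PASS or FAIL.
demo=$(demo_rules_dir)
for tree in good weak none; do
    if faillog_rule_present "$demo/$tree" >/dev/null; then
        echo "$tree: PASS (faillog watch with w and a present)"
    else
        echo "$tree: FAIL (no usable faillog watch)"
    fi
done
```

The checker only proves the rule is present on disk; after editing `/etc/audit/rules.d` the rules are not active until `augenrules --load` (or an `auditd` restart) has been run, which is why the rule's own verification step reads the live rule set with `auditctl -l`.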