{{%- if product in ['sle12', 'sle15', 'slmicro5' ] or "ubuntu" in product %}}
{{%- set pam_lastlog_path = "/etc/pam.d/login" %}}
{{%- set pam_lastlog = "pam_lastlog.so" %}}
{{%- elif product in ['sle16', 'slmicro6'] %}}
{{%- set pam_lastlog_path = "/etc/pam.d/postlogin-session" %}}
{{%- set pam_lastlog = "pam_lastlog2.so" %}}
{{%- else %}}
{{%- set pam_lastlog_path = "/etc/pam.d/postlogin" %}}
{{%- set pam_lastlog = "pam_lastlog.so" %}}
{{%- endif %}}
{{%- if "ol" in families or "slmicro" in product or "ubuntu" in product %}}
{{%- set control = "required" %}}
{{%- elif "sle" in product %}}
{{%- set control = "optional" %}}
{{%- else %}}
{{%- set control = "[default=1]" %}}
{{%- endif %}}
documentation_complete: true
title: 'Ensure PAM Displays Last Logon/Access Notification'
description: |-
To configure the system to notify users of last logon/access using pam_lastlog,
add or correct the pam_lastlog settings in {{{ pam_lastlog_path }}}
to include showfailed option, such as:
session {{{ control }}} {{{ pam_lastlog }}} showfailed
And make sure that the silent option is not set for this specific line.
rationale: |-
Users need to be aware of activity that occurs regarding their account. Providing users with
information regarding the number of unsuccessful attempts that were made to login to their
account allows the user to determine if any unauthorized activity has occurred and gives them
an opportunity to notify administrators.
severity: low
identifiers:
cce@rhel8: CCE-80788-3
cce@rhel9: CCE-83560-3
cce@rhel10: CCE-88650-7
cce@sle12: CCE-83149-5
cce@sle15: CCE-85560-1
cce@sle16: CCE-95704-3
cce@slmicro5: CCE-93730-0
cce@slmicro6: CCE-95037-8
references:
cis-csc: 1,12,15,16
cjis: 5.5.2
cobit5: DSS05.04,DSS05.10,DSS06.10
isa-62443-2009: 4.3.3.6.1,4.3.3.6.2,4.3.3.6.3,4.3.3.6.4,4.3.3.6.5,4.3.3.6.6,4.3.3.6.7,4.3.3.6.8,4.3.3.6.9
isa-62443-2013: 'SR 1.1,SR 1.10,SR 1.2,SR 1.5,SR 1.7,SR 1.8,SR 1.9'
iso27001-2013: A.18.1.4,A.9.2.1,A.9.2.4,A.9.3.1,A.9.4.2,A.9.4.3
nist: AC-9,AC-9(1)
nist-csf: PR.AC-7
pcidss: Req-10.2.4
srg: SRG-OS-000480-GPOS-00227
stigid@ol7: OL07-00-040530
stigid@ol8: OL08-00-020340
stigid@sle12: SLES-12-010390
stigid@sle15: SLES-15-020080
platform: package[pam] and system_with_kernel
ocil_clause: '"{{{ pam_lastlog }}}" is not properly configured in "{{{ pam_lastlog_path }}}" file'
ocil: |-
Verify users are provided with feedback on when account accesses last occurred with the following command:
$ sudo grep pam_lastlog {{{ pam_lastlog_path }}}
session {{{ control }}} {{{ pam_lastlog }}} showfailed
fixtext: |-
Configure {{{ full_name }}} to provide users with feedback on when account accesses last occurred by setting the required configuration options in "{{{ pam_lastlog_path }}}".
Add the following line to the top of "{{{ pam_lastlog_path }}}":
session {{{ control }}} {{{ pam_lastlog }}} showfailed
srg_requirement: '{{{ full_name }}} must display the date and time of the last successful account logon upon logon.'
warnings:
- general: |-
If the system relies on authselect tool to manage PAM settings, the remediation
will also use authselect tool. However, if any manual modification was made in
PAM files, the authselect integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report.
- general: |-
authselect contains an authselect feature to easily and properly enable Last Logon
notifications with {{{ pam_lastlog }}} module. If a custom profile was created and used
in the system before this authselect feature was available, the new feature can't be used
with this custom profile and the remediation will fail. In this case, the custom profile
should be recreated or manually updated.