CCE-95704-3Platform: cpe:/o:ubuntu:ubuntu_linux:16.04, cpe:/o:ubuntu:ubuntu_linux:18.04, cpe:/o:ubuntu:ubuntu_linux:20.04, cpe:/o:ubuntu:ubuntu_linux:22.04, cpe:/o:ubuntu:ubuntu_linux:23.04 | Date: (C)2021-07-19 (M)2023-09-01 |
Monitor login and logout events. The parameters below track changes to files associated with login/logout events. The file /var/log/faillog tracks failed events from login. The file /var/log/lastlog maintain records of the last time a user successfully logged in. The file /var/log/tallylog maintains records of failures via the pam_tally2 module
Rationale:
Monitoring login/logout events could provide a system administrator with information
associated with brute force attacks against user logins.
Fix:
Edit the /etc/audit/audit.rules file to include the following lines:
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
Parameter:
[yes/no]
Technical Mechanism:
Edit the /etc/audit/audit.rules file to include the following lines:
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
CCSS Severity: | CCSS Metrics: |
CCSS Score : 5.9 | Attack Vector: LOCAL |
Exploit Score: 2.5 | Attack Complexity: LOW |
Impact Score: 3.4 | Privileges Required: NONE |
Severity: MEDIUM | User Interaction: NONE |
Vector: AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | Scope: UNCHANGED |
| Confidentiality: LOW |
| Integrity: LOW |
| Availability: LOW |
| |
References: Resource Id | Reference |
---|
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:85281 |
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:73979 |
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:73980 |
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:92235 |
SCAP Repo OVAL Definition | oval:org.secpod.oval:def:73981 |