tom-krieger / cis_security_hardening

Define a complete security baseline and monitor the baseline's rules. The baseline should be defined in Hiera. The purpose of the module is to make it possible to set up a complete security baseline, which does not necessarily have to follow industry security guides such as the CIS benchmarks.
Apache License 2.0

auditd faillock failed CIS RHEL 8 Benchmark v2.0.0, released 2022-02-23. #51

Closed warrenbel closed 1 year ago

warrenbel commented 1 year ago

I ran OpenSCAP with profile CIS Red Hat Enterprise Linux 8 Benchmark for Level 2 - Server Red Hat Enterprise Linux 8 Benchmark™, v2.0.0, released 2022-02-23.

auditd items missing: -w /var/log/faillock -p wa -k logins

tom-krieger commented 1 year ago

Hi,

I looked into the CIS RedHat 8 Benchmark v 2.0.0 and found the following:

4.1.3.12 Ensure login and logout events are collected (Automated)
Profile Applicability:
• Level 2 - Server
• Level 2 - Workstation
Description: Monitor login and logout events. The parameters below track changes to files associated with login/logout events.
• /var/log/lastlog - maintain records of the last time a user successfully logged in.
• /var/run/faillock - directory maintains records of login failures via the pam_faillock module.

It's /var/run/faillock. Is /var/run/faillock missing?

warrenbel commented 1 year ago

The missing one is /var/log/faillock.

But right, the CIS RedHat 8 Benchmark v 2.0.0 document shows /var/run/faillock.

The STIG document looks updated to /var/log/. I will look into this. It might be that the CIS document is not updated.

Thanks, Warren

tom-krieger commented 1 year ago

I'll add auditd rules for both, /var/log/faillock and /var/run/faillock. It should not do any harm. This will be in release 0.8.2.
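A shell check for the watch rules discussed in this thread, added here as an example; it is not code from the module or from either commenter. The two rules files it inspects are constructed inline so it runs offline; on a real host the input would be the output of `auditctl -l` or a file under /etc/audit/rules.d/.

```shell
#!/bin/sh
# Added example: verify that an audit rules file watches every path named in
# the thread (the CIS lastlog/faillock pair plus /var/log/faillock).

REQUIRED_PATHS="/var/log/lastlog /var/run/faillock /var/log/faillock"

# check_login_watches FILE
# Returns 0 when FILE holds a "-w PATH -p <perms>" rule, with perms covering
# both w and a, for every path in REQUIRED_PATHS. Otherwise prints each
# missing rule in the form the OpenSCAP report used and returns 1.
check_login_watches() {
    rules_file="$1"
    status=0
    for path in $REQUIRED_PATHS; do
        if ! awk -v p="$path" \
            '$1 == "-w" && $2 == p && $3 == "-p" && $4 ~ /w/ && $4 ~ /a/ { found = 1 }
             END { exit !found }' "$rules_file"; then
            echo "missing: -w $path -p wa -k logins"
            status=1
        fi
    done
    return $status
}

RULES_BEFORE=$(mktemp)
RULES_AFTER=$(mktemp)
trap 'rm -f "$RULES_BEFORE" "$RULES_AFTER"' EXIT

# Constructed sample 1: only the CIS-listed /var/run/faillock is watched,
# which is what the report in the issue flagged.
cat > "$RULES_BEFORE" <<'EOF'
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock -p wa -k logins
EOF

# Constructed sample 2: both faillock locations watched, as planned for 0.8.2.
cat > "$RULES_AFTER" <<'EOF'
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock -p wa -k logins
-w /var/log/faillock -p wa -k logins
EOF

echo "before fix:"; check_login_watches "$RULES_BEFORE" || true
echo "after fix:";  check_login_watches "$RULES_AFTER" && echo "all login watches present"
```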