Check: RHEL-09-412045
RHEL 9 STIG:
RHEL-09-412045
(in versions v1 r1 through v1 r3)
Title
RHEL 9 must log username information when unsuccessful logon attempts occur. (Cat II impact)
Discussion
Without auditing of these events, it may be harder or impossible to identify what an attacker did after an attack.
Check Content
Verify the "/etc/security/faillock.conf" file is configured to log username information when unsuccessful logon attempts occur with the following command:

$ grep audit /etc/security/faillock.conf

audit

If the "audit" option is not set, is missing, or is commented out, this is a finding.
Fix Text
Configure RHEL 9 to log username information when unsuccessful logon attempts occur.

Add/modify the "/etc/security/faillock.conf" file to match the following line:

audit
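The check and fix above, as an added worked example that is not part of the STIG text. Note that the literal `grep audit` in the check also matches the stock commented line `# audit`, so the grep output alone does not prove compliance; the function below only accepts an uncommented `audit` line. The function names, the file path parameter and the sample configuration are assumptions made for this example (the sample is constructed to resemble the RHEL 9 default, where `audit` ships commented out), and the in-place `sed -i` assumes GNU sed as on RHEL.

```shell
#!/bin/sh
# Added example (not part of the STIG text): check and remediate the "audit"
# option in a faillock.conf file. The path is a parameter so the functions can
# run against a constructed sample; on a real host pass /etc/security/faillock.conf.

# Return 0 if the file has an active (uncommented) "audit" line, 1 otherwise.
# A plain `grep audit` would also match "# audit", which is still a finding.
faillock_audit_enabled() {
    grep -Eq '^[[:space:]]*audit[[:space:]]*$' "$1"
}

# Idempotent fix: uncomment an existing "# audit" line if present, otherwise
# append "audit". Leaves the file untouched if the option is already active.
faillock_enable_audit() {
    if faillock_audit_enabled "$1"; then
        return 0
    fi
    if grep -Eq '^[[:space:]]*#[[:space:]]*audit[[:space:]]*$' "$1"; then
        sed -i -E 's/^[[:space:]]*#[[:space:]]*audit[[:space:]]*$/audit/' "$1"
    else
        printf '%s\n' 'audit' >> "$1"
    fi
    faillock_audit_enabled "$1"
}

# Constructed sample resembling the stock RHEL 9 file, where "audit" is commented out.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
# Configuration for locking the user after multiple failed
# authentication attempts.
#
# dir = /var/run/faillock
# audit
# silent
deny = 3
unlock_time = 0
EOF

if faillock_audit_enabled "$SAMPLE"; then
    echo "PASS: audit option is active in $SAMPLE"
else
    echo "FINDING: audit option missing or commented out in $SAMPLE"
    faillock_enable_audit "$SAMPLE"
    echo "after fix:"
    grep -n audit "$SAMPLE"
fi
```

Run against the sample, the first check reports a finding (only `# audit` is present), the fix uncomments that line, and the second check passes. Beyond the page's text: faillock.conf is only consulted when pam_faillock is active in the PAM stack (on RHEL 9 via the authselect `with-faillock` feature), so setting `audit` in a file that PAM never reads satisfies the grep but does not produce the log entries the rule is after.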
Additional Identifiers
Rule ID: SV-258070r926197_rule
Vulnerability ID: V-258070
Group Title: SRG-OS-000021-GPOS-00005
Expert Comments
CCIs
Number | Definition
---|---
CCI-000044 | The information system enforces the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period.
Controls
Number | Title
---|---
AC-7 | Unsuccessful Logon Attempts