Check: RHEL-09-412045
RHEL 9 STIG:
RHEL-09-412045
(in version v2 r3)
Title
RHEL 9 must log username information when unsuccessful logon attempts occur. (Cat II impact)
Discussion
Without auditing of these events, it may be harder or impossible to identify what an attacker did after an attack.
Check Content
Verify the "/etc/security/faillock.conf" file is configured to log username information when unsuccessful logon attempts occur with the following command:

$ sudo grep audit /etc/security/faillock.conf

audit

If the "audit" option is not set, is missing, or is commented out, this is a finding.
Fix Text
Configure RHEL 9 to log username information when unsuccessful logon attempts occur. Enable the feature using the following command:

$ sudo authselect enable-feature with-faillock

Add/modify the "/etc/security/faillock.conf" file to match the following line:

audit
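An added example (not part of the STIG text) that automates the check above. A plain grep also matches commented-out lines such as "# audit" in a default faillock.conf, so this version strips comments before matching and only reports a pass when the directive is active; the function name and the constructed sample configs are assumptions.

```shell
#!/bin/sh
# Added example: report whether faillock.conf has an active "audit" option.
# Returns 0 when an uncommented "audit" directive is present, 1 otherwise
# (1 corresponds to a finding for RHEL-09-412045).
faillock_audit_enabled() {
    conf="$1"
    [ -r "$conf" ] || return 1
    # Drop "#" comments and surrounding whitespace, then require "audit"
    # at the start of a line, alone or followed by whitespace or "=".
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$conf" \
        | grep -qE '^audit([[:space:]]|=|$)'
}

# Constructed sample configurations so the check can be exercised offline.
pass_conf=$(mktemp)
fail_conf=$(mktemp)
trap 'rm -f "$pass_conf" "$fail_conf"' EXIT
printf '%s\n' 'deny = 3' 'audit' 'fail_interval = 900' > "$pass_conf"
# Default-style file: "audit" appears only in a comment, so it is a finding.
printf '%s\n' 'deny = 3' '# audit' 'fail_interval = 900' > "$fail_conf"

if faillock_audit_enabled "$pass_conf"; then
    echo "$pass_conf: audit option active (not a finding)"
fi
if ! faillock_audit_enabled "$fail_conf"; then
    echo "$fail_conf: audit option missing or commented out (finding)"
fi
```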
Additional Identifiers
Rule ID: SV-258070r1045153_rule
Vulnerability ID: V-258070
Group Title: SRG-OS-000021-GPOS-00005
CCIs
Number | Definition
---|---
CCI-000044 | Enforce the organization-defined limit of consecutive invalid logon attempts by a user during the organization-defined time period.
Controls
Number | Title
---|---
AC-7 | Unsuccessful Logon Attempts