ComplianceAsCode · dahaic · Aug 30, 2018 · Aug 30, 2018 · Aug 30, 2018
diff --git a/...stem/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml b/...stem/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events/rule.yml
@@ -10,14 +10,14 @@ description: |-
     directory <tt>/etc/audit/rules.d</tt> in order to watch for attempted manual
     edits of files involved in storing logon events:
     <pre>-w /var/log/tallylog -p wa -k logins
-    -w /var/run/faillock/ -p wa -k logins
+    -w /var/run/faillock -p wa -k logins
     -w /var/log/lastlog -p wa -k logins</pre>
     If the <tt>auditd</tt> daemon is configured to use the <tt>auditctl</tt>
     utility to read audit rules during daemon startup, add the following lines to
     <tt>/etc/audit/audit.rules</tt> file in order to watch for unattempted manual
     edits of files involved in storing logon events:
     <pre>-w /var/log/tallylog -p wa -k logins
-    -w /var/run/faillock/ -p wa -k logins
+    -w /var/run/faillock -p wa -k logins
     -w /var/log/lastlog -p wa -k logins</pre>
 
 rationale: |-

@@ -3,7 +3,5 @@
 # remediation = bash
 
 echo "-w /var/log/tallylog -p wa -k logins" >> /etc/audit/rules.d/logins.rules
-echo "-w /var/run/faillock/ -p wa -k logins" >> /etc/audit/rules.d/logins.rules
+echo "-w /var/run/faillock -p wa -k logins" >> /etc/audit/rules.d/logins.rules
 echo "-w /var/log/lastlog -p wa -k logins" >> /etc/audit/rules.d/logins.rules
-
-cat /etc/audit/rules.d/logins.rules