auditd 5.2.3.12 logins should refer to /var/run/faillock #115

kdebisschop · 2023-11-16T14:14:04Z

Describe the Issue
In templates/audit/ubtu20cis_5_2_3_12_logins.rules.j2, auditd 5.2.3.12 logins should refer to /var/run/faillock and not /var/log/faillock.

From CIS:

Verify the output matches:

-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock -p wa -k logins

From man pam_faillockK

FILES
/var/run/faillock/*
the files logging the authentication failures for users

Expected Behavior
The audit rules should match the specification of the CIS controls and should pass scans by other software (e.g., Wazuh SIEM)

Actual Behavior
The current rule does not reflect the CIS control or the behavior of pam_faillock

Control(s) Affected

5.2.3.12

Environment (please complete the following information):

branch being used: devel
Ansible Version: 2.5.16
Host Python Version: 3.12.0
Ansible Server Python Version: [e.g. Python 3.7.6]
Additional Details:

Additional Notes
Anything additional goes here

Possible Solution
See #114

kdebisschop added the bug Something isn't working label Nov 16, 2023

kdebisschop mentioned this issue Nov 16, 2023

auditd 5.2.3.12 logins should refer to /var/run/faillock #114

Merged

uk-bolly closed this as completed in #114 Nov 21, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

auditd 5.2.3.12 logins should refer to /var/run/faillock #115

auditd 5.2.3.12 logins should refer to /var/run/faillock #115

kdebisschop commented Nov 16, 2023

auditd 5.2.3.12 logins should refer to /var/run/faillock #115

auditd 5.2.3.12 logins should refer to /var/run/faillock #115

Comments

kdebisschop commented Nov 16, 2023