Prisma Cloud Compute Alert On "(CIS_Amazon_Linux2_1.0.0 - 4.1.8) Ensure login and logout events are collected"

Created On 06/20/24 06:43 AM - Last Modified 11/01/24 19:01 PM


Symptom


  • It happens quite often that the control "(CIS_Amazon_Linux2_1.0.0 - 4.1.8) Ensure login and logout events are collected" is only partially remediated and some rule lines are still missing, so the alert keeps being triggered.




Environment


  • Prisma Cloud
  • Prisma Cloud Compute


Cause


  • This is because the audit rules file (/etc/audit/audit.rules) is incomplete: not all of the watch rules the control checks for are present.


Resolution


  • Please add the lines below to the file /etc/audit/audit.rules:

        -w /var/log/tallylog -p wa -k logins
        -w /var/run/faillock/ -p wa -k logins
        -w /var/log/lastlog -p wa -k logins

  • Then restart the auditd service with the command below (run as root):

        # pkill -P 1 -HUP auditd

  • Then wait for the next scan to confirm the detection is gone.
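Added example, not from the article or from Prisma Cloud: a POSIX shell script that compares /etc/audit/audit.rules against the three rule lines above, appends only the missing ones (the usual reason for a partial fix), and reloads auditd with the command from the resolution. The function names and the --apply switch are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the KB article: verify that /etc/audit/audit.rules
# contains the three CIS 4.1.8 watch rules, append any that are missing, and
# reload auditd. Function names and the --apply switch are this example's own.
set -eu

# The exact rule lines the control expects (as listed in the resolution).
LOGIN_RULES='-w /var/log/tallylog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
-w /var/log/lastlog -p wa -k logins'

# Print each expected rule that does not appear verbatim (whole line,
# fixed string) in the rules file $1. A partial fix shows up here as the
# one or two lines the scanner still complains about.
missing_login_rules() {
    rules_file=$1
    printf '%s\n' "$LOGIN_RULES" | while IFS= read -r rule; do
        grep -qxF -- "$rule" "$rules_file" 2>/dev/null || printf '%s\n' "$rule"
    done
}

# Append the missing rules to $1 and print how many lines were added.
# Idempotent: a second run adds nothing and prints 0.
ensure_login_rules() {
    rules_file=$1
    [ -f "$rules_file" ] || : > "$rules_file"
    missing=$(missing_login_rules "$rules_file")
    if [ -z "$missing" ]; then
        echo 0
        return 0
    fi
    # Guard against a file whose last line has no trailing newline.
    if [ -s "$rules_file" ] && [ $(( $(tail -c 1 "$rules_file" | wc -l) )) -eq 0 ]; then
        printf '\n' >> "$rules_file"
    fi
    printf '%s\n' "$missing" >> "$rules_file"
    echo $(( $(printf '%s\n' "$missing" | wc -l) ))
}

# Only touch the live system when run explicitly as root with --apply.
# Note: if augenrules(8) manages this host, it regenerates audit.rules from
# /etc/audit/rules.d/*.rules at service start, so place the lines there instead.
if [ "${1:-}" = "--apply" ] && [ "$(id -u)" -eq 0 ]; then
    n=$(ensure_login_rules /etc/audit/audit.rules)
    echo "added $n rule line(s) to /etc/audit/audit.rules; reloading auditd"
    pkill -P 1 -HUP auditd      # the reload command from the resolution
    auditctl -l | grep -- '-k logins' || echo "warning: logins rules not loaded"
fi
```

Without --apply the script only defines the functions, so it can be sourced to check any rules file read-only with missing_login_rules before changing the host.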


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000TosYCAS&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail