Linux Security: `Ensure login and logout events are collected` fails on Debian about cnspec-policies HOT 3 CLOSED

You mean /var/run/faillog, right?

from cnspec-policies.

What Debian are you on @tas50 ?
Could not reproduce the issue on vagrant/debian9:

root@stretch:/etc/audit/rules.d# /etc/init.d/auditd restart
[ ok ] Restarting auditd (via systemctl): auditd.service.
root@stretch:/etc/audit/rules.d# cd ..
root@stretch:/etc/audit# cat audit.rules
## This file is automatically generated from /etc/audit/rules.d
-D
-b 8192
-f 1
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
-w /var/log/faillog -p wa -k logins
--backlog_wait_time 0

Generally speaking this looks more like an OS issue to me.
When hardening my Ubuntu 22.04, I also ran into problems with configuring audit correctly.

It is super finicky and I think having one wrong character in an unrelated rule led to failing to add and/or update other files from the rules.d/ folder when generating the audit.rules. I ended up adding the rules in different files in the rules.d/ directory with a few blocks each in them and then regenerating the audit.rules file until I found the file and subsequently the line that caused the issue.

Also there is another hardening control, that only allows changes to the audit.rules when rebooting. So maybe that is why it's happening for you?

from cnspec-policies.

@mm-weber this is an openmediavault system which is Debian 11 + a few extra repos.

from cnspec-policies.