Red Hat Enterprise Linux 9 • Release: 7 Benchmark Date: 05 Jan 2026
CAT II V-258070 RHEL-09-412045
RHEL 9 must log username information when unsuccessful logon attempts occur.
Discussion
Without auditing of these events, it may be harder or impossible to identify what an attacker did after an attack.
Check Procedure
Verify the "/etc/security/faillock.conf" file is configured to log username information when unsuccessful logon attempts occur with the following command:

$ sudo grep audit /etc/security/faillock.conf

audit

If the "audit" option is not set, is missing, or is commented out, this is a finding.
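
A scriptable form of the check above, as an added example that is not part of the STIG text. The plain grep also prints commented-out lines and any comment that mentions "audit", so this version separates the three finding conditions. The function name check_faillock_audit and its return codes are hypothetical, and the file syntax (one option per line, surrounding whitespace ignored, lines starting with "#" are comments) is an assumption.

```shell
#!/bin/sh
# Added example: stricter variant of the faillock.conf "audit" check.
# Assumed syntax: one option per line, leading/trailing whitespace ignored,
# lines starting with '#' are comments.

# check_faillock_audit [FILE]   (hypothetical helper name)
# Prints a one-line result.
# Returns 0 = not a finding, 1 = finding, 2 = file missing or unreadable.
check_faillock_audit() {
    conf="${1:-/etc/security/faillock.conf}"

    if [ ! -r "$conf" ]; then
        echo "FINDING: $conf is missing or unreadable"
        return 2
    fi

    # Active setting: the line is exactly "audit" apart from whitespace.
    if grep -Eq '^[[:space:]]*audit[[:space:]]*$' "$conf"; then
        echo "PASS: audit option is set in $conf"
        return 0
    fi

    # Commented-out setting is reported separately so the fix is obvious.
    if grep -Eq '^[[:space:]]*#[[:space:]]*audit[[:space:]]*$' "$conf"; then
        echo "FINDING: audit option is commented out in $conf"
    else
        echo "FINDING: audit option is not present in $conf"
    fi
    return 1
}
```

Call check_faillock_audit with no argument to test the system file, or pass a path to test a staged copy before deployment.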
Fix Action
Configure RHEL 9 to log username information when unsuccessful logon attempts occur.

Enable the feature using the following command:

$ sudo authselect enable-feature with-faillock

Add/modify the "/etc/security/faillock.conf" file to match the following line:

audit