STIGhubSTIGhub
STIGsSearchCompareAbout

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • VPAT
  • DISA STIG Library
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Amazon Linux 2023 Security Technical Implementation Guide

V-274097

CAT II (Medium)

Amazon Linux 2023 must generate audit records for all account creations, modifications, disabling, and termination events that affect /var/log/lastlog.

Rule ID

SV-274097r1120279_rule

STIG

Amazon Linux 2023 Security Technical Implementation Guide

Version

V1R3

CCIs

CCI-000130, CCI-000135, CCI-000169, CCI-002884, CCI-000172

Discussion

Without generating audit records specific to the security and mission needs of the organization, it would be difficult to establish, correlate, and investigate the events relating to an incident or identify those responsible for one. Satisfies: SRG-OS-000037-GPOS-00015, SRG-OS-000042-GPOS-00020, SRG-OS-000062-GPOS-00031, SRG-OS-000392-GPOS-00172, SRG-OS-000462-GPOS-00206, SRG-OS-000471-GPOS-00215, SRG-OS-000473-GPOS-00218, SRG-OS-000470-GPOS-00214

Check Content

Verify Amazon Linux 2023 generates audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/lastlog" with the following command:

$ sudo auditctl -l | grep /var/log/lastlog
-w /var/log/lastlog -p wa -k logins

If the command does not return a line, or the line is commented out, this is a finding.

Fix Text

Configure Amazon Linux 2023 to generate audit records for all account creations, modifications, disabling, and termination events that affect "/var/log/lastlog".

Add or update the following file system rule to "/etc/audit/rules.d/audit.rules":

-w /var/log/lastlog -p wa -k logins

To load the rules to the kernel immediately, use the following command: 

$ sudo augenrules --load