From 03983746d908c1cd518a17eed9f5eff9420d6828 Mon Sep 17 00:00:00 2001
From: Marco Fortina <marco_fortina@hotmail.it>
Date: Fri, 26 Apr 2024 17:34:16 +0200
Subject: [PATCH] Fix #11902

---
 .../audit_rules_login_events_faillock/rule.yml                | 1 +
 .../audit_rules_login_events_faillog/rule.yml                 | 1 -
 .../audit_rules_login_events_tallylog/rule.yml                | 1 -
 products/ubuntu2204/profiles/cis_level2_server.profile        | 4 ++--
 products/ubuntu2204/profiles/cis_level2_workstation.profile   | 4 ++--
 5 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml
index 1f892b60375..c59e43c1e47 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillock/rule.yml
@@ -35,6 +35,7 @@ references:
     cis-csc: 1,11,12,13,14,15,16,19,2,3,4,5,6,7,8,9
     cis@sle12: 4.1.7
     cis@sle15: 4.1.7
+    cis@ubuntu2204: 4.1.3.12
     cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
     cui: 3.1.7
     disa: CCI-000126,CCI-000172,CCI-002884
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillog/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillog/rule.yml
index 6801152e224..382ad45da71 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillog/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_faillog/rule.yml
@@ -31,7 +31,6 @@ references:
     cis@sle12: 4.1.7
     cis@sle15: 4.1.7
     cis@ubuntu2004: 4.1.7
-    cis@ubuntu2204: 4.1.3.12
     disa: CCI-000130,CCI-000169,CCI-000172,CCI-002884
     nist@sle12: AU-3,AU-12(a),AU-12(c),MA-4(1)(a)
     srg: SRG-OS-000037-GPOS-00015
diff --git a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
index 3e51a3aa9e2..27b07ecd5cf 100644
--- a/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
+++ b/linux_os/guide/auditing/auditd_configure_rules/audit_login_events/audit_rules_login_events_tallylog/rule.yml
@@ -36,7 +36,6 @@ references:
     cis@sle12: 4.1.7
     cis@sle15: 4.1.7
     cis@ubuntu2004: 4.1.7
-    cis@ubuntu2204: 4.1.3.12
     cobit5: APO10.01,APO10.03,APO10.04,APO10.05,APO11.04,APO12.06,APO13.01,BAI03.05,BAI08.02,DSS01.03,DSS01.04,DSS02.02,DSS02.04,DSS02.07,DSS03.01,DSS03.05,DSS05.02,DSS05.03,DSS05.04,DSS05.05,DSS05.07,MEA01.01,MEA01.02,MEA01.03,MEA01.04,MEA01.05,MEA02.01
     cui: 3.1.7
     disa: CCI-000172,CCI-002884,CCI-000126
diff --git a/products/ubuntu2204/profiles/cis_level2_server.profile b/products/ubuntu2204/profiles/cis_level2_server.profile
index 4b0dacb9352..a7128d7c24b 100644
--- a/products/ubuntu2204/profiles/cis_level2_server.profile
+++ b/products/ubuntu2204/profiles/cis_level2_server.profile
@@ -155,9 +155,9 @@ selections:
     - audit_rules_session_events
 
     #### 4.1.3.12 Ensure login and logout events are collected (Automated)
-    - audit_rules_login_events_faillog
+    - var_accounts_passwords_pam_faillock_dir=run
+    - audit_rules_login_events_faillock
     - audit_rules_login_events_lastlog
-    - audit_rules_login_events_tallylog
 
     #### 4.1.3.13 Ensure file deletion events by users are collected (Automated)
     - audit_rules_file_deletion_events_rename
diff --git a/products/ubuntu2204/profiles/cis_level2_workstation.profile b/products/ubuntu2204/profiles/cis_level2_workstation.profile
index 0fbe66e2258..210273706ca 100644
--- a/products/ubuntu2204/profiles/cis_level2_workstation.profile
+++ b/products/ubuntu2204/profiles/cis_level2_workstation.profile
@@ -167,9 +167,9 @@ selections:
     - audit_rules_session_events
 
     #### 4.1.3.12 Ensure login and logout events are collected (Automated)
-    - audit_rules_login_events_faillog
+    - var_accounts_passwords_pam_faillock_dir=run
+    - audit_rules_login_events_faillock
     - audit_rules_login_events_lastlog
-    - audit_rules_login_events_tallylog
 
     #### 4.1.3.13 Ensure file deletion events by users are collected (Automated)
     - audit_rules_file_deletion_events_rename