RHEL 9 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.
An XCCDF Rule
Description
<VulnDiscussion>If the pam_faillock.so module is not loaded, the system will not correctly lockout accounts to prevent password guessing attacks.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-258096r1014883_rule
- Severity
- Medium
- References
- Updated
Remediation - Manual Procedure
Configure RHEL 9 to include the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.
Add/modify the appropriate sections of the "/etc/pam.d/password-auth" file to match the following lines:
Note: The "preauth" line must be listed before pam_unix.so.
auth required pam_faillock.so preauth