Skip to content

Account Lockouts Must Be Logged

An XCCDF Rule

Description

PAM faillock locks an account due to excessive password failures, this event must be logged.

Rationale

Without auditing of these events it may be harder or impossible to identify what an attacker did after an attack.

ID
xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_audit
Severity
Medium
References
Updated



Remediation - Ansible

- name: Account Lockouts Must Be Logged - Check if system relies on authselect tool
  ansible.builtin.stat:
    path: /usr/bin/authselect
  register: result_authselect_present
  tags:
  - NIST-800-53-AC-7 (a)

Remediation - Shell Script


if [ -f /usr/bin/authselect ]; then
    if ! authselect check; then
echo "
authselect integrity check failed. Remediation aborted!
This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.