Configure the root Account for Failed Password Attempts
An XCCDF Rule
Description
This rule configures the system to lock out the root
account after a number of
incorrect login attempts using pam_faillock.so
.
pam_faillock.so module requires multiple entries in pam files. These entries must be carefully
defined to work as expected. In order to avoid errors when manually editing these files, it is
recommended to use the appropriate tools, such as authselect
or authconfig
,
depending on the OS version.
warning alert: Warning
If the system relies on
authselect
tool to manage PAM settings, the remediation
will also use authselect
tool. However, if any manual modification was made in
PAM files, the authselect
integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report.
If the system supports the /etc/security/faillock.conf
file, the pam_faillock
parameters should be defined in faillock.conf
file.Rationale
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking the account.
- ID
- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny_root
- Severity
- Medium
- References
- Updated
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then
if [ -f /usr/bin/authselect ]; then
if ! authselect check; then
echo "
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- NIST-800-53-AC-7(b)
- NIST-800-53-CM-6(a)