NixOS must enforce the limit of three consecutive invalid login attempts by a user during a 15-minute time period.

An XCCDF Rule

Description

By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128, SRG-OS-000470-GPOS-00214

ID: SV-268081r1039549_rule
Version: ANIX-00-000040
Severity: Medium
References: CCI-000044 CCI-000172 CCI-002238
Updated: about 2 months ago

Remediation Templates

Configure NixOS to lock an account when three unsuccessful login attempts occur within 15 minutes. 

Modify /etc/nixos/configuration.nix to include the following lines:

 security.pam.services = let pamfile = ''
  auth required pam_faillock.so preauth silent audit deny=3 fail_interval=900 unlock_time=0  auth sufficient pam_unix.so nullok try_first_pass
  auth [default=die] pam_faillock.so authfail audit deny=3 fail_interval=900 unlock_time=0
  auth sufficient pam_faillock.so authsucc

  account required pam_faillock.so
 '';
 in {
  login.text = pkgs.lib.mkDefault pamfile;
  sshd.text = pkgs.lib.mkDefault pamfile;
 };

Note that the entire pam file must be entered as this pamfile string.

Rebuild the NixOS configuration with the following command:

$ sudo nixos-rebuild switch

NixOS must enforce the limit of three consecutive invalid login attempts by a user during a 15-minute time period.

Description

Remediation Templates

A Manual Procedure