RHEL 9 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.

An XCCDF Rule

Details
Profiles

Description

By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking the account. Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005

ID: SV-258055r1045140_rule
Version: RHEL-09-411080
Severity: Medium
References: CCI-000044 CCI-002238
Updated: about 2 months ago

Remediation Templates

To configure RHEL 9 to lock out the "root" account after a number of incorrect logon attempts using "pam_faillock.so", first enable the feature using the following command:
 
$ sudo authselect enable-feature with-faillock  

Edit the "/etc/security/faillock.conf" by uncommenting or adding the following line:
 
even_deny_root

RHEL 9 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.

Description

Remediation Templates

A Manual Procedure