RHEL 9 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.

An XCCDF Rule

Details
Profiles

Description

By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005

ID: SV-258056r1045143_rule
Version: RHEL-09-411085
Severity: Medium
References: CCI-000044 CCI-002238
Updated: about 2 months ago

Remediation Templates

To configure RHEL 9 to lock out the "root" account after a number of incorrect logon attempts within 15 minutes using "pam_faillock.so", enable the feature using the following command:
 
$ sudo authselect enable-feature with-faillock  

Then edit the "/etc/security/faillock.conf" file as follows:

fail_interval = 900

RHEL 9 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.

Description

Remediation Templates

A Manual Procedure