Lock Accounts After Failed Password Attempts
An XCCDF Rule
Description
This rule configures the system to lock out accounts after a number of incorrect login attempts usingpam_faillock.so
.
pam_faillock.so module requires multiple entries in pam files. These entries must be carefully
defined to work as expected.
Ensure that the file /etc/security/faillock.conf
contains the following entry:
deny = <count>
Where count should be less than or equal to
authselect
or authconfig
,
depending on the OS version.
warning alert: Warning
If the system relies on
authselect
tool to manage PAM settings, the remediation
will also use authselect
tool. However, if any manual modification was made in
PAM files, the authselect
integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report.
If the system supports the /etc/security/faillock.conf
file, the pam_faillock
parameters should be defined in faillock.conf
file.Rationale
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking the account.
- ID
- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
- Severity
- Medium
- References
- Updated
Remediation Templates
An Ansible Snippet
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CJIS-5.5.3
- DISA-STIG-OL08-00-020010
A Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then
var_accounts_passwords_pam_faillock_deny='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_deny" use="legacy"/>'
if [ -f /usr/bin/authselect ]; then