
Set Lockouts for Failed Password Attempts

An XCCDF Group

Description

The pam_faillock PAM module provides the capability to lock out user accounts after a number of failed login attempts. Its documentation is available in /usr/share/doc/pam-VERSION/txts/README.pam_faillock.

Warning

Locking out user accounts presents the risk of a denial-of-service attack. The lockout policy must weigh whether the risk of such a denial-of-service attack outweighs the benefits of thwarting password guessing attacks.
ID
xccdf_org.ssgproject.content_group_locking_out_password_attempts