Skip to content

Account Lockouts Must Be Logged

An XCCDF Rule

Description

PAM faillock locks an account due to excessive password failures, this event must be logged.

warning alert: Warning

This rule is deprecated in favor of the accounts_passwords_pam_faillock_audit rule.Please consider replacing this rule in your files as it is not expected to receive updates as of version 0.1.65.

Rationale

Without auditing of these events it may be harder or impossible to identify what an attacker did after an attack.

ID
xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_audit
Severity
Medium
References
Updated



Remediation - Ansible

- name: Account Lockouts Must Be Logged - Check if system relies on authselect tool
  ansible.builtin.stat:
    path: /usr/bin/authselect
  register: result_authselect_present
  tags:
  - CCE-86107-0

Remediation - Shell Script


if [ -f /usr/bin/authselect ]; then
    if ! authselect check; then
echo "
authselect integrity check failed. Remediation aborted!
This remediation could not be applied because an authselect profile was not selected or the selected profile is not intact.