Set Lockout Time for Failed Password Attempts
An XCCDF Rule
Description
This rule configures the system to lock out accounts during a specified time period after a
number of incorrect login attempts using pam_faillock.so
.
Ensure that the file /etc/security/faillock.conf
contains the following entry:
unlock_time=<interval-in-seconds>
where
interval-in-seconds
is
or greater.
pam_faillock.so module requires multiple entries in pam files. These entries must be carefully
defined to work as expected. In order to avoid any errors when manually editing these files,
it is recommended to use the appropriate tools, such as authselect
or authconfig
,
depending on the OS version.
If unlock_time
is set to 0
, manual intervention by an administrator is required
to unlock a user. This should be done using the faillock
tool.
warning alert: Warning
/etc/security/faillock.conf
file but the
pam_faillock.so parameters are defined directly in /etc/pam.d/system-auth
and
/etc/pam.d/password-auth
, the remediation will migrate the unlock_time
parameter
to /etc/security/faillock.conf
to ensure compatibility with authselect
tool.
The parameters deny
and fail_interval
, if used, also have to be migrated
by their respective remediation.warning alert: Warning
authselect
tool to manage PAM settings, the remediation
will also use authselect
tool. However, if any manual modification was made in
PAM files, the authselect
integrity check will fail and the remediation will be
aborted in order to preserve intentional changes. In this case, an informative message will
be shown in the remediation report.
If the system supports the /etc/security/faillock.conf
file, the pam_faillock
parameters should be defined in faillock.conf
file.Rationale
By limiting the number of failed logon attempts the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
- ID
- xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_unlock_time
- Severity
- Medium
- References
- Updated
Remediation - Ansible
- name: Gather the package facts
package_facts:
manager: auto
tags:
- CCE-80670-3
- CJIS-5.5.3
Remediation - Shell Script
# Remediation is applicable only in certain platforms
if rpm --quiet -q pam; then
var_accounts_passwords_pam_faillock_unlock_time='<xccdf-1.2:sub xmlns:xccdf-1.2="http://checklists.nist.gov/xccdf/1.2" idref="xccdf_org.ssgproject.content_value_var_accounts_passwords_pam_faillock_unlock_time" use="legacy"/>'