
Account Lockouts Must Persist

An XCCDF Rule

Description

By setting a `dir` in the faillock configuration, account lockouts will persist across reboots.

Warning

This rule is deprecated in favor of the accounts_passwords_pam_faillock_dir rule. Please consider replacing this rule in your files, as it is not expected to receive updates as of version 0.1.65.

Rationale

Having lockouts persist across reboots ensures that an account is only unlocked by an administrator. If the lockouts did not persist across reboots, an attacker could simply reboot the system to continue brute force attacks against the accounts on the system.
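
One way to audit this setting, as an added example (not part of the rule or the project's own check): the script reads the effective `dir` from a faillock.conf-style file and flags tally directories under paths that are usually tmpfs. The volatile-path list, the last-`dir`-wins handling and the sample path `/var/log/faillock` are assumptions; `/var/run/faillock` is pam_faillock's documented default.

```shell
#!/bin/sh
# Added example: report whether pam_faillock tallies would survive a reboot.

# Print the effective `dir` value from a faillock.conf-style file.
# Commented-out lines are ignored; if `dir` appears more than once the
# last occurrence is used (assumption). Falls back to the documented
# default when `dir` is not set or the file is missing.
faillock_dir() {
    conf=$1
    dir=$(sed -n 's/^[[:space:]]*dir[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' \
        "$conf" 2>/dev/null | tail -n 1)
    printf '%s\n' "${dir:-/var/run/faillock}"
}

# Return 0 when the tally directory is an absolute path outside locations
# that are typically tmpfs and therefore emptied at boot.
# Assumption: /run, /var/run, /tmp and /dev/shm are volatile on the host.
lockouts_persist() {
    case "$(faillock_dir "$1")" in
        /run|/run/*|/var/run|/var/run/*|/tmp|/tmp/*|/dev/shm|/dev/shm/*)
            return 1 ;;
        /*)
            return 0 ;;
        *)
            return 1 ;;  # relative value: treat as non-compliant
    esac
}

# Constructed sample configuration (not taken from a real host).
sample=$(mktemp)
printf '%s\n' \
    '# dir = /var/run/faillock' \
    'deny = 3' \
    'dir = /var/log/faillock' > "$sample"

if lockouts_persist "$sample"; then
    echo "persistent: lockout records kept in $(faillock_dir "$sample")"
else
    echo "volatile: lockout records in $(faillock_dir "$sample") are lost on reboot"
fi
rm -f "$sample"
```

On a real system, pass the path of the faillock configuration file to `lockouts_persist` in place of the constructed sample.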

ID
xccdf_org.ssgproject.content_rule_account_passwords_pam_faillock_dir
Severity
Medium
References
Updated