Detections
Analytics

5.5.2 Ensure lockout for failed password attempts is configured - <= 8.1 deny

Information

Lock out users after n unsuccessful consecutive login attempts.

deny=<n> - Number of attempts before the account is locked

unlock_time=<n> - Time in seconds before the account is unlocked

Note: The maximum configurable value for unlock_time is 604800

Rationale:

Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems.

Solution

Set password lockouts and unlock times to conform to site policy. deny should be not greater than 5 and unlock_time should be 0 (never), or 900 seconds or greater.

Depending on the version you are running, follow one of the two methods bellow.

Versions 8.2 and later:

Edit /etc/security/faillock.conf and update or add the following lines:

deny = 5
unlock_time = 900

Versions 8.0 and 8.1:

Run the following script to update the system-auth and password-auth files. This script will update/add the deny=5 and unlock_time=900 options.

This script should be modified as needed to follow local site policy.

#!/usr/bin/env bash

for fn in system-auth password-auth; do
 file='/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$fn'
 if grep -Pq -- '^h*authh+requiredh+pam_faillock.so(h+[^#
r]+)?h+deny=(0|[6-9]|[1-9][0-9]+)b.*$' '$file'; then
 sed -ri '/pam_faillock.so/s/deny=S+/deny=5/g' '$file'
 elif ! grep -Pq -- '^h*authh+requiredh+pam_faillock.so(h+[^#
r]+)?h+deny=d*b.*$' '$file'; then
 sed -r 's/^s*(auths+requireds+pam_faillock.sos+)([^{}#
r]+)?s*({.*})?(.*)$/123 deny=5 4/' $file
 fi
 if grep -P -- '^h*(authh+requiredh+pam_faillock.soh+)([^#
r]+)?h+unlock_time=([1-9]|[1-9][0-9]|[1-8][0-9][0-9])b.*$' '$file'; then
 sed -ri '/pam_faillock.so/s/unlock_time=S+/unlock_time=900/g' '$file'
 elif ! grep -Pq -- '^h*authh+requiredh+pam_faillock.so(h+[^#
r]+)?h+unlock_time=d*b.*$' '$file'; then
 sed -ri 's/^s*(auths+requireds+pam_faillock.sos+)([^{}#
r]+)?s*({.*})?(.*)$/123 unlock_time=900 4/' '$file'
 fi
done
authselect apply-changes

Default Value:

deny = 3

unlock_time = 600

Additional Information:

Additional module options may be set, recommendation only covers those listed here.

If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= in the pam_faillock.so module, the user can be unlocked by issuing the command faillock --user <USERNAME> --reset. This command sets the failed count to 0, effectively unlocking the user.

Use of the 'audit' keyword may log credentials in the case of user error during authentication. This risk should be evaluated in the context of the site policies of your organization.

See Also

https://workbench.cisecurity.org/files/3742

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-1, 800-53|AC-2, 800-53|AC-2(1), CSCv7|16.7

Plugin: Unix

Control ID: 6150a23104afed3dbf3c8f72612265a5b255f9ea956f7278870019035a6f017b