5.4.2 Ensure lockout for failed password attempts is configured - system-auth auth required pam_faillock.so authfail

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Lock out users after n unsuccessful consecutive login attempts.

deny= - Number of attempts before the account is locked

unlock_time= - Time in seconds before the account is unlocked

Set the lockout number and unlock time to follow local site policy.

Rationale:

Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems.

Solution

Set password lockouts and unlock times to conform to site policy
run the following to update the system-auth and password-auth files. This script will update/add the deny=5 and unlock_time=900 options.
This script should be modified as needed to follow local site policy.

CP=$(authselect current | awk 'NR == 1 {print $3}' | grep custom/)
for FN in system-auth password-auth; do
[[ -n $CP ]] && PTF=/etc/authselect/$CP/$FN || PTF=/etc/authselect/$FN
[[ -n $(grep -E '^s*auths+requireds+pam_faillock.sos+.*deny=S+s*.*$' $PTF) ]] && sed -ri '/pam_faillock.so/s/deny=S+/deny=5/g' $PTF || sed -ri 's/^^s*(auths+requireds+pam_faillock.sos+)(.*[^{}])({.*}|)$/12 deny=5 3/' $PTF
[[ -n $(grep -E '^s*auths+requireds+pam_faillock.sos+.*unlock_time=S+s*.*$' $PTF) ]] && sed -ri '/pam_faillock.so/s/unlock_time=S+/unlock_time=900/g' $PTF || sed -ri 's/^s*(auths+requireds+pam_faillock.sos+)(.*[^{}])({.*}|)$/12 unlock_time=900 3/' $PTF
done
authselect apply-changes

Additional Information:

Additional module options may be set, recommendation only covers those listed here.

If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= in the pam_faillock.so module, the user can be unlocked by issuing the command faillock -u --reset. This command sets the failed count to 0, effectively unlocking the user.

Use of the 'audit' keyword may log credentials in the case of user error during authentication. This risk should be evaluated in the context of the site policies of your organization.

See Also

https://workbench.cisecurity.org/files/3379