InformationThe operating system must be configured to lock accounts for a minimum of 15 minutes after three unsuccessful logon attempts within a 15-minute timeframe.
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005
SolutionConfigure the operating system to lock an account for the maximum period when three unsuccessful logon attempts in 15 minutes are made.
Add/Modify the appropriate sections of the '/etc/pam.d/system-auth' and '/etc/pam.d/password-auth' files to match the following lines:
auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900
auth sufficient pam_unix.so try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900
account required pam_faillock.so
Note: Manual changes to the listed files may be overwritten by the 'authconfig' program. The 'authconfig' program should not be used to update the configurations listed in this requirement.