5.3.2 Ensure lockout for failed password attempts is configured - system-auth

Information

Lock out users after n unsuccessful consecutive login attempts.

These settings are commonly configured with the pam_faillock.so module. Some environments may continue using the pam_tally2.so module, where this older method may simplify automation in mixed environments.

Set the lockout number in deny= to the policy in effect at your site.

unlock_time=_n_ is the number of seconds the account remains locked after the number of attempts configured in deny=_n_ has been met.

Notes:

Additional module options may be set, recommendation only covers those listed here.

When modifying authentication configuration using the authconfig utility, the system-auth and password-auth files are overwritten with the settings from the authconfig utility. This can be avoided by creating symbolic links in place of the configuration files, which authconfig recognizes and does not overwrite. These symbolic links are the default for Fedora 19 derived distributions.

Use of the 'audit' keyword may log credentials in the case of user error during authentication. This risk should be evaluated in the context of the site policies of your organization.

If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= in the pam_faillock.so or the pam_tally2.so module, the user can be unlocked by issuing following commands. This command sets the failed count to 0, effectively unlocking the user.

If pam_faillock.so is used:

# faillock --user <username> --reset

If pam_tally2.so is used:

# pam_tally2 -u <username> --reset




Rationale:

Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems.

Solution

Edit the files /etc/pam.d/system-auth and /etc/pam.d/password-auth and add the following lines:
Modify the deny= and unlock_time= parameters to conform to local site policy, Not to be greater than deny=5
To use pam_faillock.so module, add the following lines to the auth section:

auth required pam_faillock.so preauth silent audit deny=5 unlock_time=900
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900

The auth sections should look similar to the following example:
Note: The ordering on the lines in the auth section is important. The preauth line needs to below the line auth required pam_env.so and above all password validation lines. The authfail line needs to be after all password validation lines. Incorrect order can cause you to be locked out of the system
Example:

auth required pam_env.so
auth required pam_faillock.so preauth silent audit deny=5 unlock_time=900 # <- Under 'auth required pam_env.so'
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900 # <- Last auth line before 'auth requisite pam_succeed_if.so'
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so

Add the following line to the account section:

account required pam_faillock.so

Example:

account required pam_faillock.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so

OR
To use the pam_tally2.so module, add the following line to the auth section:




auth required pam_tally2.so deny=5 onerr=fail unlock_time=900

The auth sections should look similar to the following example:
Note: The ordering on the lines in the auth section is important. the additional line needs to below the line auth required pam_env.so and above all password validation lines.
Example:

auth required pam_env.so
auth required pam_tally2.so deny=5 onerr=fail unlock_time=900 # <- Under 'auth required pam_env.so'
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so

Add the following line to the account section:

account required pam_tally2.so

Example:

account required pam_tally2.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so

References:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide

See Also

https://workbench.cisecurity.org/files/2948

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-7., 800-53|AC-7b., CSCv7|16.7

Plugin: Unix

Control ID: 2af2a27871333b781a2d37626bc0b11dcaa201dc7b5d1775cdc1b1e46e7cf3f8