Information
even_deny_root - Root account can become locked as well as regular accounts
root_unlock_time=n - This option implies even_deny_root option. Allow access after n seconds to root account after the account is locked. In case the option is not specified the value is the same as of the unlock_time option.
Rationale:
Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems.
Impact:
Use of unlock_time=0 or root_unlock_time=0 may allow an attacker to cause denial of service to legitimate users.
Solution
Edit /etc/security/faillock.conf:
Remove or update any line containing root_unlock_time, -OR- set it to a value of 60 or more
Update or add the following line:
even_deny_root
Run the following script to remove the even_deny_root and root_unlock_time arguments from the pam_faillock.so module in the PAM files:
#!/usr/bin/env bash
{
for l_pam_file in system-auth password-auth; do
l_authselect_file='/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$l_pam_file'
sed -ri 's/(^s*auths+(.*)s+pam_faillock.so.*)(s+even_deny_root)(.*$)/14/' '$l_authselect_file'
sed -ri 's/(^s*auths+(.*)s+pam_faillock.so.*)(s+root_unlock_times*=s*S+)(.*$)/14/' '$l_authselect_file'
done
authselect apply-changes
}
''
Default Value:
disabled
Additional Information:
If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= in the pam_faillock.so module, the user can be unlocked by issuing the command faillock --user <USERNAME> --reset. This command sets the failed count to 0, effectively unlocking the user.