4.4.2.1.1 Ensure pam_faillock module is enabled

Information

The pam_faillock.so module maintains a list of failed authentication attempts per user during a specified interval and locks the account once the number of consecutive failed authentications exceeds the configured limit (set by the deny parameter in the faillock configuration). It stores the failure records in per-user files in the tally directory.

Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems.

Solution

Edit the files /etc/pam.d/system-auth and /etc/pam.d/password-auth:

Add the following lines to the auth section:

auth required pam_faillock.so preauth silent audit deny=5 unlock_time=900 even_deny_root
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900 even_deny_root

The auth sections should look similar to the following example:

WARNING: The ordering of the lines in the auth section is important. The preauth line needs to be below the line auth required pam_env.so and above all password validation lines. The authfail line needs to be after all password validation lines, such as pam_sss.so. Incorrect order can cause you to be locked out of the system.

Example:

auth required pam_env.so
auth required pam_faillock.so preauth silent audit deny=5 unlock_time=900 even_deny_root # <- Under "auth required pam_env.so"
auth sufficient pam_unix.so try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900 even_deny_root # <- Last auth line before "auth requisite pam_succeed_if.so"
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so

Add the following line to the account section:

account required pam_faillock.so

Example:

account required pam_faillock.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
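As an added check (not part of the benchmark or its audit file), the following Python script parses a PAM stack and reports whether the faillock lines are present and ordered as described above; the set of password-validating modules it looks for is an assumption, and the sample stacks are constructed from the example above.

```python
import re
# Modules that check the password itself; preauth must sit above the first of
# them and authfail below the last (assumed list, extend for other stacks).
PASSWORD_VALIDATORS = {"pam_unix.so", "pam_sss.so", "pam_ldap.so", "pam_krb5.so"}
# type, control (plain or bracketed like [default=die]), module, options
PAM_LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return (type, control, module, [options]) per non-comment line."""
    matches = (PAM_LINE.match(l.split("#", 1)[0].strip()) for l in text.splitlines())
    return [(m[1], m[2], m[3], m[4].split()) for m in matches if m]

def check_faillock(text):
    """Return a list of findings; an empty list means the stack is compliant."""
    entries, findings = parse_pam(text), []
    auth = [e for e in entries if e[0] == "auth"]
    def where(pred): return [i for i, e in enumerate(auth) if pred(e)]
    preauth = where(lambda e: e[2] == "pam_faillock.so" and "preauth" in e[3])
    authfail = where(lambda e: e[2] == "pam_faillock.so" and "authfail" in e[3])
    env = where(lambda e: e[2] == "pam_env.so")
    validators = where(lambda e: e[2] in PASSWORD_VALIDATORS)
    if not preauth:
        findings.append("missing preauth line")
    if preauth and env and preauth[0] < env[0]:
        findings.append("preauth line must be below pam_env.so")
    if preauth and validators and preauth[0] > validators[0]:
        findings.append("preauth line must be above password validation modules")
    if not authfail:
        findings.append("missing authfail line")
    if authfail and validators and authfail[0] < validators[-1]:
        findings.append("authfail line must be after all password validation modules")
    if not any(e[0] == "account" and e[2] == "pam_faillock.so" for e in entries):
        findings.append("missing account line")
    return findings

# Constructed sample: the compliant ordering from the example above.
GOOD_STACK = """
auth required pam_env.so
auth required pam_faillock.so preauth silent audit deny=5 unlock_time=900 even_deny_root
auth sufficient pam_unix.so try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900 even_deny_root
account required pam_faillock.so
"""
# Constructed sample: authfail placed above pam_unix.so and no account line.
BAD_STACK = """
auth required pam_faillock.so preauth silent audit deny=5 unlock_time=900 even_deny_root
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900 even_deny_root
auth sufficient pam_unix.so try_first_pass
"""
```

Run it against the contents of /etc/pam.d/system-auth and /etc/pam.d/password-auth before rebooting or logging out, since a misordered stack is what locks you out.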

See Also

https://workbench.cisecurity.org/benchmarks/15964