4.4.2.1.3 Ensure password unlock time is configured

Information

unlock_time=<n> - The access will be re-enabled after

seconds after the lock out. The value 0 has the same meaning as value never - the access will not be re-enabled without resetting the faillock entries by the faillock(8) command.

Note:

- The default directory that pam_faillock uses is usually cleared on system boot so the access will be also re-enabled after system reboot. If that is undesirable a different tally directory must be set with the dir option.
- It is usually undesirable to permanently lock out users as they can become easily a target of denial of service attack unless the usernames are random and kept secret to potential attackers.
- The maximum configurable value for unlock_time is 604800

Locking out user IDs after

n

unsuccessful consecutive login attempts mitigates brute force password attacks against your systems.

Solution

Edit the files /etc/pam.d/system-auth and /etc/pam.d/password-auth :

Edit the files /etc/pam.d/system-auth and /etc/pam.d/password-auth :

Add the following lines to the auth section:

auth required pam_faillock.so preauth silent audit deny=5 unlock_time=900 even_deny_root
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900 even_deny_root

The auth sections should look similar to the following example:

Example:

auth required pam_env.so
auth required pam_faillock.so preauth silent audit deny=5 unlock_time=900 even_deny_root # <- Under "auth required pam_env.so"
auth sufficient pam_unix.so try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900 even_deny_root # <- Last auth line before "auth requisite pam_succeed_if.so"
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so

WARNING: The ordering on the lines in the auth section is important. The preauth line needs to below the line auth required pam_env.so and above all password validation lines. The authfail line needs to be after all password validation lines such as pam_sss.so Incorrect order can cause you to be locked out of the system.

Impact:

Use of unlock_time=0 may allow an attacker to cause denial of service to legitimate users. This will also require a systems administrator with elevated privileges to unlock the account.

See Also

https://workbench.cisecurity.org/benchmarks/15964