Detections
Analytics

5.3.2.1.1 Ensure password failed attempts lockout is configured

Information

The deny=<n> option will deny access if the number of consecutive authentication failures for this user during the recent interval exceeds.

Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems.

Solution

Create or edit the administrator customization file /etc/security/faillock.conf and set the deny option to 5 or less:

deny = 5

Example

# printf '%s\n' "" "deny = 5" >> /etc/security/faillock.conf

See Also

https://workbench.cisecurity.org/benchmarks/26236

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-1, 800-53|AC-2, 800-53|AC-2(1), CSCv7|16.7

Plugin: Unix

Control ID: 7ba5df6f992e19c424617ecb63172f9cb2f78ca09d28d2cfb2f3b7aef2992be8