Detections
Analytics

5.3.2.1.3 Ensure password failed attempts lockout includes root account

Information

even_deny_root - Root account can become locked as well as regular accounts

root_unlock_time=n - This option implies even_deny_root option. Allow access after n seconds to root account after the account is locked. In case the option is not specified the value is the same as of the unlock_time option.

Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems.

Solution

Create or edit the administrator customization file /etc/security/faillock.conf and update or add the following line:

 - Remove or update any line containing root_unlock_time, - OR - set it to a value of 60 or more
 - Update or add the following line:

even_deny_root

Example

# printf '%s\n' "" "even_deny_root" >> /etc/security/faillock.conf

Impact:

Use of unlock_time=0 or root_unlock_time=0 may allow an attacker to cause denial of service to legitimate users.

See Also

https://workbench.cisecurity.org/benchmarks/26236

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-1, 800-53|AC-2, 800-53|AC-2(1), CSCv7|16.7

Plugin: Unix

Control ID: 6654dd9f5ad66ca8692f58fcaa3b84084f08421c2257df9f3a43ecd1fbb8a8cd