Detections
Analytics

5.4.2 Ensure lockout for failed password attempts is configured - common-auth unlock_time

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

Lock out users after n unsuccessful consecutive login attempts.

 These settings are commonly configured with the pam_faillock.so module. Some environments may continue using the pam_tally2.so module, where this older method may simplify automation in mixed environments.

 Set the lockout number in deny= to the policy in effect at your site.

 unlock_time=_n_ is the number of seconds the account remains locked after the number of attempts configured in deny=_n_ has been met.

 Notes:

 Additional module options may be set, recommendation only covers those listed here.

 If you want to require the administrator to unlock accounts, leave off the unlock_time option

 The default location for attempted accesses is recorded in /var/log/tallylog

 Use of the 'audit' keyword may log credentials in the case of user error during authentication. This risk should be evaluated in the context of the site policies of your organization.

 You may also lock out root, this should be considered carefully due to the ability to have this setting lock all access to the system

 As an option on the same line:

 auth required pam_tally2.so deny=5 even_deny_root unlock_time=900

 To define a different lockout time for root:

 auth required pam_tally2.so deny=5 root_unlock_time=120 unlock_time=900

 If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= in the pam_tally2.so module, the user can be unlocked by issuing following command. This command sets the failed count to 0, effectively unlocking the user.

 # pam_tally2 -u <username> --reset




 Rationale:

 Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems.

Solution

Modify the deny= and unlock_time= parameters to conform to local site policy, Not to be greater than deny=5:
 Edit the file /etc/pam.d/common-auth and add the following line:

 auth required pam_tally2.so deny=5 onerr=fail unlock_time=900

 Note: The ordering on the lines is important. The additional line needs to below the line auth required pam_env.so and above all password validation lines.
 Example:

 auth required pam_env.so
 auth required pam_tally2.so deny=5 onerr=fail unlock_time=900
 auth sufficient pam_unix.so nullok try_first_pass
 auth required pam_deny.so

 Edit the /etc/pam.d/common-account file and add the following pam_tally2.so line:

 account required pam_tally2.so

See Also

https://workbench.cisecurity.org/files/3288

Item Details

References: CSCv7|16.7

Plugin: Unix

Control ID: 243d0d5cda05f0386ec821efda1a32cf38920c1e99301174a02708e1a6e2164c