5.4.2 Ensure lockout for failed password attempts is configured

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

Lock out users after n unsuccessful consecutive login attempts. The first set of changes is made to the common PAM configuration files. The second set of changes is applied to the program-specific PAM configuration file and must be repeated for each program that is to lock out users. Check the documentation for each such program for instructions on how to configure it to work with PAM.

All faillock configuration lives in /etc/security/faillock.conf, which is well commented. The options relevant to this audit are:

deny - Deny access if the number of consecutive authentication failures for this user during the recent interval exceeds n tries.

fail_interval - The length of the interval, in seconds, during which the consecutive authentication failures must happen for the user account to be locked out.

unlock_time - The access will be re-enabled after n seconds after the lock out. The value 0 has the same meaning as value never - the access will not be re-enabled without resetting the faillock entries by the faillock command.

Set the lockout number and unlock time in accordance with local site policy.

Rationale:

Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems.

Impact:

It is critical to test and validate any PAM changes before deploying. Any misconfiguration could cause the system to be inaccessible.

Solution

NOTE: Pay special attention to the configuration. Incorrect configuration can lock every user out of the system. The stanzas below are an example configuration; your files may differ because of previous changes to them.
Common auth
Edit /etc/pam.d/common-auth and ensure that faillock is configured.
Note: It is critical to understand each line and its arguments before implementing this. The order of these entries is specific: the pam_faillock.so lines surround the pam_unix.so line, with preauth before it and authfail and authsucc after it. The comment 'Added to enable faillock' highlights the added lines and their position in the file.

# here are the per-package modules (the 'Primary' block)
auth required pam_faillock.so preauth # Added to enable faillock
auth [success=1 default=ignore] pam_unix.so nullok
auth [default=die] pam_faillock.so authfail # Added to enable faillock
auth sufficient pam_faillock.so authsucc # Added to enable faillock
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the 'Additional' block)
auth optional pam_cap.so
# end of pam-auth-update config

Common account
Edit /etc/pam.d/common-account and ensure that the following stanza is at the end of the file.

account required pam_faillock.so

Fail lock configuration
Edit /etc/security/faillock.conf and configure it per your site policy.
Example:

deny = 4
fail_interval = 900
unlock_time = 600
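The procedure above touches three files, and a mistake in any of them (a misordered pam_faillock.so line, or a misspelt key in faillock.conf that the module does not recognise) leaves the control ineffective without any obvious error at login. The following POSIX shell script is an added example, not part of the CIS benchmark or the pam_faillock project: it reads a faillock.conf, a common-auth and a common-account file and reports whether each matches the configuration described above. The thresholds it enforces (deny at most 5, fail_interval at least 900, unlock_time either 0/never or at least 600) are assumptions standing in for local site policy, and the sample files it builds are constructed for the demonstration, not copies of real system files.

```shell
#!/bin/sh
# Added audit helper, not taken from the CIS page or from pam_faillock itself.
# It checks a faillock.conf, a common-auth and a common-account file against
# the configuration described above. Paths are arguments, so it can be run
# against /etc/security/faillock.conf, /etc/pam.d/common-auth and
# /etc/pam.d/common-account, or against the constructed samples built below.

is_num() { case $1 in ''|*[!0-9]*) return 1 ;; esac; }

# Print the effective value of a faillock.conf key: the last uncommented
# "key = value" line, tolerant of spaces around '='. Prints nothing if unset.
faillock_value() {  # $1 = key name, $2 = path to faillock.conf
    sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$2" | tail -n 1
}

# Return 0 when faillock.conf carries explicit settings within policy:
# deny <= 5, fail_interval >= 900, unlock_time 0 or never (manual reset only)
# or >= 600. The thresholds are assumptions standing in for site policy.
# A missing or unparsable key fails the check even though the module would
# fall back to its compiled default: the value should be set deliberately.
check_faillock_conf() {
    deny=$(faillock_value deny "$1")
    interval=$(faillock_value fail_interval "$1")
    unlock=$(faillock_value unlock_time "$1")
    [ "$unlock" = never ] && unlock=0
    is_num "$deny" && [ "$deny" -le 5 ] || return 1
    is_num "$interval" && [ "$interval" -ge 900 ] || return 1
    is_num "$unlock" || return 1
    [ "$unlock" -eq 0 ] || [ "$unlock" -ge 600 ]
}

# Line number of the first active auth line matching pattern $1 in text $2.
auth_pos() { printf '%s\n' "$2" | grep "$1" | head -n 1 | cut -d: -f1; }

# Return 0 when the active auth lines of common-auth contain the three
# pam_faillock.so entries in the order shown above: preauth before
# pam_unix.so, then authfail, then authsucc.
check_common_auth() {
    active=$(grep -n '^[[:space:]]*auth[[:space:]]' "$1")
    pre=$(auth_pos 'pam_faillock\.so.*preauth' "$active")
    unix_pos=$(auth_pos 'pam_unix\.so' "$active")
    fail=$(auth_pos 'pam_faillock\.so.*authfail' "$active")
    succ=$(auth_pos 'pam_faillock\.so.*authsucc' "$active")
    [ -n "$pre" ] && [ -n "$unix_pos" ] && [ -n "$fail" ] && [ -n "$succ" ] || return 1
    [ "$pre" -lt "$unix_pos" ] && [ "$unix_pos" -lt "$fail" ] && [ "$fail" -lt "$succ" ]
}

# Return 0 when common-account carries the required pam_faillock.so line.
check_common_account() {
    grep -Eq '^[[:space:]]*account[[:space:]]+required[[:space:]]+pam_faillock\.so' "$1"
}

# Constructed samples (not real system files) in a temporary directory that
# is removed when the script exits.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/faillock.conf.good" <<'EOF'
deny = 4
fail_interval = 900
unlock_time = 600
EOF
# deny is too permissive, and "unlock time" (space, not underscore) is not
# the unlock_time option, so the intended lockout duration never applies.
cat > "$demo/faillock.conf.bad" <<'EOF'
deny = 10
fail_interval = 900
unlock time = 600
EOF
cat > "$demo/common-auth.good" <<'EOF'
auth required pam_faillock.so preauth
auth [success=1 default=ignore] pam_unix.so nullok
auth [default=die] pam_faillock.so authfail
auth sufficient pam_faillock.so authsucc
auth requisite pam_deny.so
auth required pam_permit.so
EOF
# Misordered: preauth must precede pam_unix.so so that a locked-out user is
# refused before the password is even checked.
cat > "$demo/common-auth.bad" <<'EOF'
auth [success=1 default=ignore] pam_unix.so nullok
auth required pam_faillock.so preauth
auth [default=die] pam_faillock.so authfail
auth sufficient pam_faillock.so authsucc
EOF
printf 'account required pam_faillock.so\n' > "$demo/common-account"

report() {  # $1 = label, remaining arguments = check to run
    label=$1; shift
    if "$@"; then echo "PASS: $label"; else echo "FAIL: $label"; fi
}
report "faillock.conf (good)" check_faillock_conf "$demo/faillock.conf.good"
report "faillock.conf (bad)"  check_faillock_conf "$demo/faillock.conf.bad"
report "common-auth (good)"   check_common_auth "$demo/common-auth.good"
report "common-auth (bad)"    check_common_auth "$demo/common-auth.bad"
report "common-account"       check_common_account "$demo/common-account"
```

Run as-is it prints PASS for the two good samples and the account file and FAIL for the two bad ones. To audit a real host, call the three check functions with /etc/security/faillock.conf, /etc/pam.d/common-auth and /etc/pam.d/common-account instead of the constructed samples; the script only reads the files it is given. The check deliberately treats a missing faillock.conf key as a failure rather than assuming the module default, because the whole point of the control is that the values are set to site policy on purpose.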

Additional Information:

If a user has been locked out because they have reached the maximum consecutive failure count defined by deny in faillock.conf (or on the pam_faillock.so line), the user can be unlocked by issuing the command /usr/sbin/faillock --user username --reset. This command sets the failed count to 0, effectively unlocking the user. Running /usr/sbin/faillock --user username without --reset lists the recorded failures for that user, which is useful for confirming a lockout before clearing it.

See Also

https://workbench.cisecurity.org/files/4068