Detections
Analytics

1.47 UBTU-24-200610

Information

The operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts have been made.

GROUP ID: V-270690
RULE ID: SV-270690r1067126

By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.

Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128

Solution

Configure the operating system to utilize the "pam_faillock" module.

Add or modify the following lines in the "/etc/pam.d/common-auth" file, below the "auth" definition for "pam_unix.so":

auth [default=die] pam_faillock.so authfail
auth sufficient pam_faillock.so authsucc

Configure the "pam_faillock" module to use the following options.

Add or modify the following lines in the "/etc/security/faillock.conf" file:

audit
silent
deny = 3
fail_interval = 900
unlock_time = 0

See Also

https://workbench.cisecurity.org/benchmarks/22775

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-7a., 800-53|AC-7b., CAT|III, CCI|CCI-000044, CCI|CCI-002238, CSCv7|16.7, Rule-ID|SV-270690r1067126_rule, STIG-ID|UBTU-24-200610, Vuln-ID|V-270690

Plugin: Unix

Control ID: 27af52c7e827bbfd79462d3f6ebadf1035f9dd865b3e8247ed769aca1604c7c6