UBTU-18-010033 - The Ubuntu operating system must be configured so that three consecutive invalid logon attempts by a user automatically locks the account until released by an administrator.

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.
Satisfies: SRG-OS-000329-GPOS-00128

Solution

Configure the Ubuntu operating system to use the 'pam_faillock' module.

Edit the /etc/pam.d/common-auth file.

Add the following lines below the 'auth' definition for pam_unix.so:
auth [default=die] pam_faillock.so authfail
auth sufficient pam_faillock.so authsucc

Configure the 'pam_faillock' module to use the following options:

Edit the /etc/security/faillock.conf file and add/update the following keywords and values:
audit
silent
deny = 3
fail_interval = 900
unlock_time = 0
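The following POSIX shell script is an added verification example and is not part of the STIG or the Tenable audit. It checks that /etc/security/faillock.conf carries the keywords listed above (audit, silent, deny = 3, fail_interval = 900, unlock_time = 0) and that /etc/pam.d/common-auth contains the two pam_faillock.so lines placed after the pam_unix.so 'auth' entry. The sample file contents embedded in the script are constructed for the stand-alone run; pass the real file paths as arguments to check a live system.

```shell
#!/bin/sh
# Added example: verify the pam_faillock settings described in UBTU-18-010033.
# Usage: sh faillock_check.sh [/etc/security/faillock.conf] [/etc/pam.d/common-auth]
# With no arguments the constructed samples below are checked instead.

# Constructed sample of a compliant faillock.conf (not taken from the audit page).
SAMPLE_FAILLOCK_CONF='# constructed example
audit
silent
deny = 3
fail_interval = 900
unlock_time = 0
'

# Constructed sample of a compliant common-auth (not taken from the audit page).
SAMPLE_COMMON_AUTH='# constructed example
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth [default=die] pam_faillock.so authfail
auth sufficient pam_faillock.so authsucc
auth requisite pam_deny.so
auth required pam_permit.so
'

# check_faillock_conf CONF_TEXT
# Prints one FAIL line per missing or wrong setting; returns 1 if any finding.
# Commented-out lines are ignored; for key = value settings the last
# uncommented occurrence wins.
check_faillock_conf() {
    fc_conf=$1
    rc=0
    for kw in audit silent; do
        if ! printf '%s\n' "$fc_conf" | grep -Eq "^[[:space:]]*$kw[[:space:]]*$"; then
            echo "FAIL: '$kw' is not set"; rc=1
        fi
    done
    for spec in "deny=3" "fail_interval=900" "unlock_time=0"; do
        key=${spec%%=*}; want=${spec#*=}
        got=$(printf '%s\n' "$fc_conf" \
            | sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$/\1/p" \
            | tail -n 1)
        if [ "$got" != "$want" ]; then
            echo "FAIL: $key is '${got:-unset}', expected $want"; rc=1
        fi
    done
    return $rc
}

# check_common_auth AUTH_TEXT
# Requires the authfail and authsucc lines and checks that authfail sits
# below the pam_unix.so 'auth' line, as the Solution text requires.
check_common_auth() {
    ca_text=$1
    rc=0
    unix_ln=$(printf '%s\n' "$ca_text" \
        | grep -nE '^[[:space:]]*auth[[:space:]].*pam_unix\.so' | head -n 1 | cut -d: -f1)
    fail_ln=$(printf '%s\n' "$ca_text" \
        | grep -nE '^[[:space:]]*auth[[:space:]]+\[default=die\][[:space:]]+pam_faillock\.so[[:space:]]+authfail' \
        | head -n 1 | cut -d: -f1)
    succ_ln=$(printf '%s\n' "$ca_text" \
        | grep -nE '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_faillock\.so[[:space:]]+authsucc' \
        | head -n 1 | cut -d: -f1)
    [ -n "$fail_ln" ] || { echo "FAIL: 'auth [default=die] pam_faillock.so authfail' line missing"; rc=1; }
    [ -n "$succ_ln" ] || { echo "FAIL: 'auth sufficient pam_faillock.so authsucc' line missing"; rc=1; }
    if [ -n "$unix_ln" ] && [ -n "$fail_ln" ] && [ "$fail_ln" -le "$unix_ln" ]; then
        echo "FAIL: pam_faillock authfail line must come after the pam_unix.so auth line"; rc=1
    fi
    return $rc
}

# Stand-alone run: live files if given, otherwise the constructed samples.
if [ $# -ge 1 ]; then conf_text=$(cat "$1"); else conf_text=$SAMPLE_FAILLOCK_CONF; fi
if [ $# -ge 2 ]; then auth_text=$(cat "$2"); else auth_text=$SAMPLE_COMMON_AUTH; fi
check_faillock_conf "$conf_text" && echo "faillock.conf: PASS"
check_common_auth "$auth_text" && echo "common-auth: PASS"
```

Because unlock_time = 0 means the lock never expires on its own, an administrator releases a locked account with faillock --user <name> --reset; the script only checks configuration and does not touch the tally files.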

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_CAN_Ubuntu_18-04_LTS_V2R8_STIG.zip

Item Details

References: CAT|II, CCI|CCI-000044, CCI|CCI-002238, Rule-ID|SV-219166r802355_rule, STIG-ID|UBTU-18-010033, STIG-Legacy|SV-109663, STIG-Legacy|V-100559, Vuln-ID|V-219166

Plugin: Unix

Control ID: 2ee82459c6caccf1721ca11f8ff3abb2d6da238673375c174408e1d2ee99ee71