Skip to content

5.4.2 Ensure lockout for failed password attempts is configured

Audit#

Verify password lockouts are configured. These settings are commonly configured with the pam_faillock.so module found in /etc/pam.d/common-auth and /etc/pam.d/common-account.

Common auth

Run the following command to verify pam_faillock.so is configured in /etc/pam.d/common-auth: 

# grep "pam_faillock.so" /etc/pam.d/common-auth

Verify the output includes the three pam_faillock.so lines: 

auth required pam_faillock.so preauth
auth [default=die] pam_faillock.so authfail
auth sufficient pam_faillock.so authsucc

Common account

Run the following command to verify pam_faillock.so is configured in /etc/pam.d/common-account: 

# grep "pam_faillock.so" /etc/pam.d/common-account

Verify the output matches: 

account required pam_faillock.so

Fail lock configuration

Run the following command to verify deny, fail_interval, and unlock time are configured in /etc/security/faillock.conf: 

awk '/^ *deny *=/\
||/^ *fail_interval *=/\
||/^ *unlock_time *=/' /etc/security/faillock.conf

Verify the output:

  • deny is not greater than 4
  • fail_interval is no greater than 900
  • unlock_time is 0, or greater than or equal to 600
  • Settings follow local site policy

Example: 

deny = 4
fail_interval = 900
unlock time = 600

Remediation#

NOTE: Pay special attention to the configuration. Incorrect configuration can cause system lock outs. This is example configuration. You configuration may differ based on previous changes to the files.

Common auth

Edit /etc/pam.d/common-auth and ensure that faillock is configured.

Note: It is critical to understand each line and the relevant arguments for successful implementation. The order of these entries is very specific. The pam_faillock.so lines surround the pam_unix.so line. The comment "Added to enable faillock" is shown to highlight the additional lines and their order in the file. 

# here are the per-package modules (the "Primary" block)
auth required pam_faillock.so preauth # Added to enable faillock
auth [success=1 default=ignore] pam_unix.so nullok
auth [default=die] pam_faillock.so authfail # Added to enable faillock
auth sufficient pam_faillock.so authsucc # Added to enable faillock
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth optional pam_cap.so
# end of pam-auth-update config

Common account

Edit /etc/pam.d/common-account and ensure that the following stanza is at the end of the file. 

account required pam_faillock.so

Fail lock configuration

Edit /etc/security/faillock.conf and configure it per your site policy.

Example: 

deny = 4
fail_interval = 900
unlock time = 600