Skip to content

5.3.2.2 Ensure pam_faillock module is enabled

Audit#

Run the following commands to verify that pam_faillock is enabled: 

# grep -P -- '\bpam_faillock\.so\b' /etc/pam.d/common-{auth,account}

Output should be similar to: 

/etc/pam.d/common-auth:auth requisite pam_faillock.so preauth
/etc/pam.d/common-auth:auth [default=die] pam_faillock.so authfail
/etc/pam.d/common-account:account required pam_faillock.so

Remediation#

Create two pam-auth-update profiles in /usr/share/pam-configs/: 1. Create the faillock profile in /usr/share/pam-configs/ with the following lines: 

Name: Enable pam_faillock to deny access
Default: yes
Priority: 0
Auth-Type: Primary
Auth:
[default=die] pam_faillock.so authfail

Example Script: 

1
2
3
4
5
#!/usr/bin/env bash
{
arr=('Name: Enable pam_faillock to deny access' 'Default: yes' 'Priority: 0' 'Auth-Type: Primary' 'Auth:' ' [default=die] pam_faillock.so authfail')
printf '%s\n' "${arr[@]}" > /usr/share/pam-configs/faillock
}

  1. Create the faillock_notify profile in /usr/share/pam-configs/ with the following lines: 
    Name: Notify of failed login attempts and reset count upon success
Default: yes
Priority: 1024
Auth-Type: Primary
Auth:
requisite pam_faillock.so preauth
Account-Type: Primary
Account:
required pam_faillock.so

Example Script: 

1
2
3
4
5
#!/usr/bin/env bash
{
arr=('Name: Notify of failed login attempts and reset count upon success' 'Default: yes' 'Priority: 1024' 'Auth-Type: Primary' 'Auth:' ' requisite pam_faillock.so preauth' 'Account-Type: Primary' 'Account:' ' required pam_faillock.so')
printf '%s\n' "${arr[@]}" > /usr/share/pam-configs/faillock_notify
}

Run the following command to update the common-auth and common-account PAM files with the new profiles: 

# pam-auth-update --enable <profile_filename>

Example: 

# pam-auth-update --enable faillock
# pam-auth-update --enable faillock_notify

Note: - The name used for the file must be used in the pam-auth-update --enable command - The Name: line should be easily recognizable and understood - The Priority: Line is important as it effects the order of the lines in the /etc/pam.d/ files - If a site specific custom profile is being used in your environment to configure PAM that includes the configuration for the pam_faillock module, enable that module instead