
5.3.3.1.1 Ensure password failed attempts lockout is configured

Audit

Run the following command to verify that the number of failed logon attempts before the account is locked (the deny option in /etc/security/faillock.conf) is set, is no greater than 5, and meets local site policy:

# grep -Pi -- '^\h*deny\h*=\h*[1-5]\b' /etc/security/faillock.conf
deny = 5

Run the following command to verify that no deny argument on a pam_faillock.so line in /etc/pam.d/common-auth overrides the configuration file with a value of 0 or greater than 5. Module arguments take precedence over /etc/security/faillock.conf, so any deny argument present there must be between 1 and 5 and meet local site policy:

# grep -Pi -- '^\h*auth\h+(requisite|required|sufficient)\h+pam_faillock\.so\h+([^#\n\r]+\h+)?deny\h*=\h*(0|[6-9]|[1-9][0-9]+)\b' /etc/pam.d/common-auth
Nothing should be returned
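
The two audit greps above, reimplemented as an added example (not part of the CIS benchmark text) so the logic can be exercised against constructed sample files before it is pointed at the real /etc/security/faillock.conf and /etc/pam.d/common-auth. It assumes that the last uncommented deny line in faillock.conf is the one pam_faillock applies and that a deny= module argument overrides the file. It also goes slightly beyond the page's second grep by inspecting pam_faillock.so lines whose control field is a bracketed value such as [default=die], since a deny= argument there is just as much an override. The file paths, sample file contents and function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the CIS benchmark text): the two audit checks for
# 5.3.3.1.1 as shell functions that take file paths, so they can be run against
# the constructed sample files below or against the real
# /etc/security/faillock.conf and /etc/pam.d/common-auth.
# Assumptions: the last uncommented "deny = N" in faillock.conf is the one that
# applies, and a deny= module argument overrides the configuration file.

# Effective "deny" value from a faillock.conf-style file, or nothing if unset.
# Commented-out lines such as "# deny = 3" are ignored, like the benchmark's grep.
faillock_deny() {
  grep -iE '^[[:blank:]]*deny[[:blank:]]*=[[:blank:]]*[0-9]+[[:blank:]]*$' "$1" 2>/dev/null \
    | sed -E 's/.*=[[:blank:]]*([0-9]+).*/\1/' \
    | tail -n 1
}

# deny= given as a module argument on an "auth <control> pam_faillock.so" line of
# a pam.d file. Unlike the benchmark's grep, the control field may also be a
# bracketed value such as [default=die]. Trailing comments are stripped first.
# Prints nothing if no such argument exists.
pam_deny_override() {
  grep -iE '^[[:blank:]]*auth[[:blank:]]+(\[[^]]*\]|[[:alpha:]]+)[[:blank:]]+pam_faillock\.so[[:blank:]]' "$1" 2>/dev/null \
    | sed -E 's/#.*$//' \
    | grep -oiE '(^|[[:blank:]])deny[[:blank:]]*=[[:blank:]]*[0-9]+' \
    | sed -E 's/.*=[[:blank:]]*//' \
    | tail -n 1
}

# Both checks together: deny must be set in faillock.conf, and whichever value
# actually applies (module argument first, then the file) must be 1..5.
# Prints a verdict and returns 0 for PASS, 1 for FAIL.
audit_lockout() {
  conf=$1
  pamfile=$2
  deny=$(faillock_deny "$conf")
  override=$(pam_deny_override "$pamfile")
  if [ -z "$deny" ]; then
    echo "FAIL: deny is not set in $conf (pam_faillock would fall back to its default of 3)"
    return 1
  fi
  effective=$deny
  origin=$conf
  if [ -n "$override" ]; then
    effective=$override   # module argument wins over the configuration file
    origin=$pamfile
  fi
  if [ "$effective" -eq 0 ] || [ "$effective" -gt 5 ]; then
    echo "FAIL: effective deny=$effective (from $origin) is 0 or greater than 5"
    return 1
  fi
  echo "PASS: effective deny=$effective (from $origin)"
  return 0
}

# Constructed sample files standing in for the real ones.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
GOOD_CONF=$tmp/faillock.conf
UNSET_CONF=$tmp/faillock-unset.conf
GOOD_PAM=$tmp/common-auth
OVERRIDE_PAM=$tmp/common-auth-override

cat > "$GOOD_CONF" <<'EOF'
# constructed faillock.conf: the commented default must not count
# deny = 3
deny = 5
unlock_time = 900
EOF
cat > "$UNSET_CONF" <<'EOF'
# constructed faillock.conf with deny left unset
unlock_time = 900
EOF
cat > "$GOOD_PAM" <<'EOF'
# constructed common-auth: faillock enabled, no deny= module argument
auth    requisite                   pam_faillock.so preauth
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    [default=die]               pam_faillock.so authfail
auth    sufficient                  pam_faillock.so authsucc
EOF
cat > "$OVERRIDE_PAM" <<'EOF'
# constructed common-auth: deny=10 on the module lines overrides faillock.conf
auth    requisite                   pam_faillock.so preauth deny=10 unlock_time=900
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    [default=die]               pam_faillock.so authfail deny=10
auth    sufficient                  pam_faillock.so authsucc
EOF

audit_lockout "$GOOD_CONF" "$GOOD_PAM" || true       # PASS
audit_lockout "$UNSET_CONF" "$GOOD_PAM" || true      # FAIL: deny unset
audit_lockout "$GOOD_CONF" "$OVERRIDE_PAM" || true   # FAIL: deny=10 override
```

To get the same verdict for a real host, call audit_lockout with /etc/security/faillock.conf and /etc/pam.d/common-auth. Note that the benchmark's own second grep only looks at requisite, required and sufficient lines, so a deny= argument on an authfail line with a bracketed control field is missed by it but reported here.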

Remediation

Create or edit the following line in /etc/security/faillock.conf, setting the deny option to a value between 1 and 5 that meets local site policy:

deny = 5

Run the following command:

# grep -Pl -- '\bpam_faillock\.so\h+([^#\n\r]+\h+)?deny\b' /usr/share/pam-configs/*

Edit any returned files and remove the deny= arguments from the pam_faillock.so line(s), so that the value in /etc/security/faillock.conf is the one that applies. Profiles under /usr/share/pam-configs/ are only written into /etc/pam.d/common-auth by pam-auth-update, so run it after editing the profile.

Default Value: deny = 3