5.3.3.1.2 Ensure password unlock time is configured

Audit

Run the following command to verify that the time in seconds before the account is unlocked is either 0 (never) or 900 (15 minutes) or more and meets local site policy:

# grep -Pi -- '^\h*unlock_time\h*=\h*(0|9[0-9][0-9]|[1-9][0-9]{3,})\b' /etc/security/faillock.conf
unlock_time = 900

Run the following command to verify that the unlock_time argument has not been set, or is either 0 (never) or 900 (15 minutes) or more and meets local site policy:

# grep -Pi -- '^\h*auth\h+(requisite|required|sufficient)\h+pam_faillock\.so\h+([^#\n\r]+\h+)?unlock_time\h*=\h*([1-9]|[1-9][0-9]|[1-8][0-9][0-9])\b' /etc/pam.d/common-auth
Nothing should be returned
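The two audit conditions above, re-implemented as an added example (not the benchmark's own script) in POSIX sh/awk so they can be exercised against constructed sample files rather than the live system; the function names, file names and sample values are assumptions.

```shell
#!/bin/sh
# Added example: the two audit checks above as functions over arbitrary files.

# Effective unlock_time from a faillock.conf-style file (last uncommented
# assignment wins, case-insensitive). Empty output means "not set".
faillock_unlock_time() {
    awk -F= '/^[[:space:]]*#/ { next }
        tolower($1) ~ /^[[:space:]]*unlock_time[[:space:]]*$/ {
            gsub(/[[:space:]]/, "", $2); val = $2 }
        END { if (val != "") print val }' "$1"
}

# Any unlock_time override in the non-compliant 1-899 range on a
# pam_faillock.so auth line (mirrors the second grep above).
pam_unlock_override() {
    awk '/^[[:space:]]*#/ { next }
        $1 == "auth" && $2 ~ /^(requisite|required|sufficient)$/ &&
        $3 == "pam_faillock.so" {
            for (i = 4; i <= NF; i++)
                if ($i ~ /^unlock_time=[0-9]+$/) {
                    v = substr($i, 13) + 0
                    if (v >= 1 && v <= 899) print v } }' "$1"
}

# 0 = compliant: conf value is 0 or >= 900 and no PAM line lowers it.
# An unset value fails too, since the 600 default is below 900.
check_unlock_time() {
    conf=$(faillock_unlock_time "$1")
    if [ -z "$conf" ]; then
        echo "FAIL: unlock_time not set in $1 (default 600 applies)"; return 1
    fi
    if [ "$conf" -ne 0 ] && [ "$conf" -lt 900 ]; then
        echo "FAIL: unlock_time = $conf in $1 is below 900"; return 1
    fi
    override=$(pam_unlock_override "$2")
    if [ -n "$override" ]; then
        echo "FAIL: pam_faillock.so sets unlock_time=$override in $2"; return 1
    fi
    echo "PASS: unlock_time = $conf, no PAM override"
}

# Constructed sample files (not from a real system) exercising both checks.
tmp=$(mktemp -d)
printf '# constructed\ndeny = 5\n  UNLOCK_TIME  =  900\n' > "$tmp/good.conf"
printf 'unlock_time = 600\n' > "$tmp/bad.conf"
printf 'auth required pam_faillock.so preauth silent\n' > "$tmp/good-auth"
printf 'auth required pam_faillock.so authfail unlock_time=300\n' > "$tmp/bad-auth"
check_unlock_time "$tmp/good.conf" "$tmp/good-auth"        # PASS
check_unlock_time "$tmp/bad.conf"  "$tmp/good-auth" || :   # FAIL: 600
check_unlock_time "$tmp/good.conf" "$tmp/bad-auth"  || :   # FAIL: PAM override
```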

Remediation

Set password unlock time to conform to site policy. unlock_time should be 0 (never), or 900 seconds or greater. Edit /etc/security/faillock.conf and update or add the following line:

unlock_time = 900

Run the following command to find any PAM profile that still passes an unlock_time argument to the pam_faillock.so module:

# grep -Pl -- '\bpam_faillock\.so\h+([^#\n\r]+\h+)?unlock_time\b' /usr/share/pam-configs/*
Edit any returned files and remove the unlock_time= argument from the pam_faillock.so line(s).

Default Value: unlock_time = 600