
5.3.3.1.3 Ensure password failed attempts lockout includes root account

Audit

Run the following command to verify that even_deny_root and/or root_unlock_time is set:

# grep -Pi -- '^\h*(even_deny_root|root_unlock_time\h*=\h*\d+)\b' /etc/security/faillock.conf

Example output:

even_deny_root

--AND/OR--

root_unlock_time = 60

Run the following command to verify that, if root_unlock_time is set, its value is 60 (one minute) or more:

# grep -Pi -- '^\h*root_unlock_time\h*=\h*([1-9]|[1-5][0-9])\b' /etc/security/faillock.conf

Nothing should be returned.

Run the following command to check the pam_faillock.so module for the root_unlock_time argument. Verify that, if root_unlock_time is set, its value is 60 (one minute) or more:

# grep -Pi -- '^\h*auth\h+([^#\n\r]+\h+)pam_faillock\.so\h+([^#\n\r]+\h+)?root_unlock_time\h*=\h*([1-9]|[1-5][0-9])\b' /etc/pam.d/common-auth

Nothing should be returned.
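The three audit commands above, combined into one script as an added example (not part of the benchmark page). The functions take file paths as arguments so the checks can be run against copies of the configuration, and constructed sample files stand in for /etc/security/faillock.conf and /etc/pam.d/common-auth. The page's grep -P patterns are translated to grep -E for portability: \h becomes [[:blank:]] and \b becomes ([^[:alnum:]_]|$); the logic is otherwise the same.

```shell
#!/bin/sh
# Added example, not part of the benchmark page: reproduce the 5.3.3.1.3 audit as
# shell functions. grep -P/\h from the page are translated to grep -E/[[:blank:]],
# and word boundaries are spelled out as ([^[:alnum:]_]|$).

# Audit 1: an uncommented even_deny_root or root_unlock_time=N line exists.
has_root_lockout() {
    grep -Eiq '^[[:blank:]]*(even_deny_root([^[:alnum:]_]|$)|root_unlock_time[[:blank:]]*=[[:blank:]]*[0-9]+([^[:alnum:]_]|$))' "$1"
}

# Audit 2: if faillock.conf sets root_unlock_time, it is not in the range 1-59.
# Succeeds when grep finds nothing, matching "Nothing should be returned".
faillock_unlock_time_ok() {
    ! grep -Eiq '^[[:blank:]]*root_unlock_time[[:blank:]]*=[[:blank:]]*([1-9]|[1-5][0-9])([^[:alnum:]_]|$)' "$1"
}

# Audit 3: no auth line loading pam_faillock.so carries root_unlock_time below 60.
pam_unlock_time_ok() {
    ! grep -Eiq '^[[:blank:]]*auth[[:blank:]]+([^#]+[[:blank:]]+)pam_faillock\.so[[:blank:]]+([^#]+[[:blank:]]+)?root_unlock_time[[:blank:]]*=[[:blank:]]*([1-9]|[1-5][0-9])([^[:alnum:]_]|$)' "$1"
}

# Combine the three checks; arguments are the faillock.conf and common-auth to audit.
audit_root_lockout() {
    if has_root_lockout "$1" && faillock_unlock_time_ok "$1" && pam_unlock_time_ok "$2"; then
        echo "PASS: $1 / $2"
        return 0
    fi
    echo "FAIL: $1 / $2"
    return 1
}

# Constructed sample files (not real system files) used to exercise the checks.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/faillock_ok.conf" <<'EOF'
# constructed: compliant
deny = 5
unlock_time = 900
even_deny_root
root_unlock_time = 60
EOF
cat > "$SAMPLE_DIR/faillock_low.conf" <<'EOF'
# constructed: root unlocks after 30 seconds, below the 60 second floor
deny = 5
root_unlock_time = 30
EOF
cat > "$SAMPLE_DIR/faillock_missing.conf" <<'EOF'
# constructed: the setting survives only as a comment, so root is exempt from lockout
# even_deny_root
deny = 5
EOF
cat > "$SAMPLE_DIR/common-auth_ok" <<'EOF'
auth    required                   pam_faillock.so preauth
auth    [success=1 default=ignore] pam_unix.so nullok
auth    [default=die]              pam_faillock.so authfail
auth    sufficient                 pam_faillock.so authsucc
EOF
cat > "$SAMPLE_DIR/common-auth_low" <<'EOF'
auth    required                   pam_faillock.so preauth root_unlock_time=30
auth    [success=1 default=ignore] pam_unix.so nullok
auth    [default=die]              pam_faillock.so authfail root_unlock_time=30
EOF

# Only the first pair is compliant; the others fail one check each.
audit_root_lockout "$SAMPLE_DIR/faillock_ok.conf"      "$SAMPLE_DIR/common-auth_ok"
audit_root_lockout "$SAMPLE_DIR/faillock_low.conf"     "$SAMPLE_DIR/common-auth_ok"
audit_root_lockout "$SAMPLE_DIR/faillock_missing.conf" "$SAMPLE_DIR/common-auth_ok"
audit_root_lockout "$SAMPLE_DIR/faillock_ok.conf"      "$SAMPLE_DIR/common-auth_low"
```

To audit a live system, call audit_root_lockout /etc/security/faillock.conf /etc/pam.d/common-auth; a PASS requires all three conditions, since a pam_faillock.so line in common-auth can override a compliant faillock.conf.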

Remediation

Edit /etc/security/faillock.conf:

- Remove or update any line containing root_unlock_time, -OR- set it to a value of 60 or more
- Update or add the following line:

even_deny_root

Run the following command:

# grep -Pl -- '\bpam_faillock\.so\h+([^#\n\r]+\h+)?(root_unlock_time=([0-9]|[1-5][0-9])\b)' /usr/share/pam-configs/*

Edit any returned files and remove the root_unlock_time arguments from the pam_faillock.so line(s), then run the following command to regenerate the affected PAM files:

# pam-auth-update

Default Value: disabled