← Rules Catalog
mediumaccess-controlunverified

Ensure account lockout after 3 failed logons (RHEL 8.0-8.1 pam.d form)

faillock-pam-deny-legacy · RHEL ≥ 8 · 1 impl

Description

On RHEL 8.0-8.1, pam_faillock must be configured directly in /etc/pam.d/system-auth and /etc/pam.d/password-auth with deny=3. On RHEL 8.2+ this is superseded by /etc/security/faillock.conf and the control is not applicable.

Rationale

Locking an account after repeated failed attempts limits brute-force password guessing.

Check → Remediate

Checkcommand
minor=$(. /etc/os-release 2>/dev/null; echo "${VERSION_ID#*.}")
case "$minor" in
  ''|*[!0-9]*) minor=99 ;;
esac
if [ "$minor" -ge 2 ] 2>/dev/null; then
  echo "NOT APPLICABLE: RHEL 8.$minor uses /etc/security/faillock.conf (see pam-faillock-deny)"
  exit 0
fi
for f in /etc/pam.d/system-auth /etc/pam.d/password-auth; do
  if ! grep -qE '^\s*auth\s+.*pam_faillock\.so.*preauth' "$f" 2>/dev/null; then
    echo "FAIL: $f missing pam_faillock preauth line"; exit 1
  fi
  if ! grep -qE '^\s*auth\s+.*pam_faillock\.so.*(deny=[1-3])(\s|$)' "$f" 2>/dev/null; then
    echo "FAIL: $f pam_faillock deny not set to 3 or less"; exit 1
  fi
done
echo "OK: pam_faillock deny<=3 configured in pam.d"
exit 0
expected_exit:
0
Remediatemanual
note:
On RHEL 8.0-8.1 add pam_faillock preauth/authfail/account lines with deny=3 to /etc/pam.d/system-auth and /etc/pam.d/password-auth.

Framework references

STIG

V-230332 / RHEL-08-020010

NIST 800-53

AC-7
#faillock#account-lockout#pam#legacy#stig