mediumaccess-controlunverified
Ensure account lockout after 3 failed logons (RHEL 8.0-8.1 pam.d form)
faillock-pam-deny-legacy · RHEL ≥ 8 · 1 impl
Description
On RHEL 8.0-8.1, pam_faillock must be configured directly in /etc/pam.d/system-auth and /etc/pam.d/password-auth with deny=3. On RHEL 8.2+ this is superseded by /etc/security/faillock.conf and the control is not applicable.
Rationale
Locking an account after repeated failed attempts limits brute-force password guessing.
Check → Remediate
Checkcommand
minor=$(. /etc/os-release 2>/dev/null; echo "${VERSION_ID#*.}")
case "$minor" in
''|*[!0-9]*) minor=99 ;;
esac
if [ "$minor" -ge 2 ] 2>/dev/null; then
echo "NOT APPLICABLE: RHEL 8.$minor uses /etc/security/faillock.conf (see pam-faillock-deny)"
exit 0
fi
for f in /etc/pam.d/system-auth /etc/pam.d/password-auth; do
if ! grep -qE '^\s*auth\s+.*pam_faillock\.so.*preauth' "$f" 2>/dev/null; then
echo "FAIL: $f missing pam_faillock preauth line"; exit 1
fi
if ! grep -qE '^\s*auth\s+.*pam_faillock\.so.*(deny=[1-3])(\s|$)' "$f" 2>/dev/null; then
echo "FAIL: $f pam_faillock deny not set to 3 or less"; exit 1
fi
done
echo "OK: pam_faillock deny<=3 configured in pam.d"
exit 0
- expected_exit:
- 0
Remediatemanual
- note:
- On RHEL 8.0-8.1 add pam_faillock preauth/authfail/account lines with deny=3 to /etc/pam.d/system-auth and /etc/pam.d/password-auth.
Framework references
STIG
V-230332 / RHEL-08-020010
NIST 800-53
AC-7
#faillock#account-lockout#pam#legacy#stig