← Rules Catalog
highaccess-controlverified rollback-safe

Lock accounts after failed login attempts

pam-faillock-deny · RHEL ≥ 8, UBUNTU ≥ 22 · 2 impls

Description

The system must lock an account after a defined number of consecutive failed login attempts. This is enforced via the pam_faillock module with a deny threshold.

Rationale

Without account lockout, an attacker can perform unlimited password guessing attacks. A lockout threshold of 3-5 attempts provides a strong defense against brute-force attacks while remaining usable for legitimate users who occasionally mistype their password.

Check → Remediate

Checkconfig_value
path:
/etc/security/faillock.conf
key:
deny
expected:
{{ pam_faillock_deny }}
comparator:
<=
Remediateconfig_set
path:
/etc/security/faillock.conf
key:
deny
value:
{{ pam_faillock_deny }}
separator:
=

Framework references

CIS

rhel8 5.3.3.1.1rhel9 5.3.3.1.1rhel10 5.3.2.1.1ubuntu24 5.3.3.1.1ubuntu22 5.3.3.1.1

STIG

V-230333 / RHEL-08-020011V-258054 / RHEL-09-411075V-270690 / UBTU-24-200610V-260549 / UBTU-22-411045V-281194 / RHEL-10-600410

NIST 800-53

AC-7(a)

PCI-DSS v4

8.3.4

Live verification

rhel10:checkrhel8:checkrhel9:checkubuntu22:checkubuntu24:checkubuntu26:check
#pam#authentication#account-lockout#brute-force