highaccess-controlverified ✓rollback-safe
Lock accounts after failed login attempts
pam-faillock-deny · RHEL ≥ 8, UBUNTU ≥ 22 · 2 impls
Description
The system must lock an account after a defined number of consecutive failed login attempts. This is enforced via the pam_faillock module with a deny threshold.
Rationale
Without account lockout, an attacker can perform unlimited password guessing attacks. A lockout threshold of 3-5 attempts provides a strong defense against brute-force attacks while remaining usable for legitimate users who occasionally mistype their password.
Check → Remediate
Checkconfig_value
- path:
- /etc/security/faillock.conf
- key:
- deny
- expected:
- {{ pam_faillock_deny }}
- comparator:
- <=
Remediateconfig_set
- path:
- /etc/security/faillock.conf
- key:
- deny
- value:
- {{ pam_faillock_deny }}
- separator:
- =
Framework references
CIS
rhel8 5.3.3.1.1rhel9 5.3.3.1.1rhel10 5.3.2.1.1ubuntu24 5.3.3.1.1ubuntu22 5.3.3.1.1
STIG
V-230333 / RHEL-08-020011V-258054 / RHEL-09-411075V-270690 / UBTU-24-200610V-260549 / UBTU-22-411045V-281194 / RHEL-10-600410
NIST 800-53
AC-7(a)
PCI-DSS v4
8.3.4
Live verification
rhel10:checkrhel8:checkrhel9:checkubuntu22:checkubuntu24:checkubuntu26:check
#pam#authentication#account-lockout#brute-force