mediumaccess-controlverified ✓rollback-safe
Ensure pam_faillock module is enabled
pam-faillock-enabled · RHEL ≥ 8 · 2 impls
Description
The pam_faillock module must be enabled in the PAM configuration.
Rationale
pam_faillock provides account lockout after failed login attempts, preventing brute-force attacks.
Check → Remediate
Checkcommand
grep -qE '^\s*auth\s+required\s+pam_faillock\.so' /etc/pam.d/system-auth /etc/pam.d/password-auth 2>/dev/null || {
echo "FAIL: pam_faillock not in PAM config"
exit 1
}
dir=$(grep -E '^\s*dir\s*=' /etc/security/faillock.conf 2>/dev/null |
awk -F= '{print $2}' | tr -d ' ')
if [ -z "$dir" ]; then dir="/var/run/faillock"; fi
case "$dir" in
/var/log/*|/var/lib/*|/etc/*) echo "OK: faillock enabled, dir=$dir (persistent)"; exit 0 ;;
/var/run/*|/run/*|/tmp/*) echo "FAIL: faillock dir=$dir (not persistent)"; exit 1 ;;
*) echo "OK: faillock enabled, dir=$dir"; exit 0 ;;
esac
- expected_exit:
- 0
Remediatepam_module_configure
- service:
- system-auth
- module:
- pam_faillock.so
- type:
- auth
- control:
- required
- args:
- preauth silent
Framework references
CIS
rhel9 5.3.2.2rhel10 5.3.1.2rhel8 5.3.2.2
STIG
V-230338
NIST 800-53
AC-7
Live verification
rhel10:checkrhel8:checkrhel9:check
#pam#authentication#faillock