← Rules Catalog
mediumaccess-controlverified rollback-safe

Ensure pam_faillock module is enabled

pam-faillock-enabled · RHEL ≥ 8 · 2 impls

Description

The pam_faillock module must be enabled in the PAM configuration.

Rationale

pam_faillock provides account lockout after failed login attempts, preventing brute-force attacks.

Check → Remediate

Checkcommand
grep -qE '^\s*auth\s+required\s+pam_faillock\.so' /etc/pam.d/system-auth /etc/pam.d/password-auth 2>/dev/null || {
  echo "FAIL: pam_faillock not in PAM config"
  exit 1
}
dir=$(grep -E '^\s*dir\s*=' /etc/security/faillock.conf 2>/dev/null |
  awk -F= '{print $2}' | tr -d ' ')
if [ -z "$dir" ]; then dir="/var/run/faillock"; fi
case "$dir" in
  /var/log/*|/var/lib/*|/etc/*) echo "OK: faillock enabled, dir=$dir (persistent)"; exit 0 ;;
  /var/run/*|/run/*|/tmp/*) echo "FAIL: faillock dir=$dir (not persistent)"; exit 1 ;;
  *) echo "OK: faillock enabled, dir=$dir"; exit 0 ;;
esac
expected_exit:
0
Remediatepam_module_configure
service:
system-auth
module:
pam_faillock.so
type:
auth
control:
required
args:
preauth silent

Framework references

CIS

rhel9 5.3.2.2rhel10 5.3.1.2rhel8 5.3.2.2

STIG

V-230338

NIST 800-53

AC-7

Live verification

rhel10:checkrhel8:checkrhel9:check
#pam#authentication#faillock