highaccess-controlverified ✓rollback-safe
Apply account lockout to root account
pam-faillock-even-deny-root · RHEL ≥ 8 · 1 impl
Description
The account lockout policy must apply to the root account to prevent brute-force attacks against the superuser.
Rationale
The root account is a high-value target for attackers. Applying lockout policies prevents unlimited password guessing attempts against the most privileged account.
Check → Remediate
Checkconfig_value
- path:
- /etc/security/faillock.conf
- key:
- even_deny_root
Remediateconfig_append
- path:
- /etc/security/faillock.conf
- line:
- even_deny_root
Framework references
CIS
rhel9 5.3.3.1.3rhel8 5.3.3.1.3rhel10 5.3.2.1.3
STIG
V-281195 / RHEL-10-600415V-258055 / RHEL-09-411080V-230344V-230345 / RHEL-08-020023
NIST 800-53
AC-7
Live verification
rhel10:checkrhel8:checkrhel9:check
#pam#faillock#root#account-lockout#stig