← Rules Catalog
highaccess-controlverified rollback-safe

Apply account lockout to root account

pam-faillock-even-deny-root · RHEL ≥ 8 · 1 impl

Description

The account lockout policy must apply to the root account to prevent brute-force attacks against the superuser.

Rationale

The root account is a high-value target for attackers. Applying lockout policies prevents unlimited password guessing attempts against the most privileged account.

Check → Remediate

Checkconfig_value
path:
/etc/security/faillock.conf
key:
even_deny_root
Remediateconfig_append
path:
/etc/security/faillock.conf
line:
even_deny_root

Framework references

CIS

rhel9 5.3.3.1.3rhel8 5.3.3.1.3rhel10 5.3.2.1.3

STIG

V-281195 / RHEL-10-600415V-258055 / RHEL-09-411080V-230344V-230345 / RHEL-08-020023

NIST 800-53

AC-7

Live verification

rhel10:checkrhel8:checkrhel9:check
#pam#faillock#root#account-lockout#stig