mediumaccess-controlverified ✓rollback-safe
Configure pam_faillock.so in /etc/pam.d/password-auth
pam-faillock-password-auth · RHEL ≥ 8 · 2 impls
Description
The pam_faillock.so module must be configured in /etc/pam.d/password-auth to enforce account lockout after repeated failed authentication attempts.
Rationale
Without pam_faillock in the password-auth PAM configuration, logins using password-auth will not enforce account lockout, leaving the system exposed to brute-force attacks.
Check → Remediate
Checkcommand
grep -qE '^\s*auth\s+(required|sufficient)\s+pam_faillock\.so' /etc/pam.d/password-auth 2>/dev/null
- expected_exit:
- 0
Remediatepam_module_configure
- service:
- password-auth
- module:
- pam_faillock.so
- type:
- auth
- control:
- required
- args:
- preauth silent
Framework references
STIG
V-281213 / RHEL-10-600610V-258096 / RHEL-09-611035V-244534
NIST 800-53
AC-7
Live verification
rhel8:checkrhel9:check
#pam#authentication#faillock#password-auth