← Rules Catalog
mediumaccess-controlverified rollback-safe

Configure pam_faillock.so in /etc/pam.d/password-auth

pam-faillock-password-auth · RHEL ≥ 8 · 2 impls

Description

The pam_faillock.so module must be configured in /etc/pam.d/password-auth to enforce account lockout after repeated failed authentication attempts.

Rationale

Without pam_faillock in the password-auth PAM configuration, logins using password-auth will not enforce account lockout, leaving the system exposed to brute-force attacks.

Check → Remediate

Checkcommand
grep -qE '^\s*auth\s+(required|sufficient)\s+pam_faillock\.so' /etc/pam.d/password-auth 2>/dev/null
expected_exit:
0
Remediatepam_module_configure
service:
password-auth
module:
pam_faillock.so
type:
auth
control:
required
args:
preauth silent

Framework references

STIG

V-281213 / RHEL-10-600610V-258096 / RHEL-09-611035V-244534

NIST 800-53

AC-7

Live verification

rhel8:checkrhel9:check
#pam#authentication#faillock#password-auth