← Rules Catalog
mediumaccess-controlverified rollback-safe

Configure faillock to suppress failure messages after lockout

pam-faillock-silent · RHEL ≥ 8 · 2 impls

Description

RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. The pam_faillock module must have the silent option configured or the audit option must be set to ensure system messages are not displayed to the user after the account is locked.

Rationale

Displaying detailed error messages when an account is locked could allow an attacker to determine valid account names and lockout policies. Suppressing these messages reduces the information available to an attacker.

Check → Remediate

Checkcommand
grep -q 'silent\|audit' \
  /etc/pam.d/password-auth /etc/pam.d/system-auth 2>/dev/null ||
grep -q '^\s*silent\s*$\|^\s*audit\s*$' \
  /etc/security/faillock.conf 2>/dev/null
expected_exit:
0
Remediateconfig_append
path:
/etc/security/faillock.conf
line:
silent

Framework references

STIG

V-230340V-230341 / RHEL-08-020019

NIST 800-53

AC-7CM-6

Live verification

rhel8:check
#pam#faillock#authentication#lockout#stig