mediumaccess-controlverified ✓rollback-safe
Configure faillock to suppress failure messages after lockout
pam-faillock-silent · RHEL ≥ 8 · 2 impls
Description
RHEL 8 must prevent system messages from being presented when three unsuccessful logon attempts occur. The pam_faillock module must have the silent option configured or the audit option must be set to ensure system messages are not displayed to the user after the account is locked.
Rationale
Displaying detailed error messages when an account is locked could allow an attacker to determine valid account names and lockout policies. Suppressing these messages reduces the information available to an attacker.
Check → Remediate
Checkcommand
grep -q 'silent\|audit' \ /etc/pam.d/password-auth /etc/pam.d/system-auth 2>/dev/null || grep -q '^\s*silent\s*$\|^\s*audit\s*$' \ /etc/security/faillock.conf 2>/dev/null
- expected_exit:
- 0
Remediateconfig_append
- path:
- /etc/security/faillock.conf
- line:
- silent
Framework references
STIG
V-230340V-230341 / RHEL-08-020019
NIST 800-53
AC-7CM-6
Live verification
rhel8:check
#pam#faillock#authentication#lockout#stig