← Rules Catalog
mediumaccess-controlverified rollback-safe

Configure pam_faillock.so in /etc/pam.d/system-auth

pam-faillock-system-auth · RHEL ≥ 8 · 2 impls

Description

The pam_faillock.so module must be configured in /etc/pam.d/system-auth to enforce account lockout after repeated failed authentication attempts.

Rationale

Without pam_faillock in the system-auth PAM configuration, interactive logins that use system-auth will not be subject to account lockout on failed attempts, leaving the system vulnerable to brute-force attacks.

Check → Remediate

Checkcommand
grep -qE '^\s*auth\s+(required|sufficient)\s+pam_faillock\.so' /etc/pam.d/system-auth 2>/dev/null
expected_exit:
0
Remediatepam_module_configure
service:
system-auth
module:
pam_faillock.so
type:
auth
control:
required
args:
preauth silent

Framework references

STIG

V-281212 / RHEL-10-600600V-258095 / RHEL-09-611030V-244533

NIST 800-53

AC-7

Live verification

rhel8:checkrhel9:check
#pam#authentication#faillock#system-auth