mediumaccess-controlverified ✓rollback-safe
Configure pam_faillock.so in /etc/pam.d/system-auth
pam-faillock-system-auth · RHEL ≥ 8 · 2 impls
Description
The pam_faillock.so module must be configured in /etc/pam.d/system-auth to enforce account lockout after repeated failed authentication attempts.
Rationale
Without pam_faillock in the system-auth PAM configuration, interactive logins that use system-auth will not be subject to account lockout on failed attempts, leaving the system vulnerable to brute-force attacks.
Check → Remediate
Checkcommand
grep -qE '^\s*auth\s+(required|sufficient)\s+pam_faillock\.so' /etc/pam.d/system-auth 2>/dev/null
- expected_exit:
- 0
Remediatepam_module_configure
- service:
- system-auth
- module:
- pam_faillock.so
- type:
- auth
- control:
- required
- args:
- preauth silent
Framework references
STIG
V-281212 / RHEL-10-600600V-258095 / RHEL-09-611030V-244533
NIST 800-53
AC-7
Live verification
rhel8:checkrhel9:check
#pam#authentication#faillock#system-auth