mediumaccess-controlverified ✓rollback-safe
Set account lockout duration
pam-faillock-unlock-time · RHEL ≥ 8 · 1 impl
Description
The unlock_time parameter in /etc/security/faillock.conf sets the number of seconds before a locked account is automatically unlocked.
Rationale
Setting an unlock time ensures accounts are not permanently locked due to failed login attempts, while still providing protection against brute-force attacks. A value of 900 seconds (15 minutes) is recommended.
Check → Remediate
Checkconfig_value
- path:
- /etc/security/faillock.conf
- key:
- unlock_time
- expected:
- {{ pam_faillock_unlock_time }}
Remediateconfig_set
- path:
- /etc/security/faillock.conf
- key:
- unlock_time
- value:
- {{ pam_faillock_unlock_time }}
- separator:
- =
Framework references
CIS
rhel8 5.3.3.1.2rhel9 5.3.3.1.2rhel10 5.3.2.1.2
STIG
V-258057 / RHEL-09-411090V-230336V-230337 / RHEL-08-020015V-281197 / RHEL-10-600425
NIST 800-53
AC-7(b)
Live verification
rhel10:checkrhel8:checkrhel9:check
#pam#authentication#account-lockout#faillock