← Rules Catalog
mediumaccess-controlverified rollback-safe

Set account lockout duration

pam-faillock-unlock-time · RHEL ≥ 8 · 1 impl

Description

The unlock_time parameter in /etc/security/faillock.conf sets the number of seconds before a locked account is automatically unlocked.

Rationale

Setting an unlock time ensures accounts are not permanently locked due to failed login attempts, while still providing protection against brute-force attacks. A value of 900 seconds (15 minutes) is recommended.

Check → Remediate

Checkconfig_value
path:
/etc/security/faillock.conf
key:
unlock_time
expected:
{{ pam_faillock_unlock_time }}
Remediateconfig_set
path:
/etc/security/faillock.conf
key:
unlock_time
value:
{{ pam_faillock_unlock_time }}
separator:
=

Framework references

CIS

rhel8 5.3.3.1.2rhel9 5.3.3.1.2rhel10 5.3.2.1.2

STIG

V-258057 / RHEL-09-411090V-230336V-230337 / RHEL-08-020015V-281197 / RHEL-10-600425

NIST 800-53

AC-7(b)

Live verification

rhel10:checkrhel8:checkrhel9:check
#pam#authentication#account-lockout#faillock