4.4.2.2 Ensure pam_faillock module is enabled

Information

The pam_faillock.so module maintains a list of failed authentication attempts per user during a specified interval and locks the account in case there were more than the configured number of consecutive failed authentications (this is defined by the deny parameter in the faillock configuration). It stores the failure records into per-user files in the tally directory.

Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems.

Solution

Run the following script to verify the pam_faillock.so lines exist in the profile templates:

#!/usr/bin/env bash

{
l_module_name="faillock"
l_pam_profile="$(head -1 /etc/authselect/authselect.conf)"
if grep -Pq -- '^custom/' <<< "$l_pam_profile"; then
l_pam_profile_path="/etc/authselect/$l_pam_profile"
else
l_pam_profile_path="/usr/share/authselect/default/$l_pam_profile"
fi
grep -P -- "bpam_$l_module_name.sob" "$l_pam_profile_path"/{password,system}-auth
}

Example Output with a custom profile named "custom-profile":

/etc/authselect/custom/custom-profile/password-auth:auth required pam_faillock.so preauth silent {include if "with-faillock"}
/etc/authselect/custom/custom-profile/password-auth:auth required pam_faillock.so authfail {include if "with-faillock"}
/etc/authselect/custom/custom-profile/password-auth:account required pam_faillock.so {include if "with-faillock"}

/etc/authselect/custom/custom-profile/system-auth:auth required pam_faillock.so preauth silent {include if "with-faillock"}
/etc/authselect/custom/custom-profile/system-auth:auth required pam_faillock.so authfail {include if "with-faillock"}
/etc/authselect/custom/custom-profile/system-auth:account required pam_faillock.so {include if "with-faillock"}

Note: The lines may not include {include if "with-faillock"}

- IF - the lines shown above are not returned, refer to the Recommendation "Ensure active authselect profile includes pam modules" to update the authselect profile template files to include the pam_faillock entries before continuing this remediation.

- IF - the lines include {include if "with-faillock"} run the following command to enable the authselect with-faillock feature and update the files in /etc/pam.d to include pam_faillock.so :

# authselect enable-feature with-faillock

- IF - any of the pam_faillock lines exist without {include if "with-faillock"} run the following command to update the files in /etc/pam.d to include pam_faillock.so :

# authselect apply-changes

See Also

https://workbench.cisecurity.org/benchmarks/15287

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|16.7

Plugin: Unix

Control ID: 33af83292270480effbda07f340fa9ebad2805dcaa53d4339bc49b580024bad3