Detections
Analytics
5.3.2 Ensure lockout for failed password attempts is configured - password-auth 'auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900'
Information
Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems.Solution
Edit the /etc/pam.d/password-auth and /etc/pam.d/system-auth files and add the following pam_faillock.so lines surrounding a pam_unix.so line modify the pam_unix.so is [success=1 default=bad] as listed in both:auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth [success=1 default=bad] pam_unix.so
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=900
See Also
Item Details
Audit Name: CIS Amazon Linux v2.1.0 L1
Category: ACCESS CONTROL
References: 800-53|AC-7a., CSCv6|16.7
Plugin: Unix
Control ID: cefc43f4c06bfda96d3910f14d5b89396f9f78305297f965b28750049cf02fb6