5.3.3.1.2 Ensure password unlock time is configured

Information

unlock_time=<n> - The access will be re-enabled after

seconds after the lock out. The value 0 has the same meaning as value never - the access will not be re-enabled without resetting the faillock entries by the faillock(8) command.

Note:

- The default directory that pam_faillock uses is usually cleared on system boot so the access will be also re-enabled after system reboot. If that is undesirable a different tally directory must be set with the dir option.
- It is usually undesirable to permanently lock out users as they can become easily a target of denial of service attack unless the usernames are random and kept secret to potential attackers.
- The maximum configurable value for unlock_time is 604800

Locking out user IDs after

n

unsuccessful consecutive login attempts mitigates brute force password attacks against your systems.

Solution

Set password unlock time to conform to site policy. unlock_time should be 0 (never), or 900 seconds or greater.

Edit /etc/security/faillock.conf and update or add the following line:

unlock_time = 900

Run the following command: remove the unlock_time argument from the pam_faillock.so module in the PAM files:

# grep -Pl -- 'bpam_faillock.soh+([^#
r]+h+)?unlock_timeb' /usr/share/pam-configs/*

Edit any returned files and remove the unlock_time=<N> argument from the pam_faillock.so line(s):

Impact:

Use of unlock_time=0 may allow an attacker to cause denial of service to legitimate users. This will also require a systems administrator with elevated privileges to unlock the account.

See Also

https://workbench.cisecurity.org/benchmarks/18960