5.4.2 Ensure authselect includes with-faillock

Information

The pam_faillock.so module maintains a list of failed authentication attempts per user during a specified interval and locks the account in case there were more than deny consecutive failed authentications. It stores the failure records into per-user files in the tally directory

Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems.

Solution

Run the following commands to include the with-faillock option to the current authselect profile:

# authselect enable-feature with-faillock
# authselect apply-changes

See Also

https://workbench.cisecurity.org/files/3796

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|16.7

Plugin: Unix

Control ID: f13a9f7da6161ae46e7e323d02e8e22d69f7ef1797110058dfe55de30e233885