4.4.3.1.1 Ensure password failed attempts lockout is configured

Information

The deny=<n> option will deny access if the number of consecutive authentication failures for this user during the recent interval exceeds

.

Locking out user IDs after

n

unsuccessful consecutive login attempts mitigates brute force password attacks against your systems.

Solution

Create or edit the following line in /etc/security/faillock.conf setting the deny option to 5 or less:

deny = 5

Run the following script to remove the deny argument from the pam_faillock.so module in the PAM files:

#!/usr/bin/env bash
{
for l_pam_file in system-auth password-auth; do
l_authselect_file="/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$l_pam_file"
sed -ri 's/(^s*auths+(requisite|required|sufficient)s+pam_faillock.so.*)(s+denys*=s*S+)(.*$)/14/' "$l_authselect_file"
done
authselect apply-changes
}

See Also

https://workbench.cisecurity.org/benchmarks/15289