5.3.3 Ensure authselect includes with-faillock - system-auth account required

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

View Next Audit Version

Information

The pam_faillock.so module maintains a list of failed authentication attempts per user during a specified interval and locks the account in case there were more than deny consecutive failed authentications. It stores the failure records into per-user files in the tally directory

Rationale:

Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems.

Solution

Run the following command to include the with-faillock option

# authselect select <PROFILE NAME> with-faillock

Example:

# authselect select custom/custom-profile with-sudo with-faillock without-nullok

See Also

https://workbench.cisecurity.org/files/3366