5.3.3.1.3 Ensure password failed attempts lockout includes root account

Information

even_deny_root - Root account can become locked as well as regular accounts

root_unlock_time=n - This option implies even_deny_root option. Allow access after n seconds to root account after the account is locked. In case the option is not specified the value is the same as of the unlock_time option.

Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems.

Solution

Edit /etc/security/faillock.conf :

- Remove or update any line containing root_unlock_time - OR - set it to a value of 60 or more
- Update or add the following line:

even_deny_root

Run the following script to remove the even_deny_root and root_unlock_time arguments from the pam_faillock.so module in the PAM files:

#!/usr/bin/env bash
{
for l_pam_file in system-auth password-auth; do
l_authselect_file="/etc/authselect/$(head -1 /etc/authselect/authselect.conf | grep 'custom/')/$l_pam_file"
sed -ri 's/(^s*auths+(.*)s+pam_faillock.so.*)(s+even_deny_root)(.*$)/14/' "$l_authselect_file"
sed -ri 's/(^s*auths+(.*)s+pam_faillock.so.*)(s+root_unlock_times*=s*S+)(.*$)/14/' "$l_authselect_file"
done
authselect apply-changes
}
``

Impact:

Use of unlock_time=0 or root_unlock_time=0 may allow an attacker to cause denial of service to legitimate users.

See Also

https://workbench.cisecurity.org/benchmarks/18210