5.3.2 Ensure lockout for failed password attempts is configured

Information

Lock out users after

n

unsuccessful consecutive login attempts.

These settings are commonly configured with the pam_faillock.so module. Some environments may continue using the pam_tally2.so module, where this older method may simplify automation in mixed environments.

Set the lockout number in deny= to the policy in effect at your site.

unlock_time=_n_ is the number of seconds the account remains locked after the number of attempts configured in deny=_n_ has been met.

Notes:

-

Additional module options may be set, recommendation only covers those listed here.

-

If you want to require the administrator to unlock accounts, leave off the unlock_time option

-

The default location for attempted accesses is recorded in /var/log/tallylog

-

Use of the "audit" keyword may log credentials in the case of user error during authentication. This risk should be evaluated in the context of the site policies of your organization.

-

You may also lock out root, this should be considered carefully due to the ability to have this setting lock all access to the system

-

As an option on the same line:

auth required pam_tally2.so deny=5 even_deny_root unlock_time=900
-

To define a different lockout time for root:

auth required pam_tally2.so deny=5 root_unlock_time=120 unlock_time=900

-

If a user has been locked out because they have reached the maximum consecutive failure count defined by deny= in the pam_tally2.so module, the user can be unlocked by issuing following command. This command sets the failed count to 0, effectively unlocking the user.

# pam_tally2 -u <username> --reset

Locking out user IDs after

n

unsuccessful consecutive login attempts mitigates brute force password attacks against your systems.

Solution

Modify the deny= and unlock_time= parameters to conform to local site policy, Not to be greater than deny=5 :

Edit the file /etc/pam.d/login and add the following line:

auth required pam_tally2.so deny=5 onerr=fail unlock_time=900

Note: The ordering on the lines is important. The additional line needs to below the line auth required pam_env.so and above all password validation lines.

Example:

auth required pam_env.so
auth required pam_tally2.so deny=5 onerr=fail unlock_time=900
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_deny.so

Edit the /etc/pam.d/common-account file and add the following pam_tally2.so line:

account required pam_tally2.so

See Also

https://workbench.cisecurity.org/benchmarks/8498

Item Details

Category: CONFIGURATION MANAGEMENT, SYSTEM AND SERVICES ACQUISITION

References: 800-53|CM-2, 800-53|CM-6, 800-53|CM-7, 800-53|CM-7(1), 800-53|CM-9, 800-53|SA-3, 800-53|SA-8, 800-53|SA-10, CSCv7|16.7

Plugin: Unix

Control ID: 38ce4b16a10dc79696ebaf5daf262ce76150ee12fae1ed98748b8426feb0da68