Information
even_deny_root - Root account can become locked as well as regular accounts
root_unlock_time=n - This option implies even_deny_root option. Allow access after n seconds to root account after the account is locked. In case the option is not specified the value is the same as of the unlock_time option.
Locking out user IDs after n unsuccessful consecutive login attempts mitigates brute force password attacks against your systems.
Solution
Edit /etc/security/faillock.conf :
- Remove or update any line containing root_unlock_time - OR - set it to a value of 60 or more
- Update or add the following line:
even_deny_root
Run the following command:
# grep -Pl -- 'bpam_faillock.soh+([^#
r]+h+)?(even_deny_root|root_unlock_time)' /usr/share/pam-configs/*
Edit any returned files and remove the even_deny_root and root_unlock_time arguments from the pam_faillock.so line(s):
Impact:
Use of unlock_time=0 or root_unlock_time=0 may allow an attacker to cause denial of service to legitimate users.