OL08-00-020017 - OL 8 systems, versions 8.2 and above, must ensure account lockouts persist.

Information

By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.

In OL 8.2, the '/etc/security/faillock.conf' file was incorporated to centralize the configuration of the 'pam_faillock.so' module. Also introduced is a 'local_users_only' option that will only track failed user authentication attempts for local users in '/etc/passwd' and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.

From 'faillock.conf' man pages: Note that the default directory that 'pam_faillock' uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable, a different tally directory must be set with the 'dir' option.

Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128

Solution

Configure OL 8 to maintain the contents of the faillock directory after a reboot.

Add/modify the '/etc/security/faillock.conf' file to match the following line:

dir = /var/log/faillock

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_Oracle_Linux_8_V2R2_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-7a., 800-53|AC-7b., CAT|II, CCI|CCI-000044, CCI|CCI-002238, Rule-ID|SV-248659r958388_rule, STIG-ID|OL08-00-020017, Vuln-ID|V-248659

Plugin: Unix

Control ID: c028eb928125f704277379f801c31bd12f86a5e6e86faf9db8bd8224802484a5