RHEL-08-020020 - RHEL 8 must log user name information when unsuccessful logon attempts occur.

Information

By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.

RHEL 8 can utilize the 'pam_faillock.so' for this purpose. Note that manual changes to the listed files may be overwritten by the 'authselect' program.

From 'Pam_Faillock' man pages: Note that the default directory that 'pam_faillock' uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the 'dir' option.

In RHEL 8.2 the '/etc/security/faillock.conf' file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a 'local_users_only' option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout.

Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128

Solution

Configure the operating system to log user name information when unsuccessful logon attempts occur.

Add/Modify the appropriate sections of the '/etc/pam.d/system-auth' and '/etc/pam.d/password-auth' files to match the following lines:

auth required pam_faillock.so preauth dir=/var/log/faillock silent audit deny=3 even_deny_root fail_interval=900 unlock_time=0
auth required pam_faillock.so authfail dir=/var/log/faillock unlock_time=0
account required pam_faillock.so

The 'sssd' service must be restarted for the changes to take effect. To restart the 'sssd' service, run the following command:

$ sudo systemctl restart sssd.service

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_RHEL_8_V2R1_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-7a., CAT|II, CCI|CCI-000044, Rule-ID|SV-230342r1017154_rule, STIG-ID|RHEL-08-020020, Vuln-ID|V-230342

Plugin: Unix

Control ID: c87216311ac89471e7c2fbdbb2332af01a77bd058267c7e98e10d36040c78c8c