UBTU-16-010291 - Accounts on the Ubuntu operating system that are subject to three unsuccessful logon attempts within 15 minutes must be locked for the maximum configurable period - unlock_time

Information

By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.

Solution

Configure the Ubuntu operating system to automatically lock an account for the maximum configurable period when three unsuccessful logon attempts are made by appending the following lines to the '/etc/pam.d/password-auth' or '/etc/pam.d/system-auth' file:

auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900
auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900
account required pam_faillock.so
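As an added example (not part of the STIG or of the Tenable audit text), the following POSIX shell script checks a pam.d file for the three pam_faillock lines above with exactly the option values given (deny=3, fail_interval=900, unlock_time=900, even_deny_root) and reports what is missing. The function names, the temporary directory and the two sample files it writes are constructed for this example; on a real host you would point `check_faillock_config` at the pam.d file you actually edited.

```shell
#!/bin/sh
# Added example: verify the pam_faillock configuration required by UBTU-16-010291.
# Function names and sample files are constructed for the example, not from the STIG.

# check_faillock_config FILE
# Returns 0 when FILE contains an "auth ... pam_faillock.so preauth ..." line,
# an "auth ... pam_faillock.so authfail ..." line, each carrying deny=3,
# fail_interval=900, unlock_time=900 and even_deny_root, plus an
# "account ... pam_faillock.so" line. Otherwise prints each finding and returns 1.
check_faillock_config() {
    file=$1
    have_preauth=0; have_authfail=0; have_account=0; rc=0
    # Disable pathname expansion while splitting PAM lines such as "[default=die]",
    # remembering the caller's setting so it can be restored afterwards.
    case $- in *f*) had_f=1 ;; *) had_f=0 ;; esac
    set -f
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line
        [ $# -ge 3 ] || continue          # comments, blanks and short lines
        type=$1
        case "$type" in auth|account) ;; *) continue ;; esac
        # Walk past the control field to the module name.
        mod=""
        while [ $# -gt 0 ]; do
            case "$1" in
                *pam_faillock.so) mod=$1; shift; break ;;
                *.so) break ;;            # some other module: not our line
            esac
            shift
        done
        [ -n "$mod" ] || continue
        if [ "$type" = account ]; then
            have_account=1
            continue
        fi
        # Remaining words are module arguments; identify preauth vs authfail.
        mode=""
        for word in "$@"; do
            case "$word" in preauth|authfail) mode=$word ;; esac
        done
        [ -n "$mode" ] || continue
        case "$mode" in preauth) have_preauth=1 ;; authfail) have_authfail=1 ;; esac
        # Every required option must appear verbatim on the line.
        missing=""
        for opt in deny=3 fail_interval=900 unlock_time=900 even_deny_root; do
            found=0
            for word in "$@"; do [ "$word" = "$opt" ] && found=1; done
            [ $found -eq 1 ] || missing="$missing $opt"
        done
        if [ -n "$missing" ]; then
            echo "$file: pam_faillock $mode line is missing:$missing"
            rc=1
        fi
    done < "$file"
    [ $had_f -eq 1 ] || set +f
    [ $have_preauth -eq 1 ]  || { echo "$file: no auth pam_faillock.so preauth line"; rc=1; }
    [ $have_authfail -eq 1 ] || { echo "$file: no auth pam_faillock.so authfail line"; rc=1; }
    [ $have_account -eq 1 ]  || { echo "$file: no account pam_faillock.so line"; rc=1; }
    return $rc
}

# write_samples: create two constructed pam.d-style files in a temp dir and
# print the directory path (constructed test data, not real system files).
write_samples() {
    dir=$(mktemp -d)
    cat > "$dir/compliant" <<'EOF'
# constructed sample: the three lines the STIG solution asks for
auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=900
auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=900
account required pam_faillock.so
EOF
    cat > "$dir/weak" <<'EOF'
# constructed sample: deny too high, unlock_time too short, account line absent
auth required pam_faillock.so preauth silent audit deny=5 even_deny_root fail_interval=900 unlock_time=60
auth [default=die] pam_faillock.so authfail audit deny=5 even_deny_root fail_interval=900 unlock_time=60
EOF
    echo "$dir"
}

# Stand-alone usage:  sh faillock_check.sh --self-test
# or, on a host:      . ./faillock_check.sh; check_faillock_config /etc/pam.d/password-auth
if [ "${1:-}" = "--self-test" ]; then
    d=$(write_samples)
    check_faillock_config "$d/compliant" && echo "compliant sample: OK"
    check_faillock_config "$d/weak" || echo "weak sample: findings listed above (expected)"
    rm -rf "$d"
fi
```

The checker matches option values verbatim rather than comparing numerically, so a line with `unlock_time=1800` is reported as non-matching even though it locks for longer; if your site standard allows stronger values, relax the comparison deliberately rather than silently accepting anything. It also ignores commented-out lines, which is the usual way a "fixed" host turns out still to be non-compliant.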

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_CAN_Ubuntu_16-04_LTS_V2R3_STIG.zip

Item Details

Category: ACCESS CONTROL

References: 800-53|AC-7b., CAT|II, CCI|CCI-002238, Rule-ID|SV-214968r610931_rule, STIG-ID|UBTU-16-010291, STIG-Legacy|SV-101001, STIG-Legacy|V-90351, Vuln-ID|V-214968

Plugin: Unix

Control ID: c98433bfbc030e4e7665577598327252092d0c616eea7e9dff2abcf86f1639c9