Rule ID
SV-268081r1130954_rule
Version
V1R2
CCIs
CCI-000044, CCI-002238, CCI-000172
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128, SRG-OS-000470-GPOS-00214
Verify that NixOS locks an account after three unsuccessful logon attempts within 15 minutes with the following command:

$ cat /etc/pam.d/login
auth required pam_faillock.so preauth deny=3 even_deny_root fail_interval=900 unlock_time=0 dir=/var/log/faillock

If the "fail_interval" option is not set to "900" or less (but not "0") on the "preauth" lines with the "pam_faillock" module, or is missing from this line, this is a finding.
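The check above can be scripted so that an auditor does not have to read the "preauth" lines by eye. The following POSIX shell function is an added example, not part of the STIG text or of NixOS: it reads a PAM service file on standard input, finds every "auth" line that loads pam_faillock.so in preauth mode, and reports a finding when fail_interval is missing, is 0, or is greater than 900, or when no preauth line exists at all. The three sample files it is run against are constructed for the example.

```shell
#!/bin/sh
# Constructed sample contents of /etc/pam.d/login (not taken from any real host).
compliant_sample='auth required pam_faillock.so preauth silent audit deny=3 fail_interval=900 unlock_time=0
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=3 fail_interval=900 unlock_time=0
auth sufficient pam_faillock.so authsucc
account required pam_faillock.so'

# fail_interval=0 means failures are never counted within a window: a finding.
noncompliant_sample='auth required pam_faillock.so preauth silent audit deny=3 fail_interval=0 unlock_time=0
auth sufficient pam_unix.so nullok try_first_pass'

# No fail_interval at all on the preauth line: also a finding.
missing_sample='auth required pam_faillock.so preauth silent audit deny=3 unlock_time=0'

# check_fail_interval < PAMFILE
# Returns 0 when every "auth ... pam_faillock.so ... preauth" line carries
# fail_interval=N with 1 <= N <= 900 and at least one such line exists;
# returns 1 otherwise (which corresponds to a finding in the STIG check).
check_fail_interval() {
  found=0
  while IFS= read -r line; do
    case "$line" in
      \#*|'') continue ;;          # skip comments and blank lines
    esac
    # Only auth lines that load pam_faillock.so in preauth mode are in scope.
    echo "$line" | grep -Eq '^[[:space:]]*auth[[:space:]].*pam_faillock\.so.*[[:space:]]preauth([[:space:]]|$)' || continue
    found=1
    # Pull the numeric value of fail_interval; empty when the option is absent.
    value=$(echo "$line" | sed -n 's/.*[[:space:]]fail_interval=\([0-9][0-9]*\).*/\1/p')
    [ -n "$value" ] || return 1
    [ "$value" -ge 1 ] && [ "$value" -le 900 ] || return 1
  done
  [ "$found" -eq 1 ]
}

# report LABEL < PAMFILE : human-readable wrapper around the check.
report() {
  if check_fail_interval; then
    echo "$1: fail_interval on preauth line(s) is within 1..900 (not a finding)"
  else
    echo "$1: FINDING - fail_interval missing, 0, or above 900 on a preauth line"
  fi
}

printf '%s\n' "$compliant_sample"    | report "constructed compliant sample"
printf '%s\n' "$noncompliant_sample" | report "constructed fail_interval=0 sample"
printf '%s\n' "$missing_sample"      | report "constructed missing-option sample"

# On a real host, run the same check against the live service file.
if [ -r /etc/pam.d/login ]; then
  report "/etc/pam.d/login" < /etc/pam.d/login
fi
```

The function deliberately evaluates only the condition the check text names (fail_interval on preauth lines); deny, unlock_time and the authfail line are covered by other rules and are not judged here.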
Configure NixOS to lock an account when three unsuccessful logon attempts occur within 15 minutes.
Update the NixOS config, typically stored either in /etc/nixos/configuration.nix or /etc/nixos/flake.nix, to include the following lines:
security.pam.services = let pamfile = ''
    auth required pam_faillock.so preauth silent audit deny=3 fail_interval=900 unlock_time=0
    auth sufficient pam_unix.so nullok try_first_pass
    auth [default=die] pam_faillock.so authfail audit deny=3 fail_interval=900 unlock_time=0
    auth sufficient pam_faillock.so authsucc
    account required pam_faillock.so
  '';
in {
  login.text = pkgs.lib.mkDefault pamfile;
  sshd.text = pkgs.lib.mkDefault pamfile;
};
Note that the pamfile string replaces the entire PAM service file for login and sshd, so every rule those services need must be entered in this string.
Rebuild and switch to the new NixOS configuration:
$ sudo nixos-rebuild switch