← Back to Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide

V-282365

CAT II (Medium)

TOSS 5 must configure the use of the pam_faillock.so module in the /etc/pam.d/password-auth file.

Rule ID

SV-282365r1200075_rule

STIG

Tri-Lab Operating System Stack (TOSS) 5 Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000044

Discussion

If the "pam_faillock.so" module is not loaded, the system will not correctly lockout accounts to prevent password guessing attacks.

Check Content

Verify the "pam_faillock.so" module is present in the "/etc/pam.d/password-auth" file:

$ grep pam_faillock.so /etc/pam.d/password-auth

auth required pam_faillock.so preauth
auth required pam_faillock.so authfail
account required pam_faillock.so

If the "pam_faillock.so" module is not present in the "/etc/pam.d/password-auth" file with the "preauth" line listed before pam_unix.so, this is a finding.

Fix Text

Configure TOSS 5 to include the use of the "pam_faillock.so" module in the "/etc/pam.d/password-auth" file.

Add/modify the appropriate sections of the "/etc/pam.d/password-auth" file to match the following lines:

Note: The "preauth" line must be listed before pam_unix.so.

auth required pam_faillock.so preauth
auth required pam_faillock.so authfail
account required pam_faillock.so