Title

NixOS must enforce the limit of three consecutive invalid login attempts by a user during a 15-minute time period. (Cat II impact)

Discussion

By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128, SRG-OS-000470-GPOS-00214

Check Content

Verify that NixOS locks an account after three unsuccessful login attempts within 15 minutes with the following commands: $ cat /etc/pam.d/login auth required pam_faillock.so preauth deny=3 even_deny_root fail_interval=900 unlock_time=0 dir=/var/log/faillock If the "fail_interval" option is not set to "900" or less (but not "0") on the "preauth" lines with the "pam_faillock" module, or is missing from this line, this is a finding.

Fix Text

Configure NixOS to lock an account when three unsuccessful login attempts occur within 15 minutes. Modify /etc/nixos/configuration.nix to include the following lines: security.pam.services = let pamfile = '' auth required pam_faillock.so preauth silent audit deny=3 fail_interval=900 unlock_time=0 auth sufficient pam_unix.so nullok try_first_pass auth [default=die] pam_faillock.so authfail audit deny=3 fail_interval=900 unlock_time=0 auth sufficient pam_faillock.so authsucc account required pam_faillock.so ''; in { login.text = pkgs.lib.mkDefault pamfile; sshd.text = pkgs.lib.mkDefault pamfile; }; Note that the entire pam file must be entered as this pamfile string. Rebuild the NixOS configuration with the following command: $ sudo nixos-rebuild switch

Additional Identifiers

Rule ID: SV-268081r1039549_rule

Vulnerability ID: V-268081

Group Title: SRG-OS-000021-GPOS-00005

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.