Title

RHEL 8 must ensure account lockouts persist. (Cat II impact)

Discussion

By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. In RHEL 8.2 the "/etc/security/faillock.conf" file was incorporated to centralize the configuration of the pam_faillock.so module. Also introduced is a "local_users_only" option that will only track failed user authentication attempts for local users in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users to allow the centralized platform to solely manage user lockout. From "faillock.conf" man pages: Note that the default directory that "pam_faillock" uses is usually cleared on system boot so the access will be reenabled after system reboot. If that is undesirable a different tally directory must be set with the "dir" option. Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128

Check Content

Note: This check applies to RHEL versions 8.2 or newer. If the system is RHEL version 8.0 or 8.1, this check is not applicable. Verify the "/etc/security/faillock.conf" file is configured use a non-default faillock directory to ensure contents persist after reboot: $ sudo grep 'dir =' /etc/security/faillock.conf dir = /var/log/faillock If the "dir" option is not set to a non-default documented tally log directory, is missing or commented out, this is a finding.

Fix Text

Configure the operating system maintain the contents of the faillock directory after a reboot. Add/Modify the "/etc/security/faillock.conf" file to match the following line: dir = /var/log/faillock

Additional Identifiers

Rule ID: SV-230339r743975_rule

Vulnerability ID: V-230339

Group Title: SRG-OS-000021-GPOS-00005

Expert Comments

CCIs tied to check.

Controls tied to check. These are derived from the CCIs shown above.