{"description": "The pam_faillock module's <tt>local_users_only</tt> option limits failed-authentication\ntracking and account lockout to local user accounts, that is, accounts present in\n<tt>/etc/passwd</tt>. Authentication failures of centrally managed users (for example\nLDAP, Active Directory or IdM accounts) are ignored by pam_faillock, so lockout for those\nusers is left to the central directory's own policy.", "rationale": "The operating system must provide automated mechanisms for supporting account management\nfunctions. Enterprise environments make application account management challenging and\ncomplex. A manual process for account management functions adds the risk of a potential\noversight or other error. Locking centrally managed accounts out locally, on top of the lockout\npolicy the directory already enforces, may cause an unintentional denial of service.", "severity": "medium", "references": {"nist": ["AC-2(1)"], "srg": ["SRG-OS-000001-GPOS-00001"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "local_users_only is not present as an uncommented line in /etc/security/faillock.conf", "ocil": "To check whether only local users are subject to pam_faillock lockouts, run the following command:\n<pre>$ grep -E '^[[:space:]]*local_users_only' /etc/security/faillock.conf</pre>\nThe output should contain an uncommented <tt>local_users_only</tt> line. Note that an unanchored\n<tt>grep local_users_only</tt> also matches a commented-out <tt># local_users_only</tt> line,\nwhich does not enable the setting.", "oval_external_content": null, "fixtext": "To enable the <tt>local_users_only</tt> setting in <tt>/etc/security/faillock.conf</tt>,\nfirst make sure pam_faillock.so is enabled in the PAM stack. On systems managed by\nauthselect, run:\n<pre>$ sudo authselect enable-feature with-faillock</pre>\n\nThen edit the <tt>/etc/security/faillock.conf</tt> file and add or uncomment the following line:\n<pre>local_users_only</pre>\n\nTo also suppress the informative messages pam_faillock prints to users, add or uncomment the\nfollowing line (it is not required by this rule's check):\n<pre>silent</pre>", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [{"general": "If the system relies on the <tt>authselect</tt> tool to manage PAM settings, the remediation\nwill also use the <tt>authselect</tt> tool. However, if any manual modification was made in\nPAM files, the <tt>authselect</tt> integrity check will fail and the remediation will be\naborted in order to preserve intentional changes. In this case, an informative message will\nbe shown in the remediation report.\nIf the system supports the <tt>/etc/security/faillock.conf</tt> file, the pam_faillock\nparameters should be defined in the <tt>faillock.conf</tt> file."}, {"management": "Enabling this rule exempts all non-local (centrally managed) accounts from pam_faillock\nlockouts, so their protection against password guessing then depends entirely on the lockout\npolicy of the central directory. Use it only where centralized account management such as\nLDAP or Active Directory is in use and enforces its own lockout policy."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "package[pam]", "platforms": ["package[pam]"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["package_pam"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Enforce pam_faillock for Local Accounts Only", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_enforce_local/rule.yml", "template": null}
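As an added example (not part of the SSG rule text or of the pam project), the following POSIX shell script implements the check described in the OCIL and the faillock.conf step of the fix text in a form that can be run against any file: it treats only a line-anchored, uncommented `local_users_only` as enabled, uncomments an existing `# local_users_only` line or appends one, and is idempotent. The function names, the temporary-file handling and the constructed sample file are this example's own assumptions; it deliberately does not run `authselect`, which on a real host must be done first so that pam_faillock is actually in the PAM stack.

```shell
#!/bin/sh
# Added example; not part of the SSG rule or the pam project. It checks and
# remediates the local_users_only setting in a faillock.conf-style file.
# The file path is a parameter so the functions can be exercised on a
# constructed copy; on a real host pass /etc/security/faillock.conf and run
# `authselect enable-feature with-faillock` first so pam_faillock is loaded.

# Return 0 if FILE contains an active (uncommented) local_users_only line.
# The pattern is anchored because a bare `grep local_users_only` also
# matches a commented-out "# local_users_only" line, which enables nothing.
faillock_local_only_enabled() {
    grep -Eq '^[[:space:]]*local_users_only[[:space:]]*$' "$1"
}

# Enable the setting in FILE: uncomment an existing "# local_users_only" line
# if there is one, otherwise append the line. Idempotent; returns 0 when the
# setting is active afterwards.
faillock_enable_local_only() {
    f="$1"
    if faillock_local_only_enabled "$f"; then
        return 0
    fi
    if grep -Eq '^[[:space:]]*#[[:space:]]*local_users_only[[:space:]]*$' "$f"; then
        # Strip the comment marker; write via a temp file to stay portable
        # across sed implementations that differ on `sed -i`.
        sed -E 's/^[[:space:]]*#[[:space:]]*(local_users_only)[[:space:]]*$/\1/' "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    else
        printf '%s\n' 'local_users_only' >> "$f"
    fi
    faillock_local_only_enabled "$f"
}

# Demonstration on a constructed sample (not a real host file): options are
# listed commented out, so local_users_only is inactive until the comment
# marker is removed.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# deny = 3
# unlock_time = 600
# local_users_only
EOF
if faillock_local_only_enabled "$sample"; then
    echo "before: local_users_only active"
else
    echo "before: local_users_only inactive (commented out)"
fi
faillock_enable_local_only "$sample" && echo "after:  local_users_only active"
cat "$sample"
rm -f "$sample"
```

To use it on a host, source the script (or copy the two functions), run `authselect enable-feature with-faillock` where authselect manages PAM, then call `faillock_enable_local_only /etc/security/faillock.conf` as root. `faillock_local_only_enabled` alone is the non-modifying audit check and is safe to run from a compliance scan.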