{"description": "Utilizing <tt>pam_faillock.so</tt>, the <tt>fail_interval</tt> directive configures the system\nto lock out an account after a number of incorrect login attempts within a specified time\nperiod.\n\nEnsure that the file <tt>/etc/security/faillock.conf</tt> contains the following entry:\n<tt>fail_interval = &lt;interval-in-seconds&gt;</tt> where <tt>interval-in-seconds</tt> is <tt><sub idref=\"var_accounts_passwords_pam_faillock_fail_interval\" /></tt> or greater.", "rationale": "By limiting the number of failed logon attempts the risk of unauthorized system\naccess via user password guessing, otherwise known as brute-forcing, is reduced.\nLimits are imposed by locking the account.", "severity": "medium", "references": {"cis-csc": ["1", "12", "15", "16"], "cobit5": ["DSS05.04", "DSS05.10", "DSS06.10"], "isa-62443-2009": ["4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.2", "SR 1.5", "SR 1.7", "SR 1.8", "SR 1.9"], "iso27001-2013": ["A.18.1.4", "A.9.2.1", "A.9.2.4", "A.9.3.1", "A.9.4.2", "A.9.4.3"], "nist": ["CM-6(a)", "AC-7(a)"], "nist-csf": ["PR.AC-7"], "ospp": ["FIA_AFL.1"], "srg": ["SRG-OS-000329-GPOS-00128", "SRG-OS-000021-GPOS-00005"], "anssi": ["R31"], "ism": ["0421", "0422", "0974", "1173", "1401", "1504", "1505", "1546", "1557", "1558", "1559", "1560", "1561"], "stigid": ["UBTU-22-411045"], "stigref": ["SV-260549r958388_rule"]}, "control_references": {"anssi": ["R31"], "ism": ["0421", "0422", "0974", "1173", "1401", "1504", "1505", "1546", "1557", "1558", "1559", "1560", "1561"], "stigid": ["UBTU-22-411045"]}, "components": [], "identifiers": {}, "ocil_clause": "the \"fail_interval\" option is not set to \"<sub idref=\"var_accounts_passwords_pam_faillock_fail_interval\" />\"\nor less (but not \"0\"), the line is commented out, or the line is missing", "ocil": "To ensure the failed password attempt policy is configured correctly, 
run the following command:\n\n<pre>$ grep fail_interval /etc/security/faillock.conf</pre>\nThe output should show <tt>fail_interval = &lt;interval-in-seconds&gt;</tt> where <tt>interval-in-seconds</tt> is <tt><sub idref=\"var_accounts_passwords_pam_faillock_fail_interval\" /></tt> or greater.", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to lock out an account after a number of incorrect login attempts\nwithin 15 minutes using <tt>pam_faillock.so</tt>. First enable the feature using the following\ncommand:\n\n$ sudo authselect enable-feature with-faillock\n\nThen edit the <tt>/etc/security/faillock.conf</tt> file as follows:\n<pre>fail_interval = <sub idref=\"var_accounts_passwords_pam_faillock_fail_interval\" /></pre>", "checktext": "Verify Ubuntu 22.04 locks an account after <sub idref=\"var_accounts_passwords_pam_faillock_deny\" />\nunsuccessful logon attempts within a period of 15 minutes with the following command:\n\nNote: If the System Administrator demonstrates the use of an approved centralized account\nmanagement method that locks an account after three unsuccessful logon attempts within a\nperiod of 15 minutes, this requirement is not applicable.\n\n$ grep fail_interval /etc/security/faillock.conf\n\n<pre>fail_interval = 900</pre>", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.", "warnings": [{"general": "If the system relies on the <tt>authselect</tt> tool to manage PAM settings, the remediation\nwill also use the <tt>authselect</tt> tool. However, if any manual modification was made in\nthe PAM files, the <tt>authselect</tt> integrity check will fail and the remediation will be\naborted in order to preserve intentional changes. 
In this case, an informative message will\nbe shown in the remediation report.\nIf the system supports the <tt>/etc/security/faillock.conf</tt> file, the pam_faillock\nparameters should be defined in the <tt>faillock.conf</tt> file."}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must automatically lock an account when three unsuccessful logon attempts occur during a 15-minute time period.", "vuldiscussion": "By limiting the number of failed logon attempts the risk of unauthorized system\naccess via user password guessing, otherwise known as brute-forcing, is reduced.\nLimits are imposed by locking the account.", "checktext": "Verify Ubuntu 22.04 locks an account after three unsuccessful logon attempts within a period of 15 minutes with the following command:\n\nNote: If the System Administrator demonstrates the use of an approved centralized account management method that locks an account after three unsuccessful logon attempts within a period of 15 minutes, this requirement is not applicable.\n\n$ grep fail_interval /etc/security/faillock.conf\n\nfail_interval = 900\n\nIf the \"fail_interval\" option is not set to \"900\" or less (but not \"0\"), the line is commented out, or the line is missing, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to lock out the \"root\" account after a number of incorrect login attempts within 15 minutes using \"pam_faillock.so\", first enable the feature using the following command:\n\n$ authselect enable-feature with-faillock\n\nThen edit the \"/etc/security/faillock.conf\" file as follows:\n\nfail_interval = 900"}}, "platform": "package[pam]", "platforms": ["package[pam]"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["package_pam"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Set Interval For Counting Failed Password Attempts", "definition_location": 
"/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_interval/rule.yml", "template": {"name": "pam_account_password_faillock", "vars": {"prm_name": "fail_interval", "prm_regex_conf": "^[\\s]*fail_interval[\\s]*=[\\s]*([0-9]+)", "prm_regex_pamd": "^[\\s]*auth[\\s]+.+[\\s]+pam_faillock.so[\\s]+[^\\n]*fail_interval=([0-9]+)", "ext_variable": "var_accounts_passwords_pam_faillock_fail_interval", "description": "The number of allowed failed logins should be set correctly.", "variable_lower_bound": "use_ext_variable"}, "backends": {}}}