{"description": "The pam_faillock.so module must be loaded in preauth in /etc/pam.d/system-auth.", "rationale": "If the pam_faillock.so module is not loaded the system will not correctly lock out accounts to prevent\npassword guessing attacks.", "severity": "medium", "references": {"nist": ["AC-7 (a)"], "srg": ["SRG-OS-000021-GPOS-00005"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the pam_faillock.so module is not present in the \"/etc/pam.d/system-auth\" file with the \"preauth\" line listed before pam_unix.so", "ocil": "Verify the pam_faillock.so module is present in the \"/etc/pam.d/system-auth\" file:\n\n$ sudo grep pam_faillock.so /etc/pam.d/system-auth\n\nauth required pam_faillock.so preauth\nauth required pam_faillock.so authfail\naccount required pam_faillock.so", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to include the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.\n\nAdd/Modify the appropriate sections of the \"/etc/pam.d/system-auth\" file to match the following lines:\nNote: The \"preauth\" line must be listed before pam_unix.so.\n\nauth required pam_faillock.so preauth\nauth required pam_faillock.so authfail\naccount required pam_faillock.so", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must configure the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.", "vuldiscussion": "If the pam_faillock.so module is not loaded, the system will not correctly lock out accounts to prevent password guessing attacks.", "checktext": "Verify the pam_faillock.so module is present in the \"/etc/pam.d/system-auth\" file:\n\n$ grep pam_faillock.so /etc/pam.d/system-auth\n\nauth required pam_faillock.so preauth\nauth required pam_faillock.so authfail\naccount required pam_faillock.so\n\nIf the pam_faillock.so module is not present in the \"/etc/pam.d/system-auth\" file with the \"preauth\" line listed before pam_unix.so, this is a finding.\n\nIf the system administrator (SA) can demonstrate that the required configuration is contained in a PAM configuration file included or substacked from the system-auth file, this is not a finding.", "fixtext": "Configure Ubuntu 22.04 to include the use of the pam_faillock.so module in the /etc/pam.d/system-auth file.\n\nIf PAM is managed with authselect, enable the feature with the following command:\n\n$ sudo authselect enable-feature with-faillock\n\nOtherwise, add/modify the appropriate sections of the \"/etc/pam.d/system-auth\" file to match the following lines:\nNote: The \"preauth\" line must be listed before pam_unix.so.\n\nauth required pam_faillock.so preauth\nauth required pam_faillock.so authfail\naccount required pam_faillock.so"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Configure the Use of the pam_faillock.so Module in the /etc/pam.d/system-auth File.", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_password_pam_faillock_system_auth/rule.yml", "template": null}