{"description": "This rule ensures the system prevents informative messages from being presented to the user\npertaining to logon information after a number of incorrect login attempts using\n<tt>pam_faillock.so</tt>.\n\nThe pam_faillock.so module requires multiple entries in PAM files. These entries must be carefully\ndefined to work as expected. In order to avoid errors when manually editing these files, it is\nrecommended to use the appropriate tools, such as <tt>authselect</tt> or <tt>authconfig</tt>,\ndepending on the OS version.", "rationale": "The pam_faillock module without the silent option will leak information about the existence or\nnon-existence of a user account in the system because failures are not recorded for unknown\nusers. The message about the user account being locked is never displayed for non-existing user\naccounts, allowing the adversary to infer whether a particular account exists on the system.", "severity": "medium", "references": {"srg": ["SRG-OS-000329-GPOS-00128", "SRG-OS-000021-GPOS-00005"], "stigid": ["UBTU-22-411045"], "stigref": ["SV-260549r958388_rule"]}, "control_references": {"stigid": ["UBTU-22-411045"]}, "components": [], "identifiers": {}, "ocil_clause": "the system shows messages when three unsuccessful logon attempts occur", "ocil": "To ensure that the system prevents messages from being shown when three unsuccessful logon\nattempts occur, run the following command:\n<pre>$ grep silent /etc/security/faillock.conf</pre>\nThe output should show <tt>silent</tt>.", "oval_external_content": null, "fixtext": "To configure the system to prevent messages from being shown when three unsuccessful logon\nattempts occur using <tt>pam_faillock.so</tt>, first enable the faillock feature using the\nfollowing command:\n<pre>$ sudo authselect enable-feature with-faillock</pre>\nThen edit the <tt>/etc/security/faillock.conf</tt> file and add or uncomment the following line:\n<pre>silent</pre>", "checktext": "", "vuldiscussion": "", 
"srg_requirement": "Ubuntu 22.04 must not show any messages when unsuccessful logon attempts occur.", "warnings": [{"general": "If the system relies on the <tt>authselect</tt> tool to manage PAM settings, the remediation\nwill also use the <tt>authselect</tt> tool. However, if any manual modification was made in\nPAM files, the <tt>authselect</tt> integrity check will fail and the remediation will be\naborted in order to preserve intentional changes. In this case, an informative message will\nbe shown in the remediation report.\nIf the system supports the <tt>/etc/security/faillock.conf</tt> file, the pam_faillock\nparameters should be defined in the <tt>faillock.conf</tt> file."}], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": "package[pam]", "platforms": ["package[pam]"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["package_pam"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Do Not Show System Messages When Unsuccessful Logon Attempts Occur", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_silent/rule.yml", "template": null}