{"description": "This rule configures the system to lock out accounts during a specified time period after a\nnumber of incorrect login attempts using pam_faillock.so.\n\nEnsure that the file /etc/security/faillock.conf contains the following entry:\nunlock_time=<interval-in-seconds> where\ninterval-in-seconds is or greater.\n\npam_faillock.so module requires multiple entries in pam files. These entries must be carefully\ndefined to work as expected. In order to avoid any errors when manually editing these files,\nit is recommended to use the appropriate tools, such as authselect or authconfig,\ndepending on the OS version.\n\nIf unlock_time is set to 0, manual intervention by an administrator is required\nto unlock a user. This should be done using the faillock tool.", "rationale": "By limiting the number of failed logon attempts the risk of unauthorized system\naccess via user password guessing, otherwise known as brute-forcing, is reduced.\nLimits are imposed by locking the account.", "severity": "medium", "references": {"cis-csc": ["1", "12", "15", "16"], "cjis": ["5.5.3"], "cobit5": ["DSS05.04", "DSS05.10", "DSS06.10"], "cui": ["3.1.8"], "isa-62443-2009": ["4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.2", "SR 1.5", "SR 1.7", "SR 1.8", "SR 1.9"], "iso27001-2013": ["A.18.1.4", "A.9.2.1", "A.9.2.4", "A.9.3.1", "A.9.4.2", "A.9.4.3"], "nist": ["CM-6(a)", "AC-7(b)"], "nist-csf": ["PR.AC-7"], "ospp": ["FIA_AFL.1"], "pcidss": ["Req-8.1.7"], "srg": ["SRG-OS-000329-GPOS-00128", "SRG-OS-000021-GPOS-00005"], "anssi": ["R31"], "cis": ["5.3.3.1.2"], "ism": ["0421", "0422", "0974", "1173", "1401", "1504", "1505", "1546", "1557", "1558", "1559", "1560", "1561"], "pcidss4": ["8.3.4", "8.3"], "stigid": ["UBTU-22-411045"], "stigref": ["SV-260549r958388_rule"]}, "control_references": {"anssi": ["R31"], "cis": ["5.3.3.1.2"], "ism": ["0421", "0422", "0974", "1173", "1401", "1504", "1505", "1546", "1557", "1558", "1559", "1560", "1561"], "pcidss4": ["8.3.4", "8.3"], "stigid": ["UBTU-22-411045"]}, "components": [], "identifiers": {}, "ocil_clause": "the \"unlock_time\" option is not set to \"\",\nthe line is missing, or commented out", "ocil": "Verify Ubuntu 22.04 is configured to lock an account until released by an administrator\nafter unsuccessful logon\nattempts with the command:\n\n
$ grep 'unlock_time =' /etc/security/faillock.conf
\nunlock_time = ", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to lock an account until released by an administrator after\n unsuccessful logon attempts with the command:\n\n$ sudo authselect enable-feature with-faillock\n\nThen edit the /etc/security/faillock.conf file as follows:\n
unlock_time =
", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must maintain an account lock until the locked account is released by an administrator.", "warnings": [{"general": "If the system supports the new /etc/security/faillock.conf file but the\npam_faillock.so parameters are defined directly in /etc/pam.d/system-auth and\n/etc/pam.d/password-auth, the remediation will migrate the unlock_time parameter\nto /etc/security/faillock.conf to ensure compatibility with authselect tool.\nThe parameters deny and fail_interval, if used, also have to be migrated\nby their respective remediation."}, {"general": "If the system relies on authselect tool to manage PAM settings, the remediation\nwill also use authselect tool. However, if any manual modification was made in\nPAM files, the authselect integrity check will fail and the remediation will be\naborted in order to preserve intentional changes. In this case, an informative message will\nbe shown in the remediation report.\nIf the system supports the /etc/security/faillock.conf file, the pam_faillock\nparameters should be defined in faillock.conf file."}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must maintain an account lock until the locked account is released by an administrator.", "vuldiscussion": "By limiting the number of failed logon attempts the risk of unauthorized system\naccess via user password guessing, otherwise known as brute-forcing, is reduced.\nLimits are imposed by locking the account.", "checktext": "Verify Ubuntu 22.04 is configured to lock an account until released by an administrator after three unsuccessful logon attempts with the command:\n\n$ grep 'unlock_time =' /etc/security/faillock.conf\n\nunlock_time = 0\n\nIf the \"unlock_time\" option is not set to \"0\", the line is missing, or commented out, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to lock an account until released by an administrator after three unsuccessful logon attempts with the command:\n\n$ authselect enable-feature with-faillock\n\nThen edit the \"/etc/security/faillock.conf\" file as follows:\n\nunlock_time = 0"}}, "platform": "package[pam]", "platforms": ["package[pam]"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["package_pam"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Set Lockout Time for Failed Password Attempts", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_unlock_time/rule.yml", "template": {"name": "pam_account_password_faillock", "vars": {"prm_name": "unlock_time", "prm_regex_conf": "^[\\s]*unlock_time[\\s]*=[\\s]*([0-9]+)", "prm_regex_pamd": "^[\\s]*auth[\\s]+.+[\\s]+pam_faillock.so[\\s]+[^\\n]*unlock_time=([0-9]+)", "ext_variable": "var_accounts_passwords_pam_faillock_unlock_time", "description": "The unlock time after number of failed logins should be set correctly.", "variable_lower_bound": "use_ext_variable"}, "backends": {}}}