{"description": "The <tt>pam_faillock</tt> PAM module provides the capability to\nlock out user accounts after a number of failed login attempts. Its\ndocumentation is available in\n<tt>/usr/share/doc/pam-VERSION/txts/README.pam_faillock</tt>.\n<br /><br />", "warnings": [{"general": "Locking out user accounts presents the\nrisk of a denial-of-service attack. The lockout policy\nmust weigh whether the risk of such a\ndenial-of-service attack outweighs the benefits of thwarting\npassword guessing attacks."}], "requires": [], "conflicts": [], "values": ["var_accounts_passwords_pam_faillock_deny", "var_accounts_passwords_pam_faillock_dir", "var_accounts_passwords_pam_faillock_fail_interval", "var_accounts_passwords_pam_faillock_root_unlock_time", "var_accounts_passwords_pam_faillock_unlock_time", "var_accounts_passwords_pam_tally2_unlock_time", "var_password_pam_delay", "var_password_pam_remember", "var_password_pam_remember_control_flag", "var_password_pam_tally2"], "groups": {}, "rules": ["account_password_pam_faillock_password_auth", "account_password_pam_faillock_system_auth", "account_password_selinux_faillock_dir", "account_passwords_pam_faillock_audit", "account_passwords_pam_faillock_dir", "accounts_password_pam_pwhistory_enabled", "accounts_password_pam_pwhistory_enforce_for_root", "accounts_password_pam_pwhistory_enforce_root", "accounts_password_pam_pwhistory_remember", "accounts_password_pam_pwhistory_remember_password_auth", "accounts_password_pam_pwhistory_remember_system_auth", "accounts_password_pam_pwhistory_use_authtok", "accounts_password_pam_unix_authtok", "accounts_password_pam_unix_remember", "accounts_passwords_pam_faildelay_delay", "accounts_passwords_pam_faillock_audit", "accounts_passwords_pam_faillock_deny", "accounts_passwords_pam_faillock_deny_root", "accounts_passwords_pam_faillock_dir", "accounts_passwords_pam_faillock_enabled", "accounts_passwords_pam_faillock_enforce_local", "accounts_passwords_pam_faillock_interval", "accounts_passwords_pam_faillock_root_unlock_time", "accounts_passwords_pam_faillock_silent", "accounts_passwords_pam_faillock_unlock_time", "accounts_passwords_pam_faillock_unlock_time_with_zero", "accounts_passwords_pam_tally2", "accounts_passwords_pam_tally2_deny_root", "accounts_passwords_pam_tally2_file", "accounts_passwords_pam_tally2_file_selinux", "accounts_passwords_pam_tally2_unlock_time"], "platform": "system_with_kernel", "platforms": ["system_with_kernel"], "inherited_platforms": [], "cpe_platform_names": ["system_with_kernel"], "title": "Set Lockouts for Failed Password Attempts", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/group.yml"}