{"description": "This rule ensures that account lockouts applied by <tt>pam_faillock.so</tt> persist\nafter a system reboot. From the \"pam_faillock\" man page:\n<pre>Note that the default directory that \"pam_faillock\" uses is usually cleared on system\nboot so the access will be re-enabled after system reboot. If that is undesirable, a different\ntally directory must be set with the \"dir\" option.</pre>\n\nThe <tt>pam_faillock.so</tt> module requires multiple entries in PAM files. These entries must be carefully\ndefined to work as expected. In order to avoid errors when manually editing these files, it is\nrecommended to use the appropriate tool, such as <tt>authselect</tt> or <tt>authconfig</tt>,\ndepending on the OS version.\n\nThe chosen profile expects the directory to be <tt><sub idref=\"var_accounts_passwords_pam_faillock_dir\" /></tt>.\n\nTo configure the tally directory, add the following line to <tt>/etc/security/faillock.conf</tt>:\n<pre>dir = <sub idref=\"var_accounts_passwords_pam_faillock_dir\" /></pre>", "rationale": "Locking out user accounts after a number of incorrect attempts prevents direct password\nguessing attacks. 
In combination with the <tt>silent</tt> option, user enumeration attacks\nare also mitigated.", "severity": "medium", "references": {"nist": ["AC-7(b)", "AC-7(a)", "AC-7.1(ii)"], "srg": ["SRG-OS-000021-GPOS-00005", "SRG-OS-000329-GPOS-00128"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the \"dir\" option is not set to a non-default documented tally log directory, is missing or commented out", "ocil": "To ensure the tally directory is configured correctly, run the following command:\n<pre>$ sudo grep 'dir =' /etc/security/faillock.conf</pre>\nThe output should show that dir is set to something other than \"/var/run/faillock\".", "oval_external_content": null, "fixtext": "To configure Ubuntu 22.04 to persist locked out accounts after reboot using\n<tt>pam_faillock.so</tt>, first enable the feature using the following command:\n$ sudo authselect enable-feature with-faillock\n\nThen edit the <tt>/etc/security/faillock.conf</tt> file as follows:\nadd, uncomment, or edit the following line:\n<pre>dir = <sub idref=\"var_accounts_passwords_pam_faillock_dir\" /></pre>", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must ensure account lockouts persist.", "warnings": [{"general": "If the system relies on the <tt>authselect</tt> tool to manage PAM settings, the remediation\nwill also use the <tt>authselect</tt> tool. However, if any manual modification was made to\nPAM files, the <tt>authselect</tt> integrity check will fail and the remediation will be\naborted in order to preserve intentional changes. 
In this case, an informative message will\nbe shown in the remediation report.\nIf the system supports the <tt>/etc/security/faillock.conf</tt> file, the pam_faillock\nparameters should be defined in the <tt>faillock.conf</tt> file."}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must ensure account lockouts persist.", "vuldiscussion": "Having lockouts persist across reboots ensures that the account is only unlocked by an administrator. If the lockouts did not persist across reboots, an attacker could simply reboot the system to continue brute force attacks against the accounts on the system.", "checktext": "Verify the \"/etc/security/faillock.conf\" file is configured to use a nondefault faillock directory to ensure contents persist after reboot with the following command:\n\n$ sudo grep -w dir /etc/security/faillock.conf\n\ndir = /var/log/faillock\n\nIf the \"dir\" option is not set to a nondefault documented tally log directory or is missing or commented out, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to maintain the contents of the faillock directory after a reboot.\n\nAdd/modify the \"/etc/security/faillock.conf\" file to match the following line:\n\ndir = /var/log/faillock"}}, "platform": "package[pam]", "platforms": ["package[pam]"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["package_pam"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Lock Accounts Must Persist", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_dir/rule.yml", "template": null}