{"description": "By setting a `dir` in the faillock configuration, account lockouts will persist across reboots.", "rationale": "Having lockouts persist across reboots ensures that the account is only unlocked by an administrator.\nIf the lockouts did not persist across reboots, an attacker could simply reboot the system to continue brute-force attacks against the accounts on the system.\n", "severity": "medium", "references": {"nist": ["AC-7 (ia)"]}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "the \"dir\" option is not set to a non-default documented tally log directory, is missing or commented out", "ocil": "Verify the \"/etc/security/faillock.conf\" file is configured to use a non-default faillock directory to ensure contents persist after reboot:\n\n$ sudo grep 'dir =' /etc/security/faillock.conf\n\ndir = /var/log/faillock", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to maintain the contents of the faillock directory after a reboot.\n\nAdd/Modify the \"/etc/security/faillock.conf\" file to match the following line:\n\ndir = /var/log/faillock", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must ensure account lockouts persist.", "warnings": [{"general": "This rule is deprecated in favor of the <code>accounts_passwords_pam_faillock_dir</code> rule. Please consider replacing this rule in your files as it is not expected to receive\nupdates as of version <code>0.1.65</code>."}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must ensure account lockouts persist.", "vuldiscussion": "Having lockouts persist across reboots ensures that the account is only unlocked by an administrator.\nIf the lockouts did not persist across reboots, an attacker could simply reboot the system to continue brute-force attacks against the accounts on the system.", "checktext": "Verify the \"/etc/security/faillock.conf\" file is configured to use a non-default faillock directory to ensure contents persist after reboot with the following command:\n\n$ grep 'dir =' /etc/security/faillock.conf\n\ndir = /var/log/faillock\n\nIf the \"dir\" option is not set to a non-default documented tally log directory, is missing or commented out, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to maintain the contents of the faillock directory after a reboot.\n\nAdd/Modify the \"/etc/security/faillock.conf\" file to match the following line:\n\ndir = /var/log/faillock"}}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": [], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Account Lockouts Must Persist", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/account_passwords_pam_faillock_dir/rule.yml", "template": null}