{"description": "This rule configures the system to lock out the <tt>root</tt> account after a number of\nincorrect login attempts using <tt>pam_faillock.so</tt>.\n\npam_faillock.so module requires multiple entries in pam files. These entries must be carefully\ndefined to work as expected. In order to avoid errors when manually editing these files, it is\nrecommended to use the appropriate tools, such as <tt>authselect</tt> or <tt>authconfig</tt>,\ndepending on the OS version.", "rationale": "By limiting the number of failed logon attempts, the risk of unauthorized system access via\nuser password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking\nthe account.", "severity": "medium", "references": {"cis-csc": ["1", "12", "15", "16"], "cobit5": ["DSS05.04", "DSS05.10", "DSS06.10"], "isa-62443-2009": ["4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.2", "SR 1.5", "SR 1.7", "SR 1.8", "SR 1.9"], "iso27001-2013": ["A.18.1.4", "A.9.2.1", "A.9.2.4", "A.9.3.1", "A.9.4.2", "A.9.4.3"], "nist": ["CM-6(a)", "AC-7(b)", "IA-5(c)"], "nist-csf": ["PR.AC-7"], "srg": ["SRG-OS-000329-GPOS-00128", "SRG-OS-000021-GPOS-00005"], "anssi": ["R31"], "ism": ["0421", "0422", "0974", "1173", "1401", "1504", "1505", "1546", "1557", "1558", "1559", "1560", "1561"]}, "control_references": {"anssi": ["R31"], "ism": ["0421", "0422", "0974", "1173", "1401", "1504", "1505", "1546", "1557", "1558", "1559", "1560", "1561"]}, "components": [], "identifiers": {}, "ocil_clause": "the \"even_deny_root\" option is not set, is missing or commented out", "ocil": "Verify Ubuntu 22.04 is configured to lock the root account after <sub idref=\"var_accounts_passwords_pam_faillock_deny\" />\nunsuccessful logon attempts with the command:\n\n<pre>$ grep even_deny_root /etc/security/faillock.conf</pre>\neven_deny_root", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to lock out the <tt>root</tt> account after a number of incorrect login\nattempts using <tt>pam_faillock.so</tt>, first enable the feature using the following command:\n\n$ sudo authselect enable-feature with-faillock\n\nThen edit the <tt>/etc/security/faillock.conf</tt> file as follows:\nadd or uncomment the following line:\n<pre>even_deny_root</pre>", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.", "warnings": [{"general": "If the system relies on <tt>authselect</tt> tool to manage PAM settings, the remediation\nwill also use <tt>authselect</tt> tool. However, if any manual modification was made in\nPAM files, the <tt>authselect</tt> integrity check will fail and the remediation will be\naborted in order to preserve intentional changes. In this case, an informative message will\nbe shown in the remediation report.\nIf the system supports the <tt>/etc/security/faillock.conf</tt> file, the pam_faillock\nparameters should be defined in <tt>faillock.conf</tt> file."}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must automatically lock the root account until the root account is released by an administrator when three unsuccessful logon attempts occur during a 15-minute time period.", "vuldiscussion": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking the account.", "checktext": "Verify Ubuntu 22.04 is configured to lock the root account after three unsuccessful logon attempts with the command:\n\n$ sudo grep even_deny_root /etc/security/faillock.conf\n\neven_deny_root\n\nIf the \"even_deny_root\" option is not set or is missing or commented out, this is a finding.", "fixtext": "To configure Ubuntu 22.04 to lock out the \"root\" account after a number of incorrect logon attempts using \"pam_faillock.so\", first enable the feature using the following command:\n\n$ sudo authselect enable-feature with-faillock\n\nEdit the \"/etc/security/faillock.conf\" by uncommenting or adding the following line:\n\neven_deny_root"}}, "platform": "package[pam]", "platforms": ["package[pam]"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["package_pam"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Configure the root Account for Failed Password Attempts", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny_root/rule.yml", "template": null}