{"description": "This rule configures the system to lock out accounts after a number of incorrect login attempts\nusing <tt>pam_faillock.so</tt>.\npam_faillock.so module requires multiple entries in pam files. These entries must be carefully\ndefined to work as expected.\nEnsure that the file <tt>/etc/security/faillock.conf</tt> contains the following entry:\n<tt>deny = &lt;count&gt;</tt>\nWhere count should be less than or equal to\n<sub idref=\"var_accounts_passwords_pam_faillock_deny\" /> and greater than 0.", "rationale": "By limiting the number of failed logon attempts, the risk of unauthorized system access via\nuser password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking\nthe account.", "severity": "medium", "references": {"cis-csc": ["1", "12", "15", "16"], "cjis": ["5.5.3"], "cobit5": ["DSS05.04", "DSS05.10", "DSS06.10"], "cui": ["3.1.8"], "isa-62443-2009": ["4.3.3.6.1", "4.3.3.6.2", "4.3.3.6.3", "4.3.3.6.4", "4.3.3.6.5", "4.3.3.6.6", "4.3.3.6.7", "4.3.3.6.8", "4.3.3.6.9"], "isa-62443-2013": ["SR 1.1", "SR 1.10", "SR 1.2", "SR 1.5", "SR 1.7", "SR 1.8", "SR 1.9"], "iso27001-2013": ["A.18.1.4", "A.9.2.1", "A.9.2.4", "A.9.3.1", "A.9.4.2", "A.9.4.3"], "nist": ["CM-6(a)", "AC-7(a)"], "nist-csf": ["PR.AC-7"], "ospp": ["FIA_AFL.1"], "pcidss": ["Req-8.1.6"], "srg": ["SRG-OS-000329-GPOS-00128", "SRG-OS-000021-GPOS-00005"], "anssi": ["R31"], "cis": ["5.3.3.1.1"], "ism": ["0421", "0422", "0974", "1173", "1401", "1504", "1505", "1546", "1557", "1558", "1559", "1560", "1561"], "pcidss4": ["8.3.4", "8.3"], "stigid": ["UBTU-22-411045"], "stigref": ["SV-260549r958388_rule"]}, "control_references": {"anssi": ["R31"], "cis": ["5.3.3.1.1"], "ism": ["0421", "0422", "0974", "1173", "1401", "1504", "1505", "1546", "1557", "1558", "1559", "1560", "1561"], "pcidss4": ["8.3.4", "8.3"], "stigid": ["UBTU-22-411045"]}, "components": [], "identifiers": {}, "ocil_clause": "the \"deny\" option is not set to \"<sub idref=\"var_accounts_passwords_pam_faillock_deny\" />\"\nor less (but not \"0\"), is missing or commented out", "ocil": "Verify Ubuntu 22.04 is configured to lock an account after <sub idref=\"var_accounts_passwords_pam_faillock_deny\" />\nunsuccessful logon attempts with the command:\n\n<pre>$ grep 'deny =' /etc/security/faillock.conf</pre>\ndeny = <sub idref=\"var_accounts_passwords_pam_faillock_deny\" />.", "oval_external_content": null, "fixtext": "Configure Ubuntu 22.04 to lock an account when <sub idref=\"var_accounts_passwords_pam_faillock_deny\" />\nunsuccessful logon attempts occur. First enable the feature using the following command:\n\n$ sudo authselect enable-feature with-faillock\n\nThen edit the <tt>/etc/security/faillock.conf</tt> file as follows:\ndeny = <sub idref=\"var_accounts_passwords_pam_faillock_deny\" />", "checktext": "", "vuldiscussion": "", "srg_requirement": "Ubuntu 22.04 must automatically lock an account when three unsuccessful logon attempts occur.", "warnings": [{"general": "If the system relies on <tt>authselect</tt> tool to manage PAM settings, the remediation\nwill also use <tt>authselect</tt> tool. However, if any manual modification was made in\nPAM files, the <tt>authselect</tt> integrity check will fail and the remediation will be\naborted in order to preserve intentional changes. In this case, an informative message will\nbe shown in the remediation report.\nIf the system supports the <tt>/etc/security/faillock.conf</tt> file, the pam_faillock\nparameters should be defined in <tt>faillock.conf</tt> file."}], "conflicts": [], "requires": [], "policy_specific_content": {"stig": {"srg_requirement": "Ubuntu 22.04 must automatically lock an account when three unsuccessful logon attempts occur.", "vuldiscussion": "By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.", "checktext": "Verify Ubuntu 22.04 is configured to lock an account after three unsuccessful logon attempts with the command:\n\n$ grep 'deny =' /etc/security/faillock.conf\n\ndeny = 3\n\nIf the \"deny\" option is not set to \"3\" or less (but not \"0\"), is missing or commented out, this is a finding.", "fixtext": "Configure Ubuntu 22.04 to lock an account when three unsuccessful logon attempts occur.\n\nAdd/Modify the \"/etc/security/faillock.conf\" file to match the following line:\n\ndeny = 3"}}, "platform": "package[pam]", "platforms": ["package[pam]"], "sce_metadata": {}, "inherited_platforms": ["system_with_kernel"], "cpe_platform_names": ["package_pam"], "inherited_cpe_platform_names": ["system_with_kernel"], "bash_conditional": null, "fixes": {}, "title": "Lock Accounts After Failed Password Attempts", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_faillock_deny/rule.yml", "template": {"name": "pam_account_password_faillock", "vars": {"prm_name": "deny", "prm_regex_conf": "^[\\s]*deny[\\s]*=[\\s]*([0-9]+)", "prm_regex_pamd": "^[\\s]*auth[\\s]+.+[\\s]+pam_faillock.so[\\s]+[^\\n]*deny=([0-9]+)", "ext_variable": "var_accounts_passwords_pam_faillock_deny", "description": "Lockout account after failed login attempts.", "variable_upper_bound": "use_ext_variable", "variable_lower_bound": 1}, "backends": {}}}