Ubuntu 22.04 LTS must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts have been made.

STIG ID: UBTU-22-411045 | SRG: SRG-OS-000021-GPOS-00005 | Severity: low | CCI: CCI-000044, CCI-002238

Vulnerability Discussion

By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.

Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128

Check

Verify that Ubuntu 22.04 LTS utilizes the "pam_faillock" module by using the following command:

$ grep faillock /etc/pam.d/common-auth

auth [default=die] pam_faillock.so authfail
auth sufficient pam_faillock.so authsucc

If the "pam_faillock.so" module is not present in the "/etc/pam.d/common-auth" file, this is a finding.

Verify the "pam_faillock" module is configured to use the following options:

$ sudo grep -Ew 'silent|audit|deny|fail_interval|unlock_time' /etc/security/faillock.conf
audit
silent
deny = 3
fail_interval = 900
unlock_time = 0

If "audit" is commented out, or is missing, this is a finding.

If "silent" is commented out, or is missing, this is a finding.

If "deny" is set to a value greater than "3", is commented out, or is missing, this is a finding.

If "fail_interval" is set to a value greater than "900", is commented out, or is missing, this is a finding.

If "unlock_time" is not set to "0", is commented out, or is missing, this is a finding.

Fix

Configure Ubuntu 22.04 LTS to utilize the "pam_faillock" module.

Add or modify the following lines in the "/etc/pam.d/common-auth" file, below the "auth" definition for "pam_unix.so":

auth [default=die] pam_faillock.so authfail
auth sufficient pam_faillock.so authsucc

Configure the "pam_faillock" module to use the following options.

Add or modify the following lines in the "/etc/security/faillock.conf" file:

audit
silent
deny = 3
fail_interval = 900
unlock_time = 0
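As an added example (not part of the STIG text or any DISA tooling), the following POSIX shell helper applies the five Check rules above to a faillock.conf file. The function names and the two sample configuration files are constructed for this illustration; the helper's convention that the last uncommented assignment of an option is the effective one is an assumption.

```shell
#!/bin/sh
# Hypothetical helper, not part of the STIG: applies the UBTU-22-411045 Check
# rules to a faillock.conf, ignoring commented-out lines (which the bare grep
# in the Check section does not), and prints one line per finding.

# Effective numeric value of an option (last uncommented assignment wins);
# prints nothing if it is absent, commented out, or non-numeric.
faillock_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p" "$1" | tail -n 1
}
# Flag-style options (audit, silent) are set when they appear alone on a line.
faillock_flag_set() { grep -Eq "^[[:space:]]*$2[[:space:]]*$" "$1"; }

# Returns 0 when every rule holds, 1 otherwise.
check_faillock_conf() {
    conf="$1"; findings=0
    faillock_flag_set "$conf" audit  || { echo "FINDING: audit missing or commented out";  findings=$((findings + 1)); }
    faillock_flag_set "$conf" silent || { echo "FINDING: silent missing or commented out"; findings=$((findings + 1)); }
    deny=$(faillock_value "$conf" deny)
    if [ -z "$deny" ] || [ "$deny" -gt 3 ]; then
        echo "FINDING: deny must be 3 or less (found '${deny:-unset}')"; findings=$((findings + 1))
    fi
    interval=$(faillock_value "$conf" fail_interval)
    if [ -z "$interval" ] || [ "$interval" -gt 900 ]; then
        echo "FINDING: fail_interval must be 900 or less (found '${interval:-unset}')"; findings=$((findings + 1))
    fi
    unlock=$(faillock_value "$conf" unlock_time)
    if [ -z "$unlock" ] || [ "$unlock" -ne 0 ]; then
        echo "FINDING: unlock_time must be 0 (found '${unlock:-unset}')"; findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample files (not real system files) so the helper runs offline.
GOOD_CONF=$(mktemp); cat > "$GOOD_CONF" <<'EOF'
audit
silent
deny = 3
fail_interval = 900
unlock_time = 0
EOF
BAD_CONF=$(mktemp); cat > "$BAD_CONF" <<'EOF'
# silent
audit
deny = 5
fail_interval = 900
# unlock_time = 0
EOF
echo "--- compliant sample ---";     check_faillock_conf "$GOOD_CONF" && echo "no findings"
echo "--- non-compliant sample ---"; check_faillock_conf "$BAD_CONF"  || echo "this is a finding"
```

To audit a live system, run `check_faillock_conf /etc/security/faillock.conf` (with sudo if the file is not world-readable); the pam_faillock lines in /etc/pam.d/common-auth still need the separate grep from the Check section.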