Vulnerability Discussion
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128
Check
Verify that Ubuntu 22.04 LTS utilizes the "pam_faillock" module by using the following command:
$ grep faillock /etc/pam.d/common-auth
auth [default=die] pam_faillock.so authfail
auth sufficient pam_faillock.so authsucc
If the "pam_faillock.so" module is not present in the "/etc/pam.d/common-auth" file, this is a finding.
Verify the "pam_faillock" module is configured to use the following options:
$ sudo grep -Ew 'silent|audit|deny|fail_interval|unlock_time' /etc/security/faillock.conf
audit
silent
deny = 3
fail_interval = 900
unlock_time = 0
If "audit" is commented out, or is missing, this is a finding.
If "silent" is commented out, or is missing, this is a finding.
If "deny" is set to a value greater than "3", is commented out, or is missing, this is a finding.
If "fail_interval" is set to a value greater than "900", is commented out, or is missing, this is a finding.
If "unlock_time" is not set to "0", is commented out, or is missing, this is a finding.
Fix
Configure Ubuntu 22.04 LTS to utilize the "pam_faillock" module.
Add or modify the following lines in the "/etc/pam.d/common-auth" file, below the "auth" definition for "pam_unix.so":
auth [default=die] pam_faillock.so authfail
auth sufficient pam_faillock.so authsucc
Configure the "pam_faillock" module to use the following options.
Add or modify the following lines in the "/etc/security/faillock.conf" file:
audit
silent
deny = 3
fail_interval = 900
unlock_time = 0