SRG-OS-000329-GPOS-00128<GroupDescription></GroupDescription>RHEL-07-010320 Accounts subject to three unsuccessful logon attempts within 15 minutes must be locked for the maximum configurable period.<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.

Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>DPMS Target Red Hat 7</dc:title>DISA</dc:publisher>DPMS Target</dc:type>Red Hat 7</dc:subject>2777</dc:identifier>CCI-002238
Configure the operating system to lock an account for the maximum period when three unsuccessful logon attempts in 15 minutes are made.

Modify the first three lines of the auth section of the "/etc/pam.d/system-auth-ac" and "/etc/pam.d/password-auth-ac" files to match the following lines:

auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=604800
auth sufficient pam_unix.so try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=604800

and run the "authconfig" command.

Verify the operating system automatically locks an account for the maximum period for which the system can be configured.

Check that the system locks an account for the maximum period after three unsuccessful logon attempts within a period of 15 minutes with the following command:

grep pam_faillock.so /etc/pam.d/password-auth-ac
auth required pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=604800
auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=604800

If the "unlock_time" setting is greater than "604800" on both lines with the "pam_faillock.so" module name or is missing from a line, this is a finding.
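The check above is a grep whose output the auditor reads by eye. The following POSIX shell script is an added example (not part of the STIG and not DISA's tooling) that performs the same check mechanically: it locates the active, uncommented preauth and authfail lines that load pam_faillock.so, verifies the deny, fail_interval, unlock_time and even_deny_root settings stated in the fix text, and prints one FINDING line per deviation. It runs over three constructed sample files written to a temporary directory. The function names, the sample contents, and the decision to count a non-numeric unlock_time as a finding for manual review are this example's own assumptions, not something the STIG states.

```shell
#!/bin/sh
# Added example, not part of the STIG text: audit a PAM configuration file for
# the pam_faillock settings RHEL-07-010320 requires. Expected values come from
# the fix text; the sample files below are constructed, not from a real host.

FL_DENY=3             # deny=3: three failed attempts
FL_INTERVAL=900       # fail_interval=900: within 15 minutes
FL_UNLOCK_MAX=604800  # unlock_time must be present and not above this

# opt_value LINE NAME -> prints the value of the NAME=value token on LINE.
opt_value() {
    printf '%s\n' "$1" | awk -v name="$2" '{
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n > 0 && substr($i, 1, n - 1) == name) { print substr($i, n + 1); exit }
        }
    }'
}

# has_flag LINE NAME -> succeeds if the bare token NAME appears on LINE.
has_flag() {
    printf '%s\n' "$1" | awk -v name="$2" 'BEGIN { r = 1 }
        { for (i = 1; i <= NF; i++) if ($i == name) r = 0 }
        END { exit r }'
}

# faillock_auth_line FILE ROLE -> prints the first active (uncommented) auth
# line that loads pam_faillock.so with ROLE (preauth or authfail).
faillock_auth_line() {
    awk -v role="$2" '$1 == "auth" && $0 ~ /pam_faillock\.so/ {
        for (i = 3; i <= NF; i++) if ($i == role) { print; exit }
    }' "$1"
}

# check_faillock_file FILE -> prints one FINDING line per problem; returns 0
# only when both the preauth and authfail lines satisfy the fix text.
# Counting a non-numeric unlock_time as a finding is this example's choice.
check_faillock_file() {
    fl_file=$1
    fl_count=0
    for fl_role in preauth authfail; do
        fl_line=$(faillock_auth_line "$fl_file" "$fl_role")
        if [ -z "$fl_line" ]; then
            echo "FINDING: no active pam_faillock.so $fl_role line in $fl_file"
            fl_count=$((fl_count + 1))
            continue
        fi
        fl_val=$(opt_value "$fl_line" deny)
        [ "$fl_val" = "$FL_DENY" ] || { echo "FINDING: $fl_role deny='$fl_val', expected $FL_DENY"; fl_count=$((fl_count + 1)); }
        fl_val=$(opt_value "$fl_line" fail_interval)
        [ "$fl_val" = "$FL_INTERVAL" ] || { echo "FINDING: $fl_role fail_interval='$fl_val', expected $FL_INTERVAL"; fl_count=$((fl_count + 1)); }
        fl_val=$(opt_value "$fl_line" unlock_time)
        case $fl_val in
            '') echo "FINDING: $fl_role unlock_time missing"; fl_count=$((fl_count + 1)) ;;
            *[!0-9]*) echo "FINDING: $fl_role unlock_time='$fl_val' is not numeric, review by hand"; fl_count=$((fl_count + 1)) ;;
            *) [ "$fl_val" -le "$FL_UNLOCK_MAX" ] || { echo "FINDING: $fl_role unlock_time=$fl_val greater than $FL_UNLOCK_MAX"; fl_count=$((fl_count + 1)); } ;;
        esac
        has_flag "$fl_line" even_deny_root || { echo "FINDING: $fl_role lacks even_deny_root"; fl_count=$((fl_count + 1)); }
    done
    [ "$fl_count" -eq 0 ]
}

# write_sample_files DIR -> three constructed PAM fragments (sample data only).
write_sample_files() {
    cat > "$1/compliant" <<'EOF'
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=604800
auth        sufficient    pam_unix.so try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=604800
auth        required      pam_deny.so
account     required      pam_faillock.so
EOF
    # preauth deny too lax; authfail lacks unlock_time and even_deny_root;
    # the commented-out line must be ignored.
    cat > "$1/noncompliant" <<'EOF'
auth        required      pam_faillock.so preauth silent audit deny=5 even_deny_root fail_interval=900 unlock_time=604800
auth        sufficient    pam_unix.so try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=3 fail_interval=900
#auth       required      pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=604800
EOF
    # only the preauth line was added; the authfail line is absent.
    cat > "$1/half" <<'EOF'
auth        required      pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=604800
auth        sufficient    pam_unix.so try_first_pass
EOF
}

# Stand-alone demo over the constructed samples.
demo_dir=$(mktemp -d)
write_sample_files "$demo_dir"
for demo_file in "$demo_dir"/compliant "$demo_dir"/noncompliant "$demo_dir"/half; do
    if check_faillock_file "$demo_file"; then echo "OK: $demo_file"; else echo "NOT COMPLIANT: $demo_file"; fi
done
rm -rf "$demo_dir"
```

On a real host, run check_faillock_file against both /etc/pam.d/system-auth-ac and /etc/pam.d/password-auth-ac, since the fix text edits both files while the check command above only shows password-auth-ac. One caveat for the "run the authconfig command" step: authconfig regenerates system-auth-ac and password-auth-ac from its own settings, so options typed into those files by hand can be overwritten on its next run; on RHEL 7 the same options can instead be supplied through authconfig itself, for example authconfig --enablefaillock --faillockargs="deny=3 even_deny_root fail_interval=900 unlock_time=604800" --update, and then re-audited with the script.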
Group id="V-71943">