ComplianceAsCode / content

Security automation content in SCAP, Bash, Ansible, and other formats
https://complianceascode.readthedocs.io/en/latest/

needs mapping/rule: SRG-OS-000329-GPOS-00128, SV-86567r2_rule, RHEL-07-010320 (PAM unlock_time) #1826

Closed shawndwells closed 7 years ago

shawndwells commented 7 years ago

<Group id="V-71943">SRG-OS-000329-GPOS-00128<GroupDescription></GroupDescription>RHEL-07-010320

Accounts subject to three unsuccessful logon attempts within 15 minutes must be locked for the maximum configurable period.

<VulnDiscussion>By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.

Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

<dc:title>DPMS Target Red Hat 7</dc:title><dc:publisher>DISA</dc:publisher><dc:type>DPMS Target</dc:type><dc:subject>Red Hat 7</dc:subject><dc:identifier>2777</dc:identifier>

CCI-002238

Configure the operating system to lock an account for the maximum period when three unsuccessful logon attempts in 15 minutes are made.

Modify the first three lines of the auth section of the "/etc/pam.d/system-auth-ac" and "/etc/pam.d/password-auth-ac" files to match the following lines:

auth required pam_faillock.so preauth silent audit deny=3 even_deny_root fail_interval=900 unlock_time=604800
auth sufficient pam_unix.so try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root fail_interval=900 unlock_time=604800

and run the "authconfig" command.

Verify the operating system automatically locks an account for the maximum period for which the system can be configured.

Check that the system locks an account for the maximum period after three unsuccessful logon attempts within a period of 15 minutes with the following command:

grep pam_faillock.so /etc/pam.d/password-auth-ac

auth required pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=604800
auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=604800

If the "unlock_time" setting is greater than "604800" on both lines with the "pam_faillock.so" module name or is missing from a line, this is a finding.</Group>
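The check quoted in the comment above, written out as a script; this is an added example, not part of the issue or of the ComplianceAsCode content. It applies the finding condition exactly as quoted (unlock_time missing from a pam_faillock.so line, or greater than 604800). Assumptions of the example: only `auth`-type lines are evaluated (so an `account required pam_faillock.so` line is not flagged), a non-numeric value or the absence of any pam_faillock.so auth line counts as a finding, and both sample inputs are constructed.

```shell
#!/bin/sh
# Added example: evaluates the unlock_time finding condition from the quoted check text.
MAX_UNLOCK=604800   # threshold taken from the quoted check text

# Reads a PAM file on stdin and prints one verdict per pam_faillock.so auth line.
# Returns 0 when no line is a finding, 1 otherwise.
check_unlock_time() {
    awk -v max="$MAX_UNLOCK" '
        /^[ \t]*#/                    { next }   # skip comment lines
        $1 != "auth" && $1 != "-auth" { next }   # assumption: auth lines only
        !/pam_faillock\.so/           { next }
        {
            seen++; val = ""; found = 0
            for (i = 1; i <= NF; i++)
                if ($i ~ /^unlock_time=/) { val = substr($i, 13); found = 1 }
            if (!found)                 { print "FINDING unlock_time missing: " $0; bad++ }
            else if (val !~ /^[0-9]+$/) { print "FINDING non-numeric value " val ": " $0; bad++ }
            else if (val + 0 > max)     { print "FINDING " val " > " max ": " $0; bad++ }
            else                        { print "OK " val ": " $0 }
        }
        END {
            if (seen == 0) { print "FINDING no pam_faillock.so auth lines"; bad++ }
            exit (bad > 0)
        }'
}

# Constructed sample: the auth lines from the quoted check output plus an account line.
sample_compliant() {
cat <<'EOF'
auth required pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=604800
auth sufficient pam_unix.so try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=604800
account required pam_faillock.so
EOF
}

# Constructed sample: one value above the threshold, one line without unlock_time.
sample_finding() {
cat <<'EOF'
auth required pam_faillock.so preauth silent audit deny=3 even_deny_root unlock_time=1209600
auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root
EOF
}

sample_compliant | check_unlock_time
sample_finding | check_unlock_time || echo "result: finding"
# On a real host: check_unlock_time < /etc/pam.d/password-auth-ac
```

Run it against both "/etc/pam.d/system-auth-ac" and "/etc/pam.d/password-auth-ac", since the fix text modifies both files.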

shawndwells commented 7 years ago

maps to accounts_passwords_pam_faillock_unlock_time