fa657903bc
This patch applies pam_faillock restrictions to Red Hat and CentOS servers. It's an optional change since it could cause issues with existing production deployments. Ubuntu doesn't have pam_faillock, but it may be possible to use fail2ban to achieve some of the same goals later. Documentation is included. Implements: blueprint security-rhel7-stig Change-Id: Ib2d22deff2d97786b84a550313f6ca08cf10cef8
1.6 KiB
---id: RHEL-07-010371 status: opt-in - Red Hat Only tag: auth ---
The STIG requires that accounts with excessive failed login attempts are locked. It sets a limit of three failed attempts in a 15 minute interval and these restrictions are applied to all users (including root). Accounts cannot be automatically unlocked for seven days.
This change might cause disruptions in production environments without proper communication to users. Therefore, this change is not applied by default.
Deployers can opt in for the change by setting the following variable:
security_pam_faillock_enable: yesThere are also three configuration options that can be adjusted by setting Ansible variables:
security_pam_faillock_attempts: This many failed login attempts within the specified time interval with trigger the account to lock. (STIG requirement:3attempts)security_pam_faillock_interval: This is the time interval (in seconds) to use when measuring excessive failed login attempts. (STIG requirement:900seconds)security_pam_faillock_deny_root: Set toyesto apply the restriction to the root user or set tonoto exempt the root user from the account locking restrictions. (STIG requirement:yes)security_pam_faillock_unlock_time: This sets the time delay (in seconds) before a locked account is automatically unlocked. (STIG requirement:604800seconds)
Note
Ubuntu does not provide pam_faillock. This change is
only applied to CentOS 7 or Red Hat Enterprise Linux 7 systems.