Profile Applicability:
• Level 1
Description:
The pam_faillock module provides authentication failure tracking and account locking functionality. Enabling this module helps protect against brute-force attacks by locking user accounts after a configurable number of failed login attempts.
Rationale:
Using pam_faillock enhances security by limiting repeated failed login attempts, thus preventing unauthorized access via password guessing.
Impact:
Pros:
Mitigates brute-force and credential stuffing attacks.
Protects user accounts by locking after failed attempts.
Cons:
May result in legitimate users being locked out if thresholds are too low.
Default Value:
The pam_faillock module may not be enabled by default and requires configuration.
Pre-requisites:
Root or sudo privileges to modify PAM configuration files.
Remediation:
Test Plan:
Using Linux command line:
- Check PAM configuration files (e.g., /etc/pam.d/system-auth, /etc/pam.d/password-auth) for pam_faillock usage:
grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth
Verify that pam_faillock appears in both the auth stack (preauth and authfail lines) and the account stack, with the intended deny and unlock_time values.
Implementation Plan:
Using Linux command line:
- Edit PAM configuration files to enable pam_faillock, for example, add:
auth required pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
account required pam_faillock.so
Save changes.
Backout Plan:
Using Linux command line:
Remove or comment out pam_faillock entries if necessary.
Test authentication behavior after changes.
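The test plan, implementation plan and backout plan above can be exercised together against a copy of a PAM stack file. The script below is an added example, not part of the CIS benchmark or the pam_faillock project. It assumes thresholds of deny at most 5 and unlock_time at least 900 (the values used in the implementation example), that the preauth line must come before pam_unix.so in the auth stack and the authfail line after it (otherwise failures are not counted), and it runs against constructed sample files in a temporary directory rather than against /etc/pam.d.

```shell
#!/bin/sh
# Added example (not from the CIS benchmark or the pam_faillock project):
# audit, enable and back out pam_faillock on a PAM stack file.
# Assumptions not stated on the page: deny must be at most 5 and unlock_time
# at least 900; the preauth line must precede pam_unix.so in the auth stack
# and the authfail line must follow it; the account line is inserted before
# the account-stack pam_unix.so line.

# check_faillock FILE -> returns 0 when every check passes, 1 otherwise
check_faillock() {
    f="$1"; rc=0
    # first matching line number for each directive; commented lines never match
    pre=$(grep -n '^[[:space:]]*auth[[:space:]].*pam_faillock\.so.*preauth' "$f" | sed -n '1s/:.*//p')
    fail=$(grep -n '^[[:space:]]*auth[[:space:]].*pam_faillock\.so.*authfail' "$f" | sed -n '1s/:.*//p')
    unixln=$(grep -n '^[[:space:]]*auth[[:space:]].*pam_unix\.so' "$f" | sed -n '1s/:.*//p')
    acct=$(grep -n '^[[:space:]]*account[[:space:]].*pam_faillock\.so' "$f" | sed -n '1s/:.*//p')
    [ -n "$pre" ]    || { echo "$f: missing auth preauth line";    rc=1; }
    [ -n "$fail" ]   || { echo "$f: missing auth authfail line";   rc=1; }
    [ -n "$acct" ]   || { echo "$f: missing account line";         rc=1; }
    [ -n "$unixln" ] || { echo "$f: no pam_unix.so in auth stack"; rc=1; }
    [ "$rc" -eq 0 ]  || return 1
    # order around pam_unix.so decides whether failed attempts are counted at all
    [ "$pre" -lt "$unixln" ]  || { echo "$f: preauth must precede pam_unix.so"; rc=1; }
    [ "$fail" -gt "$unixln" ] || { echo "$f: authfail must follow pam_unix.so"; rc=1; }
    # lockout thresholds are read from the authfail line
    line=$(sed -n "${fail}p" "$f")
    deny=$(printf '%s\n' "$line"   | sed -n 's/.*deny=\([0-9][0-9]*\).*/\1/p')
    unlock=$(printf '%s\n' "$line" | sed -n 's/.*unlock_time=\([0-9][0-9]*\).*/\1/p')
    [ -n "$deny" ] && [ "$deny" -le 5 ]       || { echo "$f: deny missing or above 5";         rc=1; }
    [ -n "$unlock" ] && [ "$unlock" -ge 900 ] || { echo "$f: unlock_time missing or below 900"; rc=1; }
    return "$rc"
}

# enable_faillock FILE -> keeps FILE.bak, then inserts the three directives
enable_faillock() {
    f="$1"
    if grep -q 'pam_faillock\.so' "$f"; then
        echo "$f: pam_faillock already referenced, not modified"; return 0
    fi
    cp "$f" "$f.bak"
    awk '
        /^[[:space:]]*auth[[:space:]].*pam_unix\.so/ && !auth_done {
            print "auth        required      pam_faillock.so preauth audit silent deny=5 unlock_time=900"
            print
            print "auth        [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900"
            auth_done = 1; next
        }
        /^[[:space:]]*account[[:space:]].*pam_unix\.so/ && !acct_done {
            print "account     required      pam_faillock.so"
            acct_done = 1
        }
        { print }
    ' "$f.bak" > "$f"
}

# backout_faillock FILE -> restores the pre-change copy written by enable_faillock
backout_faillock() { cp "$1.bak" "$1"; }

# Constructed sample stacks (not copied from any system) so this runs offline.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
PLAIN="$SAMPLE_DIR/system-auth"        # no pam_faillock at all
MISORDERED="$SAMPLE_DIR/password-auth" # authfail before pam_unix.so, deny too high
cat > "$PLAIN" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
EOF
cat > "$MISORDERED" <<'EOF'
auth        required      pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth        [default=die] pam_faillock.so authfail audit deny=10 unlock_time=900
auth        sufficient    pam_unix.so try_first_pass
account     required      pam_faillock.so
account     required      pam_unix.so
EOF

check_faillock "$PLAIN" || echo "$PLAIN: not compliant before remediation"
enable_faillock "$PLAIN" && check_faillock "$PLAIN" && echo "$PLAIN: compliant after remediation"
check_faillock "$MISORDERED" || echo "$MISORDERED: needs a manual fix"
backout_faillock "$PLAIN" && echo "$PLAIN: restored from backup"
```

To audit a real host, call check_faillock on the files the test plan names (/etc/pam.d/system-auth and /etc/pam.d/password-auth). enable_faillock refuses to touch a file that already references pam_faillock, so it will not duplicate lines; the .bak copy it writes is what backout_faillock restores. If authconfig manages these files on your host, rerunning it can overwrite manual edits, so re-run the check afterwards.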
References:
CIS Amazon Linux 2 Benchmark v3.0.0
pam_faillock Manual