Profile Applicability:
• Level 1
Description:
Configuring account lockout after a specified number of failed password attempts helps prevent brute-force attacks by temporarily disabling accounts that exceed the threshold of unsuccessful logins.
Rationale:
Implementing lockout mechanisms reduces the risk of unauthorized access through repeated guessing and enforces stricter authentication controls.
Impact:
Pros:
Mitigates brute-force and credential stuffing attacks.
Protects user accounts by enforcing lockout policies.
Cons:
May cause legitimate users to be locked out due to mistyped passwords.
Default Value:
Account lockout is often not configured by default and must be explicitly enabled.
Pre-requisites:
Root or sudo privileges to configure PAM modules like pam_faillock.
Remediation:
Test Plan:
Using Linux command line:
- Check PAM configuration for lockout settings (e.g., in /etc/pam.d/system-auth and /etc/pam.d/password-auth):
grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth
Verify deny, unlock_time, and related parameters are set.
Implementation Plan:
Using Linux command line:
- Configure pam_faillock in PAM configuration files with desired lockout policy, for example:
auth required pam_faillock.so preauth silent deny=5 unlock_time=900
auth [default=die] pam_faillock.so authfail deny=5 unlock_time=900
account required pam_faillock.so
Save changes.
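The audit script below is an added example and is not part of the CIS benchmark or of pam_faillock itself. It turns the grep from the Test Plan into a pass/fail function that parses the three pam_faillock lines shown in the Implementation Plan (preauth, authfail, account) and enforces the example thresholds: deny no higher than 5 and unlock_time at least 900 seconds, with unlock_time=0 or never accepted because such an entry stays locked until an administrator resets it. The function name, the thresholds and the two sample PAM files are assumptions constructed for the demonstration, and the script only reads options written inline on the PAM lines, as the benchmark shows; a newer pam_faillock that takes its options from /etc/security/faillock.conf has to be checked there instead. When making the real change, keep the preauth line before pam_unix.so and the authfail line after it, in the order the pam_faillock manual describes, since the counting depends on that placement.

```shell
#!/bin/sh
# Added example, not from the CIS benchmark or pam_faillock: audit a PAM file for
# the pam_faillock lockout policy. It runs on constructed sample files in a temp
# directory, so it needs no root and never touches /etc/pam.d.

# check_faillock_policy FILE [MAX_DENY] [MIN_UNLOCK]
# Returns 0 when FILE has the preauth, authfail and account pam_faillock lines
# with deny <= MAX_DENY and unlock_time >= MIN_UNLOCK on both auth lines.
# The defaults (5 and 900) are assumed to match the benchmark's example values.
check_faillock_policy() {
    file=$1
    max_deny=${2:-5}
    min_unlock=${3:-900}
    rc=0

    # Drop comment lines and keep only pam_faillock entries.
    lines=$(grep -v '^[[:space:]]*#' "$file" | grep 'pam_faillock.so' || true)

    for stage in preauth authfail; do
        line=$(printf '%s\n' "$lines" | grep "^[[:space:]]*auth.*$stage" | head -n 1 || true)
        if [ -z "$line" ]; then
            echo "$file: missing 'auth ... pam_faillock.so $stage' line"
            rc=1
            continue
        fi

        deny=$(printf '%s\n' "$line" | sed -n 's/.*deny=\([0-9]*\).*/\1/p')
        if [ -z "$deny" ] || [ "$deny" -gt "$max_deny" ]; then
            echo "$file: $stage deny=${deny:-unset} (want <= $max_deny)"
            rc=1
        fi

        unlock=$(printf '%s\n' "$line" | sed -n 's/.*unlock_time=\([0-9a-z]*\).*/\1/p')
        case $unlock in
            '')       echo "$file: $stage unlock_time unset (want >= $min_unlock)"; rc=1 ;;
            0|never)  ;;   # locked until 'faillock --reset': stricter than any timer
            *[!0-9]*) echo "$file: $stage unlock_time=$unlock is not a number"; rc=1 ;;
            *)        if [ "$unlock" -lt "$min_unlock" ]; then
                          echo "$file: $stage unlock_time=$unlock (want >= $min_unlock)"
                          rc=1
                      fi ;;
        esac
    done

    if ! printf '%s\n' "$lines" | grep -q '^[[:space:]]*account.*pam_faillock.so'; then
        echo "$file: missing 'account required pam_faillock.so' line"
        rc=1
    fi
    return $rc
}

# write_sample_pam_files DIR: constructed sample files used for the demonstration.
write_sample_pam_files() {
    dir=$1
    # Compliant: the benchmark's three lines placed around a typical pam_unix stack.
    cat > "$dir/system-auth.good" <<'EOF'
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=5 unlock_time=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail deny=5 unlock_time=900
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
EOF
    # Non-compliant: weak preauth (deny=20, no unlock_time), authfail and account lines missing.
    cat > "$dir/system-auth.bad" <<'EOF'
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=20
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
EOF
}

tmp=$(mktemp -d)
write_sample_pam_files "$tmp"
for f in "$tmp/system-auth.good" "$tmp/system-auth.bad"; do
    if check_faillock_policy "$f"; then
        echo "$f: PASS"
    else
        echo "$f: FAIL"
    fi
done
rm -rf "$tmp"
```

On a real host, call check_faillock_policy on /etc/pam.d/system-auth and /etc/pam.d/password-auth in turn; a non-zero return together with the printed findings is the audit failure, and the thresholds can be passed as the second and third arguments when a site policy is stricter than the example values.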
Backout Plan:
Using Linux command line:
Remove or adjust pam_faillock settings if needed.
Test authentication and lockout behavior.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
pam_faillock Manual