Profile Applicability:
• Level 1
Description:
The unlock time (the pam_faillock unlock_time option) determines how long a user account remains locked after the failed login attempt threshold (deny) has been exceeded. An appropriate unlock time balances security and usability: long enough to slow brute-force password guessing, short enough that a legitimate user who mistypes a password is not denied access for an extended period.
Rationale:
An effective unlock time limits the window of exposure from repeated failed login attempts while allowing legitimate users to regain access without administrative intervention.
Impact:
Pros:
Mitigates risks from brute-force attacks.
Reduces administrative overhead by enabling automatic unlock.
Cons:
Setting too short a time may reduce security effectiveness.
Setting too long a time may inconvenience legitimate users.
Default Value:
pam_faillock is not enabled in the default Amazon Linux 2 PAM stack, so no unlock time is in effect until the module is configured. When the module is enabled without an explicit unlock_time, the module's built-in default of 600 seconds applies (per the pam_faillock manual).
Pre-requisites:
Root or sudo privileges to configure PAM modules such as pam_faillock.
Remediation:
Test Plan:
Using Linux command line:
- Check the PAM configuration files for the unlock_time setting on the pam_faillock lines, e.g. in /etc/pam.d/system-auth and /etc/pam.d/password-auth:
grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth
Verify that unlock_time is set to the same value on both the preauth and authfail auth lines in both files, and that the value is appropriate (this page uses 900 seconds). If unlock_time is omitted, the module default of 600 seconds applies; a value of 0 or never disables automatic unlock and requires an administrator to run faillock --user <user> --reset.
Implementation Plan:
Using Linux command line:
- Configure pam_faillock with an appropriate unlock time in both /etc/pam.d/system-auth and /etc/pam.d/password-auth, for example:
auth        required      pam_faillock.so preauth silent deny=5 unlock_time=900
auth        [default=die] pam_faillock.so authfail deny=5 unlock_time=900
account     required      pam_faillock.so
Place the preauth line before the pam_unix.so auth line, the authfail line after it, and the account line before the pam_unix.so account line; deny and unlock_time must carry the same values on the preauth and authfail lines.
Save changes to both PAM configuration files. Note that on Amazon Linux 2 these files are generated by authconfig, which overwrites manual edits when it is run again.
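The audit and remediation steps above can be checked mechanically. The script below is an added example written for this page, not a CIS or pam_faillock tool: it parses pam_faillock auth lines, extracts deny and unlock_time, verifies that the two values agree between the preauth and authfail lines, and verifies the stack ordering (preauth before pam_unix.so, authfail after it). The PAM file contents are constructed samples, and the MIN_UNLOCK and MAX_DENY thresholds are assumptions that follow the deny=5 / unlock_time=900 values used on this page.

```sh
#!/bin/sh
# Added audit helper for pam_faillock deny/unlock_time (example for this page, not a CIS script).
# Assumed policy thresholds, following the values used on this page:
MIN_UNLOCK=900   # minimum acceptable unlock_time in seconds
MAX_DENY=5       # maximum acceptable deny count

# Constructed sample: compliant stack (preauth before pam_unix.so, authfail after it).
SAMPLE_OK='auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent deny=5 unlock_time=900
auth        sufficient    pam_unix.so try_first_pass nullok
auth        [default=die] pam_faillock.so authfail deny=5 unlock_time=900
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so'

# Constructed sample: unlock_time too short, and authfail placed before pam_unix.so,
# where it never observes the failed pam_unix authentication.
SAMPLE_WEAK='auth        required      pam_faillock.so preauth silent deny=5 unlock_time=60
auth        [default=die] pam_faillock.so authfail deny=5 unlock_time=60
auth        sufficient    pam_unix.so try_first_pass nullok
account     required      pam_faillock.so'

# Constructed sample: unlock_time=0 locks until an administrator runs faillock --reset.
SAMPLE_MANUAL='auth        required      pam_faillock.so preauth silent deny=5 unlock_time=0
auth        sufficient    pam_unix.so try_first_pass nullok
auth        [default=die] pam_faillock.so authfail deny=5 unlock_time=0
account     required      pam_faillock.so'

# Print the values of option $1 from every pam_faillock auth line in PAM content $2.
faillock_values() {
    printf '%s\n' "$2" \
        | grep -E '^[[:space:]]*auth[[:space:]].*pam_faillock\.so' \
        | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# Print the first value of option $1 in content $2 (nothing if module or option is absent).
faillock_option() {
    faillock_values "$1" "$2" | head -n 1
}

# Return 0 if option $1 has exactly one distinct value across the pam_faillock auth lines.
option_consistent() {
    n=$(faillock_values "$1" "$2" | sort -u | wc -l | tr -d ' ')
    [ "$n" -eq 1 ]
}

# Return 0 if unlock_time is set, consistent, numeric and >= MIN_UNLOCK;
# 2 if it is 0 or "never" (no automatic unlock, contrary to this page's rationale);
# 1 if missing, inconsistent, non-numeric or too short.
check_unlock_time() {
    u=$(faillock_option unlock_time "$1")
    [ -n "$u" ] || return 1
    option_consistent unlock_time "$1" || return 1
    if [ "$u" = "0" ] || [ "$u" = "never" ]; then
        return 2
    fi
    case "$u" in
        *[!0-9]*) return 1 ;;
    esac
    [ "$u" -ge "$MIN_UNLOCK" ]
}

# Return 0 if deny is set, consistent, numeric and <= MAX_DENY.
check_deny() {
    d=$(faillock_option deny "$1")
    [ -n "$d" ] || return 1
    option_consistent deny "$1" || return 1
    case "$d" in
        *[!0-9]*) return 1 ;;
    esac
    [ "$d" -le "$MAX_DENY" ]
}

# Print the 1-based line number of the first auth line in $2 matching ERE $1, or nothing.
auth_line_no() {
    printf '%s\n' "$2" \
        | grep -n -E "^[[:space:]]*auth[[:space:]].*$1" \
        | head -n 1 | cut -d: -f1
}

# Return 0 if the stack is ordered preauth -> pam_unix.so -> authfail and has an account line.
check_ordering() {
    pre=$(auth_line_no 'pam_faillock\.so.*preauth' "$1")
    unix_no=$(auth_line_no 'pam_unix\.so' "$1")
    post=$(auth_line_no 'pam_faillock\.so.*authfail' "$1")
    [ -n "$pre" ] && [ -n "$unix_no" ] && [ -n "$post" ] || return 1
    printf '%s\n' "$1" | grep -qE '^[[:space:]]*account[[:space:]].*pam_faillock\.so' || return 1
    [ "$pre" -lt "$unix_no" ] && [ "$unix_no" -lt "$post" ]
}

# Run every check on one PAM file's content; return 0 only if all pass.
audit_faillock() {
    check_deny "$1" && check_unlock_time "$1" && check_ordering "$1"
}

# Stand-alone use on a host (paths as on this page): sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    for f in /etc/pam.d/system-auth /etc/pam.d/password-auth; do
        if audit_faillock "$(cat "$f")"; then echo "PASS $f"; else echo "FAIL $f"; fi
    done
fi
```

The consistency check matters because pam_faillock reads deny and unlock_time from whichever line is executing, so a mismatch between preauth and authfail silently changes the effective policy; the ordering check catches the common mistake of placing authfail before pam_unix.so, where it never counts the failed authentication.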
Backout Plan:
Using Linux command line:
Remove or adjust the unlock_time settings in /etc/pam.d/system-auth and /etc/pam.d/password-auth, keeping the preauth and authfail lines consistent.
Test the lockout and unlock behavior, for example by exceeding the deny threshold with incorrect passwords for a test account, checking the failure counter with faillock --user <user>, and confirming that the account unlocks after unlock_time seconds or after faillock --user <user> --reset.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
pam_faillock Manual