Profile Applicability:
• Level 1
Description:
Configuring the password failed-attempts lockout to include the root account ensures that root, like any other user, is locked out after the configured number of consecutive failed authentications. This limits online password-guessing (brute-force) attacks against the most privileged account on every PAM-mediated login path (console, su, and SSH password authentication where it is allowed).
Rationale:
Without even_deny_root, pam_faillock counts failures for root but never denies it, so an attacker can keep guessing the root password indefinitely. Including root in the lockout policy closes that gap and applies the same rate limit to the account whose compromise matters most.
Impact:
Pros:
Enhances security for the root account.
Helps prevent brute-force attacks on critical accounts.
Cons:
Risk of accidental lockout of the root account if the password is forgotten or mistyped repeatedly.
Anyone who can reach a login prompt can deliberately lock root out (a denial-of-service against administrators); the unlock_time setting (or root_unlock_time, which implies even_deny_root) bounds how long that lasts, and an out-of-band console path should remain available.
Default Value:
pam_faillock excludes the root account from the deny limit by default; root is only locked when even_deny_root (or root_unlock_time) is explicitly set on the pam_faillock lines.
Pre-requisites:
pam_faillock must already be the lockout module configured in both PAM stacks; confirm with:
grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth
Root or sudo privileges to modify PAM configuration files.
Remediation:
Test Plan:
Using Linux command line:
- Check the PAM configuration files (/etc/pam.d/system-auth and /etc/pam.d/password-auth) for the pam_faillock module lines and the presence of the even_deny_root option:
grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth
Verify that even_deny_root appears on both the preauth and the authfail auth lines in both files; a single line carrying the option is not sufficient to enforce lockout on the root account.
Implementation Plan:
Using Linux command line:
- Edit both /etc/pam.d/system-auth and /etc/pam.d/password-auth so that every auth line for pam_faillock includes even_deny_root. The preauth line is placed before pam_unix.so, the authfail line after it, and both must carry the same deny and unlock_time values; the account line takes no options. For example:
auth        required      pam_faillock.so preauth audit silent deny=5 unlock_time=900 even_deny_root
auth        [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900 even_deny_root
account     required      pam_faillock.so
Save the changes. Note that on Amazon Linux 2 these files are managed by authconfig (system-auth and password-auth are symlinks to the -ac variants); re-running authconfig can overwrite manual edits, so re-verify after any authconfig use.
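The following script, added here as an example and not part of the CIS benchmark or the pam_faillock project, automates the Test Plan and Implementation Plan above: it audits the two PAM files for auth pam_faillock.so lines missing even_deny_root and, on request, appends the option in place with a .bak copy for the Backout Plan. It assumes pam_faillock is configured directly in the PAM files (the Amazon Linux 2 / RHEL 7 layout, not /etc/security/faillock.conf) and that only the auth preauth/authfail lines carry the option. The sample PAM content it builds for the demo is constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not benchmark text): audit and remediate even_deny_root on
# pam_faillock auth lines. Assumes PAM-file configuration (no faillock.conf).
set -u

# audit_faillock FILE...
# Prints every "auth ... pam_faillock.so" line that lacks even_deny_root.
# Returns 0 only if every file is readable, at least one such line exists,
# and all of them carry the option (both preauth and authfail, in every file).
audit_faillock() {
    local rc=0 found=0 f line
    for f in "$@"; do
        if [ ! -r "$f" ]; then
            echo "unreadable: $f" >&2
            rc=1
            continue
        fi
        while IFS= read -r line; do
            case "$line" in
                auth*pam_faillock.so*)
                    found=1
                    case "$line" in
                        *even_deny_root*) ;;
                        *) echo "$f: $line"; rc=1 ;;
                    esac
                    ;;
            esac
        done < "$f"
    done
    [ "$found" -eq 1 ] || rc=1
    return "$rc"
}

# remediate_faillock FILE...
# Appends even_deny_root to each "auth ... pam_faillock.so" line missing it,
# editing in place and leaving FILE.bak for the backout plan. The "account"
# line is left untouched because it takes no options.
remediate_faillock() {
    local f
    for f in "$@"; do
        sed -i.bak -E '/^auth[[:space:]].*pam_faillock\.so/{/even_deny_root/!s/[[:space:]]*$/ even_deny_root/;}' "$f"
    done
}

# make_sample_pam_dir
# Writes a constructed, non-compliant system-auth/password-auth pair into a
# temp directory and prints its path, so the functions can be exercised
# without touching /etc/pam.d.
make_sample_pam_dir() {
    local d
    d=$(mktemp -d)
    cat > "$d/system-auth" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        required      pam_faillock.so preauth audit silent deny=5 unlock_time=900
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=5 unlock_time=900
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
EOF
    cp "$d/system-auth" "$d/password-auth"
    echo "$d"
}

# Real use: audit_faillock /etc/pam.d/system-auth /etc/pam.d/password-auth
# Run this file with --demo to exercise the constructed sample instead.
if [ "${1:-}" = "--demo" ]; then
    dir=$(make_sample_pam_dir)
    echo "== before =="; audit_faillock "$dir/system-auth" "$dir/password-auth" || true
    remediate_faillock "$dir/system-auth" "$dir/password-auth"
    echo "== after =="; audit_faillock "$dir/system-auth" "$dir/password-auth" && echo "compliant"
fi
```

The audit deliberately fails when no pam_faillock auth line is present at all, since a file that has lost its faillock lines is non-compliant rather than trivially compliant. The sed expression anchors on lines beginning with auth, so the account line and comments are never modified.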
Backout Plan:
Using Linux command line:
Remove the even_deny_root option from both auth pam_faillock lines in /etc/pam.d/system-auth and /etc/pam.d/password-auth (or restore the backup copies taken before the change), and clear any existing lockout counter for root with faillock --user root --reset.
Test authentication and root access functionality (console login, su, and sudo) before closing the change.
References:
CIS Amazon Linux 2 Benchmark v3.0.0
pam_faillock Manual