|
| 1 | +documentation_complete: true |
| 2 | + |
| 3 | +title: Ensure Root Account Lockout on Failed Password Attempts |
| 4 | + |
| 5 | +description: >- |
| 6 | + This rule configures the system to include the <tt>root</tt> account in the |
| 7 | + account lockout policy using <tt>pam_faillock.so</tt>. The system must have |
| 8 | + either the <tt>even_deny_root</tt> option enabled or <tt>root_unlock_time</tt> |
| 9 | + set to <tt>{{{xccdf_value("var_accounts_passwords_pam_faillock_root_unlock_time") }}}</tt> |
| 10 | + seconds or greater in <tt>{{{ pam_faillock_conf_path }}}</tt>. |
| 11 | +
|
| 12 | + pam_faillock.so module requires multiple entries in pam files. These entries must be carefully |
| 13 | + defined to work as expected. In order to avoid errors when manually editing these files, it is |
| 14 | + recommended to use the appropriate tools, such as <tt>authselect</tt> or <tt>authconfig</tt>, |
| 15 | + depending on the OS version. |
| 16 | +
|
| 17 | +rationale: >- |
| 18 | + By limiting the number of failed logon attempts, the risk of unauthorized system access via |
| 19 | + user password guessing, also known as brute-forcing, is reduced. Limits are imposed by locking |
| 20 | + the account. |
| 21 | +
|
| 22 | +severity: medium |
| 23 | + |
| 24 | +identifiers: |
| 25 | + cce@rhel8: CCE-86629-3 |
| 26 | + cce@rhel9: CCE-86630-1 |
| 27 | + cce@rhel10: CCE-86631-9 |
| 28 | + |
| 29 | +platform: package[pam] |
| 30 | + |
| 31 | +ocil_clause: 'neither "even_deny_root" is set nor "root_unlock_time" is set to {{{ xccdf_value("var_accounts_passwords_pam_faillock_root_unlock_time") }}} or greater' |
| 32 | + |
| 33 | +ocil: >- |
| 34 | + Verify {{{ full_name }}} is configured to include the root account in the account lockout |
| 35 | + policy with the command: |
| 36 | +
|
| 37 | + <pre>$ grep -E 'even_deny_root|root_unlock_time' {{{ pam_faillock_conf_path }}}</pre> |
| 38 | +
|
| 39 | + The output should show either: |
| 40 | + <pre>even_deny_root</pre> |
| 41 | + or: |
| 42 | + <pre>root_unlock_time = <value></pre> |
| 43 | + where <tt><value></tt> is <tt>{{{ xccdf_value("var_accounts_passwords_pam_faillock_root_unlock_time") }}}</tt> or greater. |
| 44 | +
|
| 45 | +warnings: |
| 46 | + - general: >- |
| 47 | + If the system relies on <tt>authselect</tt> tool to manage PAM settings, the remediation |
| 48 | + will also use <tt>authselect</tt> tool. However, if any manual modification was made in |
| 49 | + PAM files, the <tt>authselect</tt> integrity check will fail and the remediation will be |
| 50 | + aborted in order to preserve intentional changes. In this case, an informative message will |
| 51 | + be shown in the remediation report. |
| 52 | + If the system supports the <tt>{{{ pam_faillock_conf_path }}}</tt> file, the pam_faillock |
| 53 | + parameters should be defined in <tt>faillock.conf</tt> file. |
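Review bot: the OCIL check on line 37, `grep -E 'even_deny_root|root_unlock_time' {{{ pam_faillock_conf_path }}}`, also matches commented-out entries, so a default faillock.conf that ships these options as commented examples would produce output that looks like a pass even though neither option is active; anchor the pattern to the start of an uncommented line, e.g. `grep -E '^\s*(even_deny_root|root_unlock_time)' {{{ pam_faillock_conf_path }}}`, so the output described on lines 39-43 reflects only effective settings. While here, line 9 writes `{{{xccdf_value(...) }}}` without the space after the opening braces that lines 31 and 43 use; make the Jinja spacing consistent, and line 12 should read "The pam_faillock.so module requires ...".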