The Ubuntu operating system must be configured so that three consecutive invalid logon attempts by a user automatically locks the account until released by an administrator.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-219166	UBTU-18-010033	SV-219166r853369_rule		Medium

Description
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account. Satisfies: SRG-OS-000329-GPOS-00128

STIG	Date
Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide	2023-09-08

Details

Check Text ( C-20891r802353_chk )
Verify that the Ubuntu operating system utilizes the "pam_faillock" module with the following command: $ grep faillock /etc/pam.d/common-auth auth [default=die] pam_faillock.so authfail auth sufficient pam_faillock.so authsucc If the pam_faillock.so module is not present in the "/etc/pam.d/common-auth" file, this is a finding. Verify the pam_faillock module is configured to use the following options: $ sudo egrep 'silent\|audit\|deny\|fail_interval\| unlock_time' /etc/security/faillock.conf audit silent deny = 3 fail_interval = 900 unlock_time = 0 If the "silent" keyword is missing or commented out, this is a finding. If the "audit" keyword is missing or commented out, this is a finding. If the "deny" keyword is missing, commented out, or set to a value greater than 3, this is a finding. If the "fail_interval" keyword is missing, commented out, or set to a value greater than 900, this is a finding. If the "unlock_time" keyword is missing, commented out, or is not set to 0, this is a finding.

Check Text ( C-20891r802353_chk )

Verify that the Ubuntu operating system utilizes the "pam_faillock" module with the following command:
$ grep faillock /etc/pam.d/common-auth

auth [default=die] pam_faillock.so authfail
auth sufficient pam_faillock.so authsucc

If the pam_faillock.so module is not present in the "/etc/pam.d/common-auth" file, this is a finding.

Verify the pam_faillock module is configured to use the following options:
$ sudo egrep 'silent|audit|deny|fail_interval| unlock_time' /etc/security/faillock.conf

audit
silent
deny = 3
fail_interval = 900
unlock_time = 0

If the "silent" keyword is missing or commented out, this is a finding.
If the "audit" keyword is missing or commented out, this is a finding.
If the "deny" keyword is missing, commented out, or set to a value greater than 3, this is a finding.
If the "fail_interval" keyword is missing, commented out, or set to a value greater than 900, this is a finding.
If the "unlock_time" keyword is missing, commented out, or is not set to 0, this is a finding.

Fix Text (F-20890r802354_fix)
Configure the Ubuntu operating system to utilize the "pam_faillock" module. Edit the /etc/pam.d/common-auth file. Add the following lines below the "auth" definition for pam_unix.so: auth [default=die] pam_faillock.so authfail auth sufficient pam_faillock.so authsucc Configure the "pam_faillock" module to use the following options: Edit the /etc/security/faillock.conf file and add/update the following keywords and values: audit silent deny = 3 fail_interval = 900 unlock_time = 0

Fix Text (F-20890r802354_fix)

Configure the Ubuntu operating system to utilize the "pam_faillock" module.

Edit the /etc/pam.d/common-auth file.

Add the following lines below the "auth" definition for pam_unix.so:
auth [default=die] pam_faillock.so authfail
auth sufficient pam_faillock.so authsucc

Configure the "pam_faillock" module to use the following options:

Edit the /etc/security/faillock.conf file and add/update the following keywords and values:
audit
silent
deny = 3
fail_interval = 900
unlock_time = 0