dccce1d5cc
This patch gets the docs adjusted to work with the new RHEL 7 STIG version 1 release. The new STIG release has changed all of the numbering, but it maintains a link to (most) of the old STIG IDs in the XML. Closes-bug: 1676865 Change-Id: I65023fe63163c9804a3aec9dcdbf23c69bedb604
1.6 KiB
---id: V-71945 status: opt-in - Red Hat Only tag: auth ---
The STIG requires that accounts with excessive failed login attempts are locked. It sets a limit of three failed attempts in a 15 minute interval and these restrictions are applied to all users (including root). Accounts cannot be automatically unlocked for seven days.
This change might cause disruptions in production environments without proper communication to users. Therefore, this change is not applied by default.
Deployers can opt in for the change by setting the following variable:
security_pam_faillock_enable: yesThere are also three configuration options that can be adjusted by setting Ansible variables:
security_pam_faillock_attempts: This many failed login attempts within the specified time interval with trigger the account to lock. (STIG requirement:3attempts)security_pam_faillock_interval: This is the time interval (in seconds) to use when measuring excessive failed login attempts. (STIG requirement:900seconds)security_pam_faillock_deny_root: Set toyesto apply the restriction to the root user or set tonoto exempt the root user from the account locking restrictions. (STIG requirement:yes)security_pam_faillock_unlock_time: This sets the time delay (in seconds) before a locked account is automatically unlocked. (STIG requirement:604800seconds)
Note
Ubuntu does not provide pam_faillock. This change is
only applied to CentOS 7 or Red Hat Enterprise Linux 7 systems.