f422da8599
Add support for the openSUSE Leap distributions. The security rules are similar to the RedHat and Ubuntu ones. We also replace ansible_os_family with ansible_pkg_mgr since the former does not return consistent results across different SUSE distributions especially on older Ansible versions. Change-Id: I20ffe17039bb641aad70d8123f0b7e7417a42cba
1.6 KiB
---id: V-71945 status: opt-in - Red Hat Only tag: auth ---
The STIG requires that accounts with excessive failed login attempts are locked. It sets a limit of three failed attempts in a 15 minute interval and these restrictions are applied to all users (including root). Accounts cannot be automatically unlocked for seven days.
This change might cause disruptions in production environments without proper communication to users. Therefore, this change is not applied by default.
Deployers can opt in for the change by setting the following variable:
security_pam_faillock_enable: yesThere are also three configuration options that can be adjusted by setting Ansible variables:
security_pam_faillock_attempts: This many failed login attempts within the specified time interval with trigger the account to lock. (STIG requirement:3attempts)security_pam_faillock_interval: This is the time interval (in seconds) to use when measuring excessive failed login attempts. (STIG requirement:900seconds)security_pam_faillock_deny_root: Set toyesto apply the restriction to the root user or set tonoto exempt the root user from the account locking restrictions. (STIG requirement:yes)security_pam_faillock_unlock_time: This sets the time delay (in seconds) before a locked account is automatically unlocked. (STIG requirement:604800seconds)
Note
Ubuntu, openSUSE Leap and SUSE Linux Enterprise 12 do not provide
pam_faillock. This change is only applied to CentOS 7 or
Red Hat Enterprise Linux 7 systems.