
NixOS must enforce the limit of three consecutive invalid login attempts by a user during a 15-minute time period.

Overview

Finding ID: V-268081
Version: ANIX-00-000040
Rule ID: SV-268081r1039549_rule
IA Controls: (none listed)
Severity: Medium
Description
By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.

Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128, SRG-OS-000470-GPOS-00214

STIG: Anduril NixOS Security Technical Implementation Guide
Date: 2024-10-25

Details

Check Text (C-72005r1039547_chk)
Verify that NixOS locks an account after three unsuccessful login attempts within 15 minutes with the following commands:

$ cat /etc/pam.d/login

auth required pam_faillock.so preauth deny=3 even_deny_root fail_interval=900 unlock_time=0 dir=/var/log/faillock

If the "fail_interval" option is not set to "900" or less (but not "0") on the "preauth" lines with the "pam_faillock" module, or is missing from this line, this is a finding.
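The check above can be scripted. The following POSIX shell function is an added example, not part of the STIG text: it reads a PAM service file and applies the rule to every uncommented pam_faillock "preauth" line (deny of 3 or fewer, and fail_interval set to a value from 1 to 900). The file path is the only input it assumes.

```shell
#!/bin/sh
# Added example, not part of the STIG: automates the V-268081 check by reading a
# PAM service file and validating every pam_faillock "preauth" line against the
# rule (deny of 3 or fewer, fail_interval of 1..900 seconds).
# Usage: check_faillock_preauth /etc/pam.d/login   (exit 0 = pass, 1 = finding)
check_faillock_preauth() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    found=0
    status=0
    # Only uncommented "auth" lines that load pam_faillock in preauth mode count.
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        found=1
        deny=$(printf '%s\n' "$line" | grep -oE 'deny=[0-9]+' | head -n 1 | cut -d= -f2)
        interval=$(printf '%s\n' "$line" | grep -oE 'fail_interval=[0-9]+' | head -n 1 | cut -d= -f2)
        if [ -z "$deny" ] || [ "$deny" -eq 0 ] || [ "$deny" -gt 3 ]; then
            echo "FINDING: deny must be 1..3, got '${deny:-missing}' in: $line"
            status=1
        fi
        # The rule allows 900 or less, but a value of 0 disables the window.
        if [ -z "$interval" ] || [ "$interval" -eq 0 ] || [ "$interval" -gt 900 ]; then
            echo "FINDING: fail_interval must be 1..900, got '${interval:-missing}' in: $line"
            status=1
        fi
    done <<EOF
$(grep -E '^[[:space:]]*auth[[:space:]].*pam_faillock\.so.*[[:space:]]preauth' "$file" || true)
EOF
    if [ "$found" -eq 0 ]; then
        echo "FINDING: no pam_faillock preauth line in $file"
        return 1
    fi
    [ "$status" -eq 0 ] && echo "PASS: $file"
    return "$status"
}
```

The same function can be pointed at /etc/pam.d/sshd, since the fix applies the identical stack to both services.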
Fix Text (F-71908r1039548_fix)
Configure NixOS to lock an account when three unsuccessful login attempts occur within 15 minutes.

Modify /etc/nixos/configuration.nix to include the following lines:

security.pam.services = let
  # Shared PAM stack: count failures before authentication (preauth), record a
  # failure when pam_unix rejects the password (authfail), and clear the
  # counter on success (authsucc).
  pamfile = ''
    auth required pam_faillock.so preauth silent audit deny=3 fail_interval=900 unlock_time=0
    auth sufficient pam_unix.so nullok try_first_pass
    auth [default=die] pam_faillock.so authfail audit deny=3 fail_interval=900 unlock_time=0
    auth sufficient pam_faillock.so authsucc

    account required pam_faillock.so
  '';
in {
  login.text = pkgs.lib.mkDefault pamfile;
  sshd.text = pkgs.lib.mkDefault pamfile;
};

Note that the entire pam file must be entered as this pamfile string.

Rebuild the NixOS configuration with the following command:

$ sudo nixos-rebuild switch