Ubuntu 22.04 LTS must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts have been made.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-260549 | UBTU-22-411045 | SV-260549r958388_rule | Low |
| Description |
| By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128 |
| STIG | Date |
| Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide | 2025-05-16 |
Details
| Check Text (C-64278r953458_chk) |
| Verify that Ubuntu 22.04 LTS utilizes the "pam_faillock" module by using the following command: $ grep faillock /etc/pam.d/common-auth auth [default=die] pam_faillock.so authfail auth sufficient pam_faillock.so authsucc If the "pam_faillock.so" module is not present in the "/etc/pam.d/common-auth" file, this is a finding. Verify the "pam_faillock" module is configured to use the following options: $ sudo grep -Ew 'silent|audit|deny|fail_interval|unlock_time' /etc/security/faillock.conf audit silent deny = 3 fail_interval = 900 unlock_time = 0 If "audit" is commented out, or is missing, this is a finding. If "silent" is commented out, or is missing, this is a finding. If "deny" is set to a value greater than "3", is commented out, or is missing, this is a finding. If "fail_interval" is set to a value greater than "900", is commented out, or is missing, this is a finding. If "unlock_time" is not set to "0", is commented out, or is missing, this is a finding. |
| Fix Text (F-64186r953459_fix) |
| Configure Ubuntu 22.04 LTS to utilize the "pam_faillock" module. Add or modify the following lines in the "/etc/pam.d/common-auth" file, below the "auth" definition for "pam_unix.so": auth [default=die] pam_faillock.so authfail auth sufficient pam_faillock.so authsucc Configure the "pam_faillock" module to use the following options. Add or modify the following lines in the "/etc/security/faillock.conf" file: audit silent deny = 3 fail_interval = 900 unlock_time = 0 |