Ubuntu 24.04 LTS must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts have been made.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-270690 | UBTU-24-200610 | SV-270690r1067126_rule | Low |
| Description |
| By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128 |
| STIG | Date |
| Canonical Ubuntu 24.04 LTS Security Technical Implementation Guide | 2025-05-16 |
Details
| Check Text (C-74723r1067125_chk) |
| Verify that Ubuntu 24.04 LTS utilizes the "pam_faillock" module with the following command: $ grep faillock /etc/pam.d/common-auth auth [default=die] pam_faillock.so authfail auth sufficient pam_faillock.so authsucc If the pam_faillock.so module is not present in the "/etc/pam.d/common-auth" file, this is a finding. Verify the pam_faillock module is configured to use the following options: $ sudo egrep 'silent|audit|deny|fail_interval| unlock_time' /etc/security/faillock.conf audit silent deny = 3 fail_interval = 900 unlock_time = 0 If the "silent" keyword is missing or commented out, this is a finding. If the "audit" keyword is missing or commented out, this is a finding. If the "deny" keyword is missing, commented out, or set to a value greater than "3", this is a finding. If the "fail_interval" keyword is missing, commented out, or set to a value greater than "900", this is a finding. If the "unlock_time" keyword is missing, commented out, or not set to "0", this is a finding. |
| Fix Text (F-74624r1066558_fix) |
| Configure Ubuntu 24.04 LTS to utilize the "pam_faillock" module. Edit the /etc/pam.d/common-auth file to add the following lines below the "auth" definition for pam_unix.so: auth [default=die] pam_faillock.so authfail auth sufficient pam_faillock.so authsucc Configure the "pam_faillock" module to use the following options: Edit the /etc/security/faillock.conf file and add/update the following keywords and values: audit silent deny = 3 fail_interval = 900 unlock_time = 0 |