NixOS must enforce the limit of three consecutive invalid login attempts by a user during a 15-minute time period.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-268081 | ANIX-00-000040 | SV-268081r1039549_rule | CCI-000044 | medium |

Description

By limiting the number of failed login attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-force attacks, is reduced. Limits are imposed by locking the account.

Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128, SRG-OS-000470-GPOS-00214

| STIG | Date |
|---|---|
| Anduril NixOS Security Technical Implementation Guide | 2024-10-25 |
Details
Check Text (C-268081r1039549_chk)
Verify that NixOS locks an account after three unsuccessful login attempts within 15 minutes with the following commands:
```
$ cat /etc/pam.d/login
auth required pam_faillock.so preauth deny=3 even_deny_root fail_interval=900 unlock_time=0 dir=/var/log/faillock
```
If the "fail_interval" option on the "preauth" line of the "pam_faillock" module is missing, set to "0", or set to a value greater than "900", this is a finding.
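The check above, implemented as a small auditor (an added example, not part of the STIG): it parses a PAM stack, finds the pam_faillock preauth line(s) and reports any deny or fail_interval value that is missing, zero or above the limit. It goes slightly beyond the check text by also verifying deny, matching the rule title; the two embedded PAM stacks are constructed samples.

```python
# Constructed sample of a compliant /etc/pam.d/login (mirrors the fix text).
SAMPLE_COMPLIANT = """\
auth required pam_faillock.so preauth silent audit deny=3 fail_interval=900 unlock_time=0
auth sufficient pam_unix.so nullok try_first_pass
auth [default=die] pam_faillock.so authfail audit deny=3 fail_interval=900 unlock_time=0
auth sufficient pam_faillock.so authsucc
account required pam_faillock.so
"""

# Constructed non-compliant sample: fail_interval is missing from the preauth line.
SAMPLE_MISSING = """\
auth required pam_faillock.so preauth silent deny=3 unlock_time=0
auth sufficient pam_unix.so nullok try_first_pass
"""


def parse_pam_lines(text):
    """Parse PAM lines into (type, control, module, options) tuples; comments are
    skipped, bracketed control fields are kept whole, bare options map to ""."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 3:
            continue
        ptype, control, rest = tokens[0], tokens[1], tokens[2:]
        # A bracketed control such as [success=1 default=ignore] spans several tokens.
        while control.startswith("[") and not control.endswith("]") and rest:
            control += " " + rest.pop(0)
        if not rest:
            continue
        opts = dict(arg.partition("=")[::2] for arg in rest[1:])
        entries.append((ptype, control, rest[0], opts))
    return entries


def check_faillock(text, max_deny=3, max_interval=900):
    """Return the findings for the pam_faillock preauth line(s); [] means compliant."""
    preauth = [opts for ptype, _, module, opts in parse_pam_lines(text)
               if ptype == "auth" and module == "pam_faillock.so" and "preauth" in opts]
    if not preauth:
        return ["no pam_faillock.so preauth line in the auth stack"]
    findings = []
    for opts in preauth:
        # Each value must be present, numeric, non-zero and no larger than its limit.
        for name, limit in (("fail_interval", max_interval), ("deny", max_deny)):
            value = opts.get(name)
            if value is None:
                findings.append(f"{name} missing from preauth line")
            elif not value.isdigit() or not 1 <= int(value) <= limit:
                findings.append(f"{name}={value} is not 1..{limit}")
    return findings
```

Run it against the real file with `check_faillock(open("/etc/pam.d/login").read())`; an empty list means the check passes.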
Fix Text (F-71908r1039548_fix)
Configure NixOS to lock an account when three unsuccessful login attempts occur within 15 minutes.
Modify /etc/nixos/configuration.nix to include the following lines:
```nix
# The same PAM stack is applied to both the console login and sshd services.
security.pam.services = let pamfile = ''
  # Count failures before the password is checked; lock after 3 failures in 900 s.
  auth required pam_faillock.so preauth silent audit deny=3 fail_interval=900 unlock_time=0
  auth sufficient pam_unix.so nullok try_first_pass
  # Record a failed password attempt and stop the stack.
  auth [default=die] pam_faillock.so authfail audit deny=3 fail_interval=900 unlock_time=0
  # Reset the failure counter on a successful login.
  auth sufficient pam_faillock.so authsucc
  # Refuse access to accounts that are currently locked.
  account required pam_faillock.so
'';
in {
  # mkDefault lets a later module override the stack if needed.
  login.text = pkgs.lib.mkDefault pamfile;
  sshd.text = pkgs.lib.mkDefault pamfile;
};
```

Note that setting `text` replaces the whole generated PAM file for that service, so the pamfile string must contain every line the service needs, not just the faillock entries.
Rebuild the NixOS configuration with the following command:
```
$ sudo nixos-rebuild switch
```