The Ubuntu operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts have been made.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
| V-238235 | UBTU-20-010072 | SV-238235r1069092_rule | CCI-000044 | low |
| Description | ||||
| By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. Satisfies: SRG-OS-000329-GPOS-00128, SRG-OS-000021-GPOS-00005 | ||||
| STIG | Date | |||
| Canonical Ubuntu 20.04 LTS Security Technical Implementation Guide | 2025-05-16 | |||
Related Frameworks
3 paths across 3 frameworks
Related Frameworks
NIST 800-531 mapping
AC-7
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1711 mapping
3.1.8
1.00
- DISA · 2 · disa_xccdf · related
- DISA · 2025-01-23 · disa_cci_list · equivalent
- NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000044
1.00
- DISA · 2 · disa_xccdf · related
Details
Check Text (C-238235r1069092_chk)
Verify the Ubuntu operating system utilizes the "pam_faillock" module with the following command:
$ grep faillock /etc/pam.d/common-auth
auth [default=die] pam_faillock.so authfail
auth sufficient pam_faillock.so authsucc
If the pam_faillock.so module is not present in the "/etc/pam.d/common-auth" file, this is a finding.
Verify the pam_faillock module is configured to use the following options:
$ sudo egrep 'silent|audit|deny|fail_interval|unlock_time' /etc/security/faillock.conf
audit
silent
deny = 3
fail_interval = 900
unlock_time = 0
If the "silent" keyword is missing or commented out, this is a finding.
If the "audit" keyword is missing or commented out, this is a finding.
If the "deny" keyword is missing, commented out, or set to a value greater than "3", this is a finding.
If the "fail_interval" keyword is missing, commented out, or set to a value greater than "900", this is a finding.
If the "unlock_time" keyword is missing, commented out, or not set to "0", this is a finding.
Fix Text (F-41404r802382_fix)
Configure the Ubuntu operating system to utilize the "pam_faillock" module.
Edit the /etc/pam.d/common-auth file.
Add the following lines below the "auth" definition for pam_unix.so:
auth [default=die] pam_faillock.so authfail
auth sufficient pam_faillock.so authsucc
Configure the "pam_faillock" module to use the following options:
Edit the /etc/security/faillock.conf file and add/update the following keywords and values:
audit
silent
deny = 3
fail_interval = 900
unlock_time = 0