/
rule.yml
41 lines (26 loc) · 1.33 KB
/
rule.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
documentation_complete: true
title: 'Account Lockouts Must Persist'
description: |-
By setting a `dir` in the faillock configuration account lockouts will persist across reboots.
rationale: |
Having lockouts persist across reboots ensures that account is only unlocked by an administrator.
If the lockouts did not persist across reboots an attack could simply reboot the system to continue brute force attacks against the accounts on the system.
severity: medium
identifiers:
cce@rhel8: CCE-86079-1
cce@rhel9: CCE-86080-9
references:
disa: CCI-000044
nist: 'AC-7 (a)'
ocil_clause: 'the "dir" option is not set to a non-default documented tally log directory, is missing or commented out'
ocil: |-
Verify the "/etc/security/faillock.conf" file is configured use a non-default faillock directory to ensure contents persist after reboot:
$ sudo grep 'dir =' /etc/security/faillock.conf
dir = /var/log/faillock
fixtext: |-
Configure {{{ full_name }}} maintain the contents of the faillock directory after a reboot.
Add/Modify the "/etc/security/faillock.conf" file to match the following line:
dir = /var/log/faillock
srg_requirement: '{{{ full_name }}} must ensure account lockouts persist.'
warnings:
{{{ warning_rule_deprecated_by("accounts_passwords_pam_faillock_dir", "0.1.65") | indent(4) }}}