RedHat9 Enterprise linux hardening with pam.d
Hi,
I want to do RHEL9 Linux hardening on unlock_time=600 and retry=5 (ID 5.5.1). However, it will overwrite the content if I use the authselect command and manually modify the files /etc/pam.d/system-auth and /etc/pam.d/password-auth.
Could someone help with this issue?
Check current profile
Enable faillock with sssd profile
Modify /etc/pam.d/system-auth and password-auth and Test authselect apply-changes command
Will use backup to overwrite current content
https://forum.linuxfoundation.org/discussion/859552/lab-9-2-locking-accounts-after-excessive-login-attempts
Reference: https://static.open-scap.org/ssg-guides/ssg-rhel9-guide-cis_server_l1.html#xccdf_org.ssgproject.content_rule_accounts_passwords_pam_faillock_deny
Refer https://www.golinuxcloud.com/pam-faillock-lock-user-account-linux/
Verify the file with line “pam_faillock.so” with parameter “deny=5”
/etc/pam.d/system-auth
/etc/pam.d/password-auth
account lockout time: 10 mins
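The verification step in the post, written out as an added example that is not part of the original post: a shell check that reports the effective `deny` and `unlock_time` for a PAM file, reading arguments on the `pam_faillock.so` lines first and falling back to a `faillock.conf`-style file. The function names and the sample files are constructed for illustration; the targets (5 and 600) are the values from the post.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample data is constructed.

# Print the effective value of KEY ($2): a pam_faillock.so module argument in
# PAM file $1 wins; otherwise fall back to the faillock.conf-style file $3.
faillock_setting() {
    pam_file=$1 key=$2 conf=$3
    val=$(awk -v k="$key" '
        /^[ \t]*#/ { next }
        /pam_faillock\.so/ {
            for (i = 1; i <= NF; i++)
                if (index($i, k "=") == 1) { print substr($i, length(k) + 2); exit }
        }' "$pam_file")
    if [ -z "$val" ] && [ -r "$conf" ]; then
        val=$(awk -v k="$key" '
            /^[ \t]*#/ { next }
            { line = $0; gsub(/[ \t]/, "", line)
              if (index(line, k "=") == 1) { print substr(line, length(k) + 2); exit } }' "$conf")
    fi
    printf '%s\n' "$val"
}

# Return 0 only if PAM file $1 uses pam_faillock.so and the effective
# deny / unlock_time match the targets from the post (5 and 600).
faillock_check() {
    pam_file=$1 conf=$2
    grep -Eq '^[[:space:]]*(auth|account)[[:space:]].*pam_faillock\.so' "$pam_file" || {
        echo "$pam_file: pam_faillock.so not enabled"; return 1; }
    deny=$(faillock_setting "$pam_file" deny "$conf")
    unlock=$(faillock_setting "$pam_file" unlock_time "$conf")
    [ "$deny" = 5 ] && [ "$unlock" = 600 ] && return 0
    echo "$pam_file: deny=${deny:-unset} unlock_time=${unlock:-unset}"
    return 1
}

# Constructed sample: PAM lines without inline arguments, settings kept in a
# faillock.conf-style file.
demo() {
    d=$(mktemp -d)
    printf '%s\n' \
        'auth required pam_faillock.so preauth silent' \
        'auth required pam_faillock.so authfail' \
        'account required pam_faillock.so' > "$d/system-auth"
    printf '%s\n' '# constructed' 'deny = 5' 'unlock_time = 600' > "$d/faillock.conf"
    faillock_check "$d/system-auth" "$d/faillock.conf"; rc=$?
    rm -rf "$d"; return $rc
}
```

On a host, run `faillock_check` against /etc/pam.d/system-auth and /etc/pam.d/password-auth with /etc/security/faillock.conf as the second argument.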
Responses