Security scanner shows a finding even though pam_faillock is enabled
Issue
- Security scanners such as Nessus or OpenSCAP flag pam_faillock as non-compliant:
  - V-244533
  - V-244534
- The pam_faillock module has been added to /etc/pam.d/password-auth and /etc/pam.d/system-auth at line 2 and line 4, in accordance with Product Documentation: 4.1.2. Account Locking:

  1 auth required pam_env.so
  2 auth required pam_faillock.so preauth silent audit deny=3 unlock_time=600
  3 auth sufficient pam_unix.so nullok try_first_pass
  4 auth [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
  5 auth requisite pam_succeed_if.so uid >= 1000 quiet_success
  6 auth required pam_deny.so
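When a scanner keeps reporting V-244533/V-244534 against a stack like the one above, the first thing to establish is what pam_faillock.so lines the file actually contains, in which phase (auth or account), with which control flag, and in what order relative to pam_unix.so. The script below is an added example, not Red Hat code and not the scanner's own check logic: it parses a PAM stack, lists every pam_faillock.so entry, and reports two structural properties (whether an auth-phase `preauth` line precedes pam_unix.so, and whether an account-phase pam_faillock.so line exists). SAMPLE_STACK is a constructed copy of the six lines quoted in the Issue; the function names are this example's own. Whether either property is what the scanner requires is not stated in this excerpt, so compare the output against the published check text for the two rule IDs rather than treating the script's output as a compliance verdict.

```shell
#!/bin/bash
# Added example (not Red Hat code, not the scanner's check): list the
# pam_faillock.so entries in a PAM stack and report two structural properties
# a reviewer of V-244533/V-244534 findings would want to see.

# Constructed copy of the six-line stack quoted in the Issue section. In
# practice pass "$(cat /etc/pam.d/system-auth)" and password-auth instead.
SAMPLE_STACK='auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent audit deny=3 unlock_time=600
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail audit deny=3 unlock_time=600
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so'

# pam_normalize STACK: print each non-comment line as "type|control|module|args".
# A bracketed control that contains spaces ("[default=die ignore=ignore]") is
# re-joined so that the module name is always the third field.
pam_normalize() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        {
            ptype = $1; sub(/^-/, "", ptype)        # "-auth" marks an optional module
            ctl = $2; i = 2
            if (ctl ~ /^\[/) {
                while (ctl !~ /\]$/ && i < NF) { i++; ctl = ctl " " $i }
            }
            mod = $(i + 1)
            args = ""
            for (j = i + 2; j <= NF; j++) args = (args == "" ? $j : args " " $j)
            printf "%s|%s|%s|%s\n", ptype, ctl, mod, args
        }'
}

# faillock_entries STACK: "type control first-argument" for every pam_faillock.so line.
faillock_entries() {
    pam_normalize "$1" | awk -F'|' '$3 == "pam_faillock.so" {
        n = split($4, a, " "); printf "%s %s %s\n", $1, $2, (n ? a[1] : "-") }'
}

# faillock_preauth_before_unix STACK: succeed only if an auth-phase
# "pam_faillock.so preauth" line precedes the first auth-phase pam_unix.so line.
faillock_preauth_before_unix() {
    pam_normalize "$1" | awk -F'|' '
        $1 == "auth" && $3 == "pam_faillock.so" && $4 ~ /^preauth( |$)/ { pre = 1 }
        $1 == "auth" && $3 == "pam_unix.so" { ok = pre; exit }
        END { exit (ok ? 0 : 1) }'
}

# faillock_account_line STACK: succeed if pam_faillock.so also appears in the account phase.
faillock_account_line() {
    pam_normalize "$1" | awk -F'|' '
        $1 == "account" && $3 == "pam_faillock.so" { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# faillock_report STACK: human-readable summary of the checks above.
faillock_report() {
    echo "pam_faillock.so entries (type control first-argument):"
    faillock_entries "$1" | sed 's/^/  /'
    if faillock_preauth_before_unix "$1"; then
        echo "auth-phase preauth line before pam_unix.so: yes"
    else
        echo "auth-phase preauth line before pam_unix.so: no"
    fi
    if faillock_account_line "$1"; then
        echo "account-phase pam_faillock.so line: present"
    else
        echo "account-phase pam_faillock.so line: absent"
    fi
}

faillock_report "$SAMPLE_STACK"
```

On RHEL 8 and 9 /etc/pam.d/system-auth and /etc/pam.d/password-auth are normally generated by authselect, so run the report against the files that are actually in place (for example `faillock_report "$(cat /etc/pam.d/system-auth)"`) and repeat it for password-auth, since both files are named in the Issue. For the quoted stack the report lists an `auth required ... preauth` entry and an `auth [default=die] ... authfail` entry, confirms the preauth line sits before pam_unix.so, and shows no account-phase pam_faillock.so line.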
Environment
- Red Hat Enterprise Linux 8
- Red Hat Enterprise Linux 9
- Pluggable Authentication Modules (PAM)
- faillock / pam_faillock