Public bug reported:
Source: CIS_Ubuntu_Linux_20.04_LTS_Benchmark_v1.1.0.pdf
Link: https://workbench.cisecurity.org/files/3228 (download PDF)
cis-audit level2_server fails on rule_CIS-5.3.2 but passes all manual checks.
===================
Title Ensure lockout for failed password attempts is configured
Rule xccdf_com.ubuntu.focal.cis_rule_CIS-5.3.2
Result fail
===================
5.4.2 Ensure lockout for failed password attempts is configured
(xccdf_com.ubuntu.focal.cis_rule_CIS-5.3.2)
Please note that with CIS_Ubuntu_Linux_20.04_LTS_Benchmark_v1.1.0 by CIS
the numbering is no longer aligned to the xccdf file with
xccdf_com.ubuntu.focal.cis_rule_CIS-5.3.2.
===================
Procedure:
Verify password lockouts are configured. These settings are commonly configured
with the pam_tally2.so modules found in /etc/pam.d/common-auth:
# grep "pam_tally2" /etc/pam.d/common-auth
Expected result:
auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900
Actual result:
auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900
===================
NEXT
Verify the pam_deny.so module and pam_tally2.so modules are included in
/etc/pam.d/common-account:
# grep -E "pam_(tally2|deny)\.so" /etc/pam.d/common-account
Expected result:
account requisite pam_deny.so
account required pam_tally2.so 0
Actual result:
account requisite pam_deny.so
account required pam_tally2.so
===================
No errors or events within the logs.
===================
OS Version (lsb_release)
Description: Ubuntu 20.04.3 LTS
Release: 20.04
Codename: focal
UA Version
27.2.2~20.04.1
ua status
SERVICE       ENTITLED  STATUS    DESCRIPTION
cis           yes       enabled   Center for Internet Security Audit Tools
esm-infra     yes       enabled   UA Infra: Extended Security Maintenance (ESM)
fips          yes       disabled  NIST-certified core packages
fips-updates  yes       disabled  NIST-certified core packages with priority security updates
livepatch     yes       enabled   Canonical Livepatch service
===================
The expected result is that it should pass, but the process fails.
** Affects: ubuntu-advantage-tools (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1942010
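The two manual checks from the report, written as a token-based check that ignores whitespace differences and commented-out lines. This is an added example, not part of the original report and not how cis-audit evaluates the rule; the function names, the sample file contents and the thresholds (deny at most 5, unlock_time at least 900, taken from the expected line) are assumptions.

```shell
#!/usr/bin/env bash
# Assumed thresholds, taken from the expected line in the report:
# deny between 1 and 5, unlock_time of at least 900 seconds.

# check_auth FILE: 0 if an active "auth required pam_tally2.so" line meets them.
# Commented-out lines never match because their first field is not "auth".
check_auth() {
    awk '
        $1 == "auth" && $2 == "required" && $3 == "pam_tally2.so" {
            deny = ""; unlock = ""
            for (i = 4; i <= NF; i++) {
                if ($i ~ /^deny=[0-9]+$/)        deny = substr($i, 6)
                if ($i ~ /^unlock_time=[0-9]+$/) unlock = substr($i, 13)
            }
            if (deny != "" && deny + 0 >= 1 && deny + 0 <= 5 &&
                unlock != "" && unlock + 0 >= 900) ok = 1
        }
        END { exit (ok ? 0 : 1) }
    ' "$1"
}

# check_account FILE: 0 if both account lines from the second check are present.
check_account() {
    awk '
        $1 == "account" && $2 == "requisite" && $3 == "pam_deny.so"   { deny = 1 }
        $1 == "account" && $2 == "required"  && $3 == "pam_tally2.so" { tally = 1 }
        END { exit ((deny && tally) ? 0 : 1) }
    ' "$1"
}

# write_samples DIR: constructed sample files (not taken from a real host).
write_samples() {
    printf 'auth\trequired  pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900\n' > "$1/auth.ok"
    printf 'auth required pam_tally2.so onerr=fail deny=10 unlock_time=60\n' > "$1/auth.weak"
    printf '# auth required pam_tally2.so deny=5 unlock_time=900\n' > "$1/auth.off"
    printf 'account requisite pam_deny.so\naccount\trequired\tpam_tally2.so\n' > "$1/account.ok"
    printf 'account required pam_tally2.so\n' > "$1/account.partial"
}

dir=$(mktemp -d)
write_samples "$dir"
for f in auth.ok auth.weak auth.off; do
    if check_auth "$dir/$f"; then echo "$f: pass"; else echo "$f: fail"; fi
done
for f in account.ok account.partial; do
    if check_account "$dir/$f"; then echo "$f: pass"; else echo "$f: fail"; fi
done
rm -rf "$dir"
```

On a real host the functions would be pointed at /etc/pam.d/common-auth and /etc/pam.d/common-account; lines using bracketed PAM control values such as `[success=1 default=ignore]` are not matched by this simple field comparison.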