CME-803

Account Lockout Policy (pam_faillock)

Description

Locks a user account after a configurable number of consecutive failed authentication attempts (deny) occurring within a time window (fail_interval, default 900 s), and keeps it locked for unlock_time seconds. This caps online password guessing against any single account; it does nothing against offline attacks on captured hashes. The tally is kept per user under /var/run/faillock and can be inspected or cleared with faillock(8). The lockout duration is part of the policy: unlock_time = 0 means the lock never expires until an administrator resets it, which lets an attacker who knows a username deny that user service at will.

CVSS Vector Impacts

Metric                   Transition   Rationale
Attack Complexity (AC)   L -> H       Online guessing is capped at N (deny) attempts per window before the account locks for unlock_time

CWE Relationships

Verification

Check that pam_faillock is in the PAM stack. On RHEL 8+ sshd uses password-auth rather than system-auth, so check both files, and look for uncommented preauth, authfail and account lines:

$ grep -E '^\s*(auth|account)\s.*pam_faillock\.so' /etc/pam.d/system-auth /etc/pam.d/password-auth
# Expected: in each file an auth line with pam_faillock.so preauth, an auth line with pam_faillock.so authfail, and an account line with pam_faillock.so
Platform: rhel

Check the effective threshold, ignoring commented-out lines. If deny is absent the module default of 3 applies, and any parameters given on the pam_faillock.so line itself override the file:

$ grep -E '^\s*(deny|unlock_time|fail_interval)\s*=' /etc/security/faillock.conf
# Expected: deny = 5, with a non-zero unlock_time
Platform: rhel

Check the policy is actually being enforced by inspecting an account's tally:

$ faillock --user <username>
# Expected: the failures recorded for that account (empty if none); faillock --user <username> --reset clears them
Platform: rhel
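The checks above as a script, added here as a worked example rather than code from the CME catalog. It evaluates a faillock.conf and a PAM service file the way the module does (commented lines ignored, later keys overriding earlier ones, module defaults of deny = 3 and unlock_time = 600 when a key is absent) and flags the two failure modes the description calls out: a deny above the policy threshold and an unlock_time of 0. The sample files are constructed for the demonstration and written to a temporary directory; the function names and thresholds (5 attempts, 900 s) are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the CME catalog: audit a RHEL 8+ style
# pam_faillock lockout policy from its config files, ignoring commented-out
# lines. All sample files below are constructed for the demonstration.

# Effective value of KEY in a faillock.conf-style file. Only uncommented
# "key = value" lines count, and a later line overrides an earlier one.
faillock_value() { # $1 = conf file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | tail -n 1
}

# deny must be an integer no larger than $2 (default 5). An unset deny falls
# back to the module default of 3, so only an explicit large value fails.
faillock_deny_ok() { # $1 = conf file, $2 = max allowed deny
    deny=$(faillock_value "$1" deny); deny=${deny:-3}
    case $deny in ''|*[!0-9]*) return 1 ;; esac
    [ "$deny" -le "${2:-5}" ]
}

# unlock_time must be at least $2 seconds (default 900). An unset value means
# the module default of 600. 0 means the lock never expires, which turns the
# policy into a denial-of-service lever against any guessable username.
faillock_unlock_time_ok() { # $1 = conf file, $2 = minimum seconds
    t=$(faillock_value "$1" unlock_time); t=${t:-600}
    case $t in ''|*[!0-9]*) return 1 ;; esac
    [ "$t" -ge "${2:-900}" ]
}

# PAM stack check: uncommented preauth, authfail and account lines for
# pam_faillock.so must all be present in the service file.
pam_faillock_ok() { # $1 = pam service file, e.g. /etc/pam.d/password-auth
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_faillock\.so.*preauth' "$1" &&
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_faillock\.so.*authfail' "$1" &&
    grep -Eq '^[[:space:]]*account[[:space:]].*pam_faillock\.so' "$1"
}

# Constructed sample files (not copied from a real host).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/faillock.conf" <<'EOF'
# Constructed sample /etc/security/faillock.conf
# deny = 10     <- commented out; must not count
deny = 5
unlock_time = 900
silent
EOF

cat > "$SAMPLE_DIR/faillock-weak.conf" <<'EOF'
# Constructed weak sample: threshold too high, lock never expires
deny = 20
unlock_time = 0
EOF

cat > "$SAMPLE_DIR/password-auth" <<'EOF'
# Constructed sample /etc/pam.d/password-auth with faillock enabled
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent
auth        sufficient    pam_unix.so nullok
auth        required      pam_faillock.so authfail
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
EOF

cat > "$SAMPLE_DIR/password-auth-nofaillock" <<'EOF'
# Constructed sample with the faillock lines commented out
auth        required      pam_env.so
#auth       required      pam_faillock.so preauth silent
auth        sufficient    pam_unix.so nullok
account     required      pam_unix.so
EOF

# One-line verdict per check; always returns 0 so it is safe under set -e.
report() { # $1 = faillock.conf, $2 = pam service file
    if faillock_deny_ok "$1" 5;          then echo "PASS deny <= 5          $1"; else echo "FAIL deny > 5           $1"; fi
    if faillock_unlock_time_ok "$1" 900; then echo "PASS unlock_time >= 900 $1"; else echo "FAIL unlock_time        $1"; fi
    if pam_faillock_ok "$2";             then echo "PASS pam stack          $2"; else echo "FAIL pam stack          $2"; fi
    return 0
}

report "$SAMPLE_DIR/faillock.conf"      "$SAMPLE_DIR/password-auth"
report "$SAMPLE_DIR/faillock-weak.conf" "$SAMPLE_DIR/password-auth-nofaillock"
```

To audit a live host, call the three check functions with /etc/security/faillock.conf and both /etc/pam.d/system-auth and /etc/pam.d/password-auth; remember that options written on the pam_faillock.so line itself override the file, so a clean faillock.conf does not by itself prove the effective deny value.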