accounts_passwords_pam_fail_interval and accounts_passwords_pam_faillock_unlock_time have bad description
The description needs to be changed in these from currently telling the user to put them under pam_env.so to under pam_unix.so. Also there are a number of things you have to do, and I'll walk through this example so you can see.

Normal PAM system-auth file (the same applies to the password-auth file):

    auth required                pam_env.so
    auth [success=1 default=bad] pam_unix.so
    auth [default=die]           pam_faillock.so authfail deny=3 even_deny_root unlock_time=604800 fail_interval=900
    auth sufficient              pam_faillock.so authsucc deny=3 even_deny_root unlock_time=604800 fail_interval=900
    auth requisite               pam_succeed_if.so uid >= 500 quiet
    auth required                pam_deny.so

First things first: you must skip the authfail on a successful login, and set default equal to bad. The faillock authfail will ALWAYS lock the user out if run, which is why if you follow the guidance, you'll brick your machine. So pam_unix.so must be set to [success=1 default=bad].

Second, pam_faillock.so authsucc must be set to sufficient, and always placed before pam_deny. Your description currently says required, but you've got to alter unix.so to fall through on success instead of simply being sufficient, so now pam_faillock.so authsucc has to be sufficient to pick up the slack.

The test for this is also going to have to be rewritten as well.

-jj-

--
SCAP Security Guide mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/scap-security-guide
https://github.com/OpenSCAP/scap-security-guide/
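An added example, not code from jj's post or from the SCAP Security Guide project: a small simulator of Linux-PAM control-flag handling, run over the auth stack quoted above, to show why a correct password must skip authfail and why authsucc has to be sufficient. Module behaviour (pam_unix as a password check, faillock's tally) is modelled in a few lines rather than calling the real modules, and the control-flag rules follow the actions documented in pam.conf(5) (ok, done, bad, die, ignore, skip-N).

```python
# Added example (not from the post or SSG): toy Linux-PAM control-flag simulator
# run over the auth stack quoted above; module behaviour is modelled, not real.
from collections import Counter

STACK = [  # (module, control, args): the post's auth lines, args shortened
    ("pam_env", "required", ""),
    ("pam_unix", "[success=1 default=bad]", ""),
    ("pam_faillock", "[default=die]", "authfail deny=3"),
    ("pam_faillock", "sufficient", "authsucc deny=3"),
    ("pam_succeed_if", "requisite", "uid >= 500"),
    ("pam_deny", "required", ""),
]
tally = Counter()  # per-user failure count (stands in for faillock's tally dir)

def run_module(name, args, user, password_ok, uid):
    """Return True for PAM_SUCCESS, False for any failure code."""
    if name == "pam_faillock" and args.startswith("authfail"):
        tally[user] += 1       # authfail ALWAYS records a failure and fails
        return False
    if name == "pam_faillock":  # authsucc: fail if locked, else reset the tally
        deny = int(args.split("deny=")[1].split()[0])
        locked = tally[user] >= deny
        if not locked: tally[user] = 0
        return not locked
    if name == "pam_unix": return password_ok
    if name == "pam_succeed_if": return uid >= 500
    return name == "pam_env"   # pam_env succeeds, pam_deny always fails

def parse_control(control):
    """Map required/requisite/sufficient or [success=.. default=..] to actions."""
    table = {"required": {"success": "ok", "default": "bad"},
             "requisite": {"success": "ok", "default": "die"},
             "sufficient": {"success": "done", "default": "ignore"}}
    if control in table: return table[control]
    return dict(kv.split("=") for kv in control.strip("[]").split())

def authenticate(user, password_ok, uid=1000, stack=STACK):
    """Walk the stack the way libpam does; True means auth was granted."""
    failed, i = False, 0
    while i < len(stack):
        name, control, args = stack[i]
        ok = run_module(name, args, user, password_ok, uid)
        act = parse_control(control)
        action = act.get("success" if ok else "default") or act.get("default", "bad")
        i += 1
        if action.isdigit(): i += int(action)   # success=N: skip next N modules
        elif action == "bad": failed = True     # remember failure, keep going
        elif action == "die": return False      # fail immediately
        elif action == "done" and not failed: return True  # sufficient
    return not failed
```

Swapping pam_unix's control to plain `required` in `STACK` lets authfail run on a correct password too, and the simulator then denies (and counts) every login, which is the lock-out the post warns about.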
