Public bug reported:

Source: CIS_Ubuntu_Linux_20.04_LTS_Benchmark_v1.1.0.pdf
Link: https://workbench.cisecurity.org/files/3228 (download PDF)

cis-audit level2_server fails on rule_CIS-5.3.2 but passes all manual checks.

===================
Title   Ensure lockout for failed password attempts is configured
Rule    xccdf_com.ubuntu.focal.cis_rule_CIS-5.3.2
Result  fail
===================

5.4.2 Ensure lockout for failed password attempts is configured
(xccdf_com.ubuntu.focal.cis_rule_CIS-5.3.2)

Please note that with CIS_Ubuntu_Linux_20.04_LTS_Benchmark_v1.1.0 by CIS
the numbering is no longer aligned to the xccdf file with
xccdf_com.ubuntu.focal.cis_rule_CIS-5.3.2.

===================
Procedure:

Verify password lockouts are configured. These settings are commonly
configured with the pam_tally2.so modules found in
/etc/pam.d/common-auth:

# grep "pam_tally2" /etc/pam.d/common-auth

Expected result:
auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900

Actual result:
auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900

===================
NEXT

Verify the pam_deny.so module and pam_tally2.so modules are included in
/etc/pam.d/common-account:

# grep -E "pam_(tally2|deny)\.so" /etc/pam.d/common-account

Expected result:
account requisite pam_deny.so
account required pam_tally2.so 0

Actual result:
account requisite pam_deny.so
account required pam_tally2.so

===================
No errors or events within the logs.
===================

OS Version (lsb_release)
Description: Ubuntu 20.04.3 LTS
Release: 20.04
Codename: focal

US Version
27.2.2~20.04.1

ua status
SERVICE       ENTITLED  STATUS    DESCRIPTION
cis           yes       enabled   Center for Internet Security Audit Tools
esm-infra     yes       enabled   UA Infra: Extended Security Maintenance (ESM)
fips          yes       disabled  NIST-certified core packages
fips-updates  yes       disabled  NIST-certified core packages with priority security updates
livepatch     yes       enabled   Canonical Livepatch service

===================
Expected result is that it should pass but process fails.

** Affects: ubuntu-advantage-tools (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1942010

Title:
  Ensure lockout for failed password attempts is configured
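
The two manual grep checks in the report only show that a matching line exists. The added example below (not from the report, the CIS benchmark, or cis-audit, and not a reproduction of what the xccdf rule evaluates) parses both PAM files and validates the options. The function names, sample file contents and the thresholds (deny of at most 5, unlock_time of at least 900, taken from the expected line above) are assumptions.

```python
# Constructed samples; the pam_tally2/pam_deny lines are the ones quoted in the report.
COMMON_AUTH = """\
auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900
auth [success=1 default=ignore] pam_unix.so nullok
"""
COMMON_ACCOUNT = """\
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_tally2.so
"""

def parse_pam(text):
    """Yield (type, control, module, options) per rule; comments and @include are skipped."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split(None, 1)
        if len(fields) < 2 or fields[0].startswith("@"):
            continue
        ptype, rest = fields[0].lstrip("-"), fields[1]
        if rest.startswith("["):  # a bracketed control field contains whitespace
            control, _, rest = rest.partition("]")
            control += "]"
        else:
            parts = rest.split(None, 1)
            control, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        tokens = rest.split()
        if tokens:
            yield ptype, control, tokens[0], dict(t.partition("=")[::2] for t in tokens[1:])

def _in_range(value, low, high):
    return value is not None and value.isdigit() and low <= int(value) <= high

def check_lockout(auth_text, account_text, max_deny=5, min_unlock=900):
    """Return a list of findings; an empty list means both files pass (assumed thresholds)."""
    findings = []
    tally = [r for r in parse_pam(auth_text) if r[0] == "auth" and r[2] == "pam_tally2.so"]
    if not tally:
        findings.append("common-auth: no active auth pam_tally2.so rule")
    else:
        _, control, _, opts = tally[0]
        checks = [
            (control == "required", "control is not 'required'"),
            (opts.get("onerr") == "fail", "onerr=fail missing"),
            (_in_range(opts.get("deny"), 1, max_deny), f"deny not in 1..{max_deny}"),
            (_in_range(opts.get("unlock_time"), min_unlock, float("inf")),
             f"unlock_time below {min_unlock}"),
        ]
        findings += [f"common-auth: {msg}" for ok, msg in checks if not ok]
    modules = {r[2] for r in parse_pam(account_text) if r[0] == "account"}
    findings += [f"common-account: {m} missing"
                 for m in ("pam_deny.so", "pam_tally2.so") if m not in modules]
    return findings
```

On a live system, pass the contents of /etc/pam.d/common-auth and /etc/pam.d/common-account instead of the constructed samples.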