RH415 - ch05s07

This course is now legacy content

This course is using an outdated version of the technology and is now considered to be Legacy content. It will be removed from our catalog on June 28, 2024. Please be sure to complete your course and finish any remaining labs before that date. We recommend moving to version 9.2, which is the latest version currently available.

Preface A: Introduction

Section A.1: Red Hat Security: Linux in Physical, Virtual, and Cloud

Section A.2: Orientation to the Classroom Environment

Section A.3: Internationalization

Chapter 1: Managing Security and Risk

Section 1.1: Managing Security and Risk

Section 1.2: Quiz: Managing Security and Risk

Section 1.3: Reviewing Recommended Security Practices

Section 1.4: Guided Exercise: Reviewing Recommended Security Practices

Section 1.5: Lab: Managing Security and Risk

Section 1.6: Summary

Chapter 2: Automating Configuration and Remediation with Ansible

Section 2.1: Configuring Ansible for Security Automation

Section 2.2: Guided Exercise: Configuring Ansible for Security Automation

Section 2.3: Remediating Issues with Ansible Playbooks

Section 2.4: Guided Exercise: Remediating Issues with Ansible Playbooks

Section 2.5: Managing Playbooks with Red Hat Ansible Tower

Section 2.6: Guided Exercise: Managing Playbooks with Red Hat Ansible Tower

Section 2.7: Lab: Automating Configuration and Remediation with Ansible

Section 2.8: Summary

Chapter 3: Protecting Data with LUKS and NBDE

Section 3.1: Managing File System Encryption with LUKS

Section 3.2: Guided Exercise: Managing File System Encryption with LUKS

Section 3.3: Controlling File System Decryption with NBDE

Section 3.4: Guided Exercise: Controlling File System Decryption with NBDE

Section 3.5: Lab: Protecting Data with LUKS and NBDE

Section 3.6: Summary

Chapter 4: Restricting USB Device Access

Section 4.1: Controlling USB Access with USBGuard

Section 4.2: Guided Exercise: Controlling USB access with USBGuard

Section 4.3: Lab: Restricting USB Device Access

Section 4.4: Summary

Chapter 5: Controlling Authentication with PAM

Section 5.1: Auditing the PAM Configuration

Section 5.2: Guided Exercise: Auditing the PAM Configuration

Section 5.3: Modifying the PAM Configuration

Section 5.4: Guided Exercise: Modifying the PAM Configuration

Section 5.5: Configuring Password Quality Requirements

Section 5.6: Guided Exercise: Configuring Password Quality Requirements

SectionSection 5.7: Limiting Access After Failed Logins

Section 5.8: Guided Exercise: Limiting Access After Failed Logins

Section 5.9: Lab: Controlling Authentication with PAM

Section 5.10: Summary

Chapter 6: Recording System Events with Audit

Section 6.1: Configuring Audit to Record System Events

Section 6.2: Guided Exercise: Configuring Audit to Record System Events

Section 6.3: Inspecting Audit Logs

Section 6.4: Guided Exercise: Inspecting Audit Logs

Section 6.5: Writing Custom Audit Rules

Section 6.6: Guided Exercise: Writing Custom Audit Rules

Section 6.7: Enabling Prepackaged Audit Rule Sets

Section 6.8: Guided Exercise: Enabling Prepackaged Audit Rule Sets

Section 6.9: Lab: Recording System Events with Audit

Section 6.10: Summary

Chapter 7: Monitoring File System Changes

Section 7.1: Detecting File System Changes with AIDE

Section 7.2: Guided Exercise: Detecting File System Changes with AIDE

Section 7.3: Investigating File System Changes with AIDE

Section 7.4: Guided Exercise: Investigating File System Changes with AIDE

Section 7.5: Lab: Monitoring File System Changes

Section 7.6: Summary

Chapter 8: Mitigating Risk with SELinux

Section 8.1: Enabling SELinux from the Disabled State

Section 8.2: Guided Exercise: Enabling SELinux from the Disabled State

Section 8.3: Controlling Access with Confined Users

Section 8.4: Guided Exercise: Controlling Access with Confined Users

Section 8.5: Auditing the SELinux Policy

Section 8.6: Guided Exercise: Auditing the SELinux Policy

Section 8.7: Lab: Mitigating Risk with SELinux

Section 8.8: Summary

Chapter 9: Managing Compliance with OpenSCAP

Section 9.1: Installing OpenSCAP

Section 9.2: Guided Exercise: Installing OpenSCAP

Section 9.3: Scanning and Analyzing Compliance

Section 9.4: Guided Exercise: Scanning and Analyzing Compliance

Section 9.5: Customizing OpenSCAP Policy

Section 9.6: Guided Exercise: Customizing OpenSCAP Policy

Section 9.7: Remediating OpenSCAP Issues with Ansible

Section 9.8: Guided Exercise: Remediating OpenSCAP Issues with Ansible

Section 9.9: Lab: Managing Compliance with OpenSCAP

Section 9.10: Summary

Chapter 10: Automating Compliance with Red Hat Satellite

Section 10.1: Configuring Red Hat Satellite for OpenSCAP

Section 10.2: Guided Exercise: Configuring Red Hat Satellite for OpenSCAP

Section 10.3: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.4: Guided Exercise: Scan OpenSCAP Compliance with Red Hat Satellite

Section 10.5: Customize the OpenSCAP Policy in Red Hat Satellite

Section 10.6: Guided Exercise: Customize OpenSCAP Policy in Red Hat Satellite

Section 10.7: Lab: Automating Compliance with Red Hat Satellite

Section 10.8: Summary

Chapter 11: Analyzing and Remediating Issues with Red Hat Insights

Section 11.1: Registering Systems with Red Hat Insights

Section 11.2: Quiz: Registering Systems with Red Hat Insights

Section 11.3: Reviewing Red Hat Insights Reports

Section 11.4: Quiz: Reviewing Red Hat Insights Reports

Section 11.5: Automating Issue Remediation

Section 11.6: Quiz: Automating Issue Remediation

Section 11.7: Summary

Chapter 12: Comprehensive Review

Section 12.1: Comprehensive Review

Section 12.2: Lab: Automating Configuration and Remediation with Ansible

Section 12.3: Lab: Protecting Data with LUKS and NBDE

Section 12.4: Lab: Restricting USB Device Access and Mitigating Risk with SELinux

Section 12.5: Lab: Recording Events, Monitoring File System Changes and Managing Compliance with OpenSCAP

Bookmark this page

P 1 2 3 4 5 6 7 8 9 10 11 12

Limiting Access After Failed Logins

Objectives

After completing this section, students should be able to implement account locking after a specified number of failed logins.

Locking Accounts with Multiple Failed Logins

Many security policies have requirements related to locking user accounts after multiple failed login attempts. You can use the PAM pam_faillock module to implement this requirement. The pam_faillock module can lock accounts after a specific number of failed login attempts, and it can automatically unlock these accounts after a predefined period. You can use the faillock command, part of the pam package, to view a report of failed login attempts or to reset a user's failed attempts.

Note

The pam_faillock module was added in Red Hat Enterprise Linux 6.1, alongside the already existing pam_tally2 module. pam_faillock provides some extra functionality. For example, it also controls failed login attempts on local screen savers. The authconfig tool can configure pam_faillock but not pam_tally2.

You should be aware of the risk of denial-of-service attacks when enabling pam_faillock. A malicious user can easily lock an account by voluntarily entering incorrect passwords. The legitimate user will then be denied access to their account for the duration of the lock period.

Configuring password quality requirements

Configuring the pam_faillock Module

pam_faillock does not a have a dedicated configuration file; its configuration is entirely done through its arguments. To enable and configure pam_faillock, you can manually edit the PAM configuration files, but the authconfig tool offers a much easier way.

[root@demo ~]# authconfig --enablefaillock \
> --faillockargs="deny=3 fail_interval=60 unlock_time=600" --update
[root@demo ~]#

The --enablefaillock option activates the pam_faillock module in your PAM configuration. The --faillockargs option configures the module. The pam_faillock(8) manual page describes all the available arguments, but the most common are listed below.

deny=N: This is the number of consecutive failed login attempts after which pam_faillock locks the account.
fail_interval=S: This is the time interval, specified in seconds, during which the failed login attempts must occur for pam_faillock to lock the account. In the previous example, with deny=3 and fail_interval=60, pam_faillock locks the account if the user enters three consecutive incorrect passwords in less than a minute.
unlock_time=S: This is the number of seconds after which PAM unlocks the account. In the previous example, with unlock_time=600, a user with a locked account must wait 10 minutes before being able to log in again.
even_deny_root: By default, without this argument, pam_faillock does not lock the root account. With the even_deny_root argument, pam_faillock applies the same rules to root as it does to regular users. Enabling this setting could have severe consequences. A malicious user can lock the root account, preventing legitimate administrators from accessing the system. To mitigate this issue, you can use the root_unlock_time=S argument to specify a shorter lock time for the root account. Red Hat recommends to deny direct remote root access to your system. For SSH, you can set PermitRootLogin to no in /etc/ssh/sshd_config.

PAM calls the pam_faillock module in the auth and account management groups.

[root@demo ~]# cat /etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        required      pam_faillock.so preauth ...       
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_faillock.so authfail ...      
auth        required      pam_deny.so

account     required      pam_faillock.so                   
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so
...output omitted...

	First, PAM calls the module in the `auth` management group, before any other module that asks the user for their password, such as `pam_unix`. With the `preauth` argument, `pam_faillock` controls if the user account is locked.
	PAM calls the module a second time in the `auth` management group, but this time, only if the user has entered an incorrect password. Notice that the `pam_unix` module is sufficient. This means that if the password is correct, PAM exits the file at that point and the following `pam_faillock` module is not called. With the `authfail` argument, `pam_faillock` records the failed login attempt.
	PAM calls the module in the `account` management group. Because at this point the user is authenticated, `pam_faillock` invalidates the failed login attempt records for the account.

Managing Locked Accounts

You can list failed login attempts with the faillock command.

[root@demo ~]# faillock
user1:
When                Type  Source               Valid
2018-07-14 11:46:35 RHOST 10.1.2.12                V
2018-07-14 11:46:31 RHOST 10.1.2.12                V
2018-07-14 11:46:44 RHOST 10.1.2.12                V
user2:
When                Type  Source               Valid
2018-07-14 11:48:01 TTY   tty2                     V
2018-07-14 11:48:31 TTY   tty2                     V
2018-07-14 11:48:37 TTY   tty2                     V
root:
When                Type  Source               Valid

The --user option restricts the output to a specific account.

[root@demo ~]# faillock --user user1
user1:
When                Type  Source               Valid
2018-07-14 11:46:31 RHOST 10.1.2.12                V
2018-07-14 11:46:44 RHOST 10.1.2.12                V
2018-07-14 11:46:35 RHOST 10.1.2.12                V

The Type column indicates the source of the connection: RHOST for remote connections, such as ssh, or TTY for console connections. The Source column gives the origin of the connection: host name, IP address, or TTY. The Valid column indicates if the record is still valid (V) or not (I).

The --reset option removes the failure records for a user. As a side effect, this also unlocks the account if it was locked.

[root@demo ~]# faillock --user user1 --reset
[root@demo ~]# faillock --user user1
user1:
When                Type  Source               Valid
[root@demo ~]#

References

The pam_faillock(8) and faillock(8) man pages.

For more information, refer to the Account Locking section in the Red Hat Enterprise Linux 7 Security Guide at https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/security_guide/#sect-Security_Guide-Workstation_Security-Account_Locking

Discuss Red Hat Security: Linux in Physical, Virtual, and Cloud

Go to community

Welcome to the Red Hat Security: Linux in Physical, Virtual, and Cloud (RH415) group!

Deanna

26 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat Security: Linux in Physical, Virtual, and Cloud! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to RH415.Read more about Red Hat Security: Linux in Physical, Virtual, and Cloud here.

415

Revision: rh415-7.5-813735c