STIGViewer Trial workspace — loading your subscription…

Ubuntu 22.04 LTS must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts have been made.

Overview

Finding IDVersionRule IDIA ControlsSeverity
V-260549UBTU-22-411045SV-260549r958388_ruleCCI-000044low
Description
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account. Satisfies: SRG-OS-000021-GPOS-00005, SRG-OS-000329-GPOS-00128
STIGDate
Canonical Ubuntu 22.04 LTS Security Technical Implementation Guide2026-02-06

Related Frameworks

3 paths across 3 frameworks
NIST 800-531 mapping
AC-7
1.00
  • DISA · V2R8 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
NIST 800-1711 mapping
3.1.8
1.00
  • DISA · V2R8 · disa_xccdf · related
  • DISA · 2025-01-23 · disa_cci_list · equivalent
  • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
CCI1 mapping
CCI-000044
1.00
  • DISA · V2R8 · disa_xccdf · related

Details

Check Text (C-260549r958388_chk)

Verify that Ubuntu 22.04 LTS utilizes the "pam_faillock" module by using the following command: $ grep faillock /etc/pam.d/common-auth auth [default=die] pam_faillock.so authfail auth sufficient pam_faillock.so authsucc If the "pam_faillock.so" module is not present in the "/etc/pam.d/common-auth" file, this is a finding. Verify the "pam_faillock" module is configured to use the following options: $ sudo grep -Ew 'silent|audit|deny|fail_interval|unlock_time' /etc/security/faillock.conf audit silent deny = 3 fail_interval = 900 unlock_time = 0 If "audit" is commented out, or is missing, this is a finding. If "silent" is commented out, or is missing, this is a finding. If "deny" is set to a value greater than "3", is commented out, or is missing, this is a finding. If "fail_interval" is set to a value greater than "900", is commented out, or is missing, this is a finding. If "unlock_time" is not set to "0", is commented out, or is missing, this is a finding.

Fix Text (F-64186r953459_fix)

Configure Ubuntu 22.04 LTS to utilize the "pam_faillock" module. Add or modify the following lines in the "/etc/pam.d/common-auth" file, below the "auth" definition for "pam_unix.so": auth [default=die] pam_faillock.so authfail auth sufficient pam_faillock.so authsucc Configure the "pam_faillock" module to use the following options. Add or modify the following lines in the "/etc/security/faillock.conf" file: audit silent deny = 3 fail_interval = 900 unlock_time = 0