RHEL-130875

Faillock locked accounts should not be unlocked by automated services (e.g. crond and systemd-user)


    • Type: Story
    • Resolution: Unresolved
    • Priority: Major
    • rhel-9.8
    • pam
    • pam-1.5.1-28.el9
    • rhel-idm-zta
    • ssg_idm
    • ZTA: RHELs for 10.2 and 9.8
    • Enhancement
      .Automated services no longer reset account lockout counters

      This update ensures that automated services like `crond` and `systemd-user` are prevented from unlocking accounts locked by `faillock`. Previously, these services would automatically clear the "failed login" counter when they ran, which could allow a malicious actor to keep guessing passwords without being permanently locked out. With this release, once an account is locked by a security policy, it remains locked until the timeout expires or an administrator intervenes, regardless of any background system activity.

      Goal

      • Faillock locked accounts should not be unlocked by automated services (e.g. crond and systemd-user)
        • As a user, I don't want the failed-login counter on my account to be reset by automated services, so that brute-force password guessing attacks against my account are prevented.

      Acceptance Criteria

      • When the account is locked by faillock:
        • Verify that crond does not unlock the faillock-locked account.
        • Verify that systemd-user does not unlock the faillock-locked account.

      Additional information

      The following PAM rule unlocks a faillock-locked account unconditionally, because the account phase of pam_faillock.so clears the user's failure records:

      account     required                                     pam_faillock.so 
      

      In the usual PAM workflow a faillock-locked account is stopped at the auth stage, so the account stage is never reached.
      However, automated services such as crond and systemd-user skip the auth stage (no password is checked) and go straight to the account stage, so they execute the rule above and unlock the account.

      The proposed change is to insert the following line before the rule above:

      account     [success=1 default=ignore]                  pam_succeed_if.so service in crond:systemd-user
      account     required                                     pam_faillock.so 
      

      The `[success=1 default=ignore]` control skips exactly one rule when pam_succeed_if.so matches, so for the crond and systemd-user services pam_faillock.so is never run in the account stage and the lockout is preserved; every other service still reaches pam_faillock.so as before.
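To make the control flow concrete, here is a small Python model of how the account stack above is evaluated for different PAM service names. It is an added illustration written for this page, not code from the issue or from Linux-PAM; it implements only the subset of PAM semantics the two rules use (`required`, `[success=N default=ignore]`, and pam_succeed_if's `service in`/`notin` test), treats every other module as succeeding, and simply records which modules get executed. The two stacks it evaluates are constructed from the rules quoted above, with a pam_unix.so line added after pam_faillock.so so the skip target is visible.

```python
"""Simulate evaluation of a PAM *account* stack for several services.

Added illustration, not code from the RHEL issue or from Linux-PAM. It
models only the control-field semantics the two rules above depend on:
  - `required`/`requisite`: run the module, continue to the next rule
  - `[success=N default=ignore]`: run the module; on success skip N rules
and a tiny subset of pam_succeed_if (`service in a:b`, `service notin a:b`).
Every other module is assumed to succeed and is only recorded, because the
question here is *which* modules run for a given service, not what they do.
"""

import re
from dataclasses import dataclass

# Constructed account stacks: the original rule and the proposed fix.
ACCOUNT_STACK_BEFORE = """
account     required                                     pam_faillock.so
account     required                                     pam_unix.so
"""

ACCOUNT_STACK_AFTER = """
account     [success=1 default=ignore]                  pam_succeed_if.so service in crond:systemd-user
account     required                                     pam_faillock.so
account     required                                     pam_unix.so
"""


@dataclass
class Rule:
    control: str     # e.g. "required" or "[success=1 default=ignore]"
    module: str      # e.g. "pam_faillock.so"
    args: list[str]  # module arguments, whitespace-split


def parse_stack(text: str, stack_type: str = "account") -> list[Rule]:
    """Parse pam.d-style lines, keeping only rules of `stack_type`."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        # The control field may be a bracketed list containing whitespace.
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if not m:
            raise ValueError(f"unparseable PAM line: {line!r}")
        typ, control, module, rest = m.groups()
        if typ == stack_type:
            rules.append(Rule(control, module, rest.split()))
    return rules


def succeed_if(args: list[str], service: str) -> bool:
    """Evaluate the `service in/notin list` subset of pam_succeed_if."""
    field, op, values = args[0], args[1], args[2].split(":")
    if field != "service":
        raise NotImplementedError(f"field {field!r} not modelled")
    if op == "in":
        return service in values
    if op == "notin":
        return service not in values
    raise NotImplementedError(f"operator {op!r} not modelled")


def run_stack(rules: list[Rule], service: str) -> list[str]:
    """Return the modules actually executed for `service`, in order."""
    executed = []
    i = 0
    while i < len(rules):
        r = rules[i]
        executed.append(r.module)
        ok = succeed_if(r.args, service) if r.module == "pam_succeed_if.so" else True
        m = re.fullmatch(r"\[success=(\d+)\s+default=ignore\]", r.control)
        if m:
            skip = int(m.group(1)) if ok else 0   # jump over the next N rules
        elif r.control in ("required", "requisite"):
            skip = 0
        else:
            raise NotImplementedError(f"control {r.control!r} not modelled")
        i += 1 + skip
    return executed


def faillock_runs(stack_text: str, service: str) -> bool:
    """True if pam_faillock.so's account phase would execute for `service`."""
    return "pam_faillock.so" in run_stack(parse_stack(stack_text), service)


if __name__ == "__main__":
    for name, stack in (("before", ACCOUNT_STACK_BEFORE), ("after", ACCOUNT_STACK_AFTER)):
        for svc in ("sshd", "crond", "systemd-user"):
            print(f"{name:6} {svc:13} runs pam_faillock.so: {faillock_runs(stack, svc)}")
```

Running the block prints, per stack and service, whether pam_faillock.so is reached: with the original stack it is reached for every service, including crond and systemd-user; with the pam_succeed_if.so line in front, crond and systemd-user jump over it (success=1 skips exactly one rule) while sshd still executes it and so still has its tally reset after a successful login. On a real system the equivalent check for the acceptance criteria is `faillock --user <name>` before and after a cron job for that user has run, which requires root and is outside what this model covers.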

              Iker Pedrosa (ipedrosa@redhat.com)
              Ding Yi Chen (rhn-support-dchen)
              Iker Pedrosa
              Anuj Borah
              Dominika Borges
              Votes: 0
              Watchers: 8