
DLPX-86530 CIS: delphix user lockout after failed login attempts #474

Draft: wants to merge 1 commit into base: develop
Conversation

@rupalimatkar (Contributor) commented Feb 29, 2024

Background

CIS: delphix user lockout after failed login attempts

JIRA: https://delphix.atlassian.net/browse/DLPX-86530

Status of the 'deny' setting for pam_tally2.so module in /etc/pam.d/common-auth file
Located in the /etc/pam.d directory, the 'pam_tally2.so' module allows administrators to manage user login security policy and monitor user login activity. The 'deny' parameter in the 'pam_tally2.so' module sets the number of failed login attempts allowed prior to account lockout. As a malicious user can use brute force attacks to compromise user accounts, account lockout policies mitigate this risk by restricting failed login attempts. The 'deny' parameter in the 'pam_tally2.so' module should be set in accordance with needs of the organization.

Remediation: Edit the /etc/pam.d/common-auth file and add the auth line below:
auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900

Solution

Updating the pam modules common-auth and common-account to enforce delphix user lockout policies using pam_tally2.so

Testing Done

http://selfservice.jenkins.delphix.com/job/appliance-build-orchestrator-pre-push/8569/console
http://selfservice.jenkins.delphix.com/job/appliance-build-orchestrator-pre-push/8523/console - In-progress
http://selfservice.jenkins.delphix.com/job/appliance-build-orchestrator-pre-push/8456/ - In-progress
http://selfservice.jenkins.delphix.com/job/appliance-build-orchestrator-pre-push/8394/ - In-progress
http://selfservice.jenkins.delphix.com/job/appliance-build-orchestrator-pre-push/8391/ - In-progress
http://selfservice.jenkins.delphix.com/job/appliance-build-orchestrator-pre-push/8389/console - Successful

With 4 unsuccessful login attempts and a 5th successful login attempt with the delphix user:

With 5 unsuccessful login attempts and the correct password entered on the 6th attempt with the delphix user:

The delphix user lockout has already happened; after the unlock time completes, the connection to the engine will succeed with the correct password.

Re-login to the engine with the delphix user after the unlock period is over:
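Added example, not code from this PR or from Linux-PAM: a small Python model of the lockout that the remediation line above enforces with deny=5 and unlock_time=900, together with the `account required pam_tally2.so` line that resets the counter after a successful login (the reason common-account is touched as well as common-auth). It reproduces the three cases in the screenshots and one case they do not show: while the account is locked, every further failed attempt moves the failure timestamp forward, so an attacker who keeps guessing can keep the delphix user locked out for as long as they like. The class and function names and the simulated clock are assumptions; the bump-then-check order follows pam_tally2's auth phase, and the exact clock handling should be confirmed against the module source for the PAM version in use. Note also that pam_tally2 was removed in Linux-PAM 1.5.0, where pam_faillock provides the equivalent policy, so these lines will not load on a newer base image.

```python
"""Model of the pam_tally2 lockout policy from the CIS remediation line.

Added example; not code from the Delphix PR or from Linux-PAM. Class and
function names and the simulated clock (integer seconds) are assumptions.
"""
from dataclasses import dataclass
from typing import Tuple

DENY = 5            # deny=5          -> refuse once more than 5 tallied failures
UNLOCK_TIME = 900   # unlock_time=900 -> lock expires 15 min after the last failure


@dataclass
class Tally2Account:
    """Per-user tally record, like one entry pam_tally2 keeps in its tally file."""
    deny: int = DENY
    unlock_time: int = UNLOCK_TIME
    fail_cnt: int = 0
    fail_time: int = 0   # simulated epoch seconds of the most recent failed attempt

    def auth(self, password_ok: bool, now: int) -> bool:
        """auth phase: 'auth required pam_tally2.so ... deny=N unlock_time=T'."""
        # pam_tally2 bumps the tally *before* checking it, so every attempt is
        # provisionally a failure; only a successful account phase clears it.
        oldtime = self.fail_time
        self.fail_cnt += 1
        self.fail_time = now
        if self.fail_cnt > self.deny:
            unlocked = self.unlock_time > 0 and now - oldtime >= self.unlock_time
            if not unlocked:
                return False   # locked: refused even with the correct password
        return password_ok

    def account(self) -> None:
        """account phase: 'account required pam_tally2.so' resets the tally."""
        self.fail_cnt = 0
        self.fail_time = 0

    def login(self, password_ok: bool, now: int) -> bool:
        """One full login: auth then account, in the order the PAM stack runs them."""
        if not self.auth(password_ok, now):
            return False
        self.account()
        return True


def four_failures_then_success() -> bool:
    """Screenshot 1: four wrong passwords, then the right one on attempt 5."""
    acct = Tally2Account()
    for t in range(4):
        assert not acct.login(False, now=t)
    return acct.login(True, now=4)               # tally reaches 5, not > 5: allowed


def five_failures_then_correct_password() -> Tuple[bool, bool]:
    """Screenshots 2 and 3: five wrong passwords lock the user; the right
    password is refused on attempt 6 and accepted once unlock_time has passed."""
    acct = Tally2Account()
    for t in range(5):
        acct.login(False, now=t)
    sixth = acct.login(True, now=5)              # tally 6 > 5, lock is fresh: refused
    later = acct.login(True, now=5 + UNLOCK_TIME)  # 900 s since last failure: allowed
    return sixth, later


def attacker_keeps_lock_fresh() -> bool:
    """Lockout as denial of service: an attacker who retries a wrong password
    every 10 minutes keeps the delphix user locked, because each failed attempt
    moves fail_time forward and restarts the unlock_time window.
    Returns True when the legitimate user is still refused."""
    acct = Tally2Account()
    t = 0
    for _ in range(DENY):                        # attacker exhausts the allowance
        acct.login(False, now=t)
        t += 1
    for _ in range(6):                           # an hour of further wrong guesses
        t += 600
        acct.login(False, now=t)
    # legitimate user tries 10 min after the last attacker attempt: still < 900 s
    return not acct.login(True, now=t + 600)
```

The model makes the operational trade-off concrete: deny=5/unlock_time=900 bounds online guessing to five tries per 15 minutes, but because the delphix username is fixed and the SSH port is reachable, the same setting lets anyone who can reach the engine keep that account locked; pair it with rate limiting or source restrictions on the management interface rather than relying on lockout alone.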

@rupalimatkar rupalimatkar force-pushed the dlpx/pr/rupalimatkar/546555a5-ec5d-42e7-be23-deee276abd4a branch 2 times, most recently from 98f62b9 to e9611d9 Compare March 5, 2024 11:57
@rupalimatkar rupalimatkar force-pushed the dlpx/pr/rupalimatkar/546555a5-ec5d-42e7-be23-deee276abd4a branch 2 times, most recently from 140a0a1 to eca353a Compare March 20, 2024 11:50
@rupalimatkar rupalimatkar force-pushed the dlpx/pr/rupalimatkar/546555a5-ec5d-42e7-be23-deee276abd4a branch from eca353a to 952932e Compare March 27, 2024 04:46
@rupalimatkar rupalimatkar force-pushed the dlpx/pr/rupalimatkar/546555a5-ec5d-42e7-be23-deee276abd4a branch 2 times, most recently from e2aff29 to 461ca7e Compare April 28, 2024 05:55
@rupalimatkar rupalimatkar self-assigned this Apr 28, 2024
@rupalimatkar rupalimatkar force-pushed the dlpx/pr/rupalimatkar/546555a5-ec5d-42e7-be23-deee276abd4a branch from 461ca7e to 18d9564 Compare April 29, 2024 05:18
@rupalimatkar rupalimatkar force-pushed the dlpx/pr/rupalimatkar/546555a5-ec5d-42e7-be23-deee276abd4a branch from 18d9564 to 6d5521d Compare April 29, 2024 12:30