id: linux-account-lockout-threshold

info:
  name: Linux Account Lockout Threshold Check
  author: songyaeji
  severity: high
  description: |
    The system did not enforce an account lockout threshold, leaving it exposed to brute-force attacks through unrestricted login attempts.
  reference:
    - https://isms.kisa.or.kr/main/csap/notice/
  metadata:
    verified: true
  tags: local,linux,kisa,audit,compliance

self-contained: true

code:
  - engine:
      - bash
    source: |
      grep -E 'pam_tally2.so|pam_faillock.so' \
        /etc/pam.d/system-auth /etc/pam.d/password-auth /etc/pam.d/common-auth \
        2>/dev/null || echo "no-lockout-config"

    matchers:
      - type: word
        name: no-config
        part: response
        words:
          - "no-lockout-config"
# digest: 4b0a00483046022100ddbb8ad3614b22b608c14fd9c974fd7024e21bda73426b584045cf5f7270303d022100cd10a4cc0e4cf5302c7760c004a52a3ef979541703ca6130a740ec39dcb99c43:922c64590222798bb761d5b6d8e72950