DLPX-86530 CIS: delphix user lockout after failed login attempts #522

Draft: wants to merge 1 commit into base: develop

Conversation

rupalimatkar (Contributor)

@rupalimatkar rupalimatkar commented Apr 12, 2025

Background

CIS: delphix user lockout after failed login attempts

JIRA: https://delphix.atlassian.net/browse/DLPX-86530

Status of the 'deny' setting for pam_tally2.so module in /etc/pam.d/common-auth file
Located in the /etc/pam.d directory, the 'pam_tally2.so' module allows administrators to manage user login security policy and monitor user login activity. The 'deny' parameter in the 'pam_tally2.so' module sets the number of failed login attempts allowed prior to account lockout. As a malicious user can use brute force attacks to compromise user accounts, account lockout policies mitigate this risk by restricting failed login attempts. The 'deny' parameter in the 'pam_tally2.so' module should be set in accordance with the needs of the organization.

Remediation: Edit the /etc/pam.d/common-auth file and add the auth line below:
auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900

Solution

Updating the PAM modules common-auth and common-account to enforce delphix user lockout policies using pam_tally2.so.

Testing Done

http://selfservice.jenkins.delphix.com/job/appliance-build-orchestrator-pre-push/8569/console
http://selfservice.jenkins.delphix.com/job/appliance-build-orchestrator-pre-push/8523/console - In-progress
http://selfservice.jenkins.delphix.com/job/appliance-build-orchestrator-pre-push/8456/ - In-progress
http://selfservice.jenkins.delphix.com/job/appliance-build-orchestrator-pre-push/8394/ - In-progress
http://selfservice.jenkins.delphix.com/job/appliance-build-orchestrator-pre-push/8391/ - In-progress
http://selfservice.jenkins.delphix.com/job/appliance-build-orchestrator-pre-push/8389/console - Successful

With 4 unsuccessful login attempts and a 5th successful login attempt with the delphix user:

[image]

With 5 unsuccessful login attempts and entering the correct password at the 6th attempt with the delphix user:

The delphix user lockout has already happened; after the unlock time completes, the connection to the engine will succeed with the correct password.

[image]

Re-login to the engine with the delphix user after the unlock period is over:

[image]
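The lockout line quoted in the description, turned into an added audit check (this is example code, not part of this PR or the appliance-build project): it reads a PAM auth file, finds the active line loading pam_tally2.so and verifies deny, unlock_time and onerr against the CIS remediation values. The file path, the thresholds and the two sample files are assumptions for the example.

```shell
#!/bin/sh
# Added audit helper (not part of this PR): check a PAM auth file for the CIS
# pam_tally2 lockout line. Thresholds (deny<=5, unlock_time set, onerr=fail) are
# taken from the remediation line in the PR description; the file checked is
# whatever is passed as $1 (assumption: /etc/pam.d/common-auth on the appliance).

# Print the first effective (uncommented) auth line that loads pam_tally2.so.
tally2_auth_line() {
    grep -E '^[[:space:]]*auth[[:space:]]+(required|requisite|\[[^]]*\])[[:space:]]+pam_tally2\.so' "$1" 2>/dev/null | head -n 1
}

# Print the value of option $1 (e.g. deny) from the PAM line $2; empty if absent.
pam_opt() {
    printf '%s\n' "$2" | tr ' \t' '\n\n' | sed -n "s/^$1=//p" | head -n 1
}

# Return 0 when file $1 enforces the lockout policy, 1 otherwise; reason on stdout.
check_lockout_policy() {
    line=$(tally2_auth_line "$1")
    [ -n "$line" ] || { echo "FAIL: no active auth line loading pam_tally2.so"; return 1; }
    deny=$(pam_opt deny "$line")
    unlock=$(pam_opt unlock_time "$line")
    onerr=$(pam_opt onerr "$line")
    [ -n "$deny" ] || { echo "FAIL: deny= not set, no lockout threshold"; return 1; }
    [ "$deny" -le 5 ] 2>/dev/null || { echo "FAIL: deny=$deny allows more than 5 failures"; return 1; }
    [ -n "$unlock" ] || { echo "FAIL: unlock_time= not set, lockouts need manual unlock"; return 1; }
    [ "$onerr" = "fail" ] || { echo "FAIL: onerr=${onerr:-unset} (module errors must fail closed)"; return 1; }
    echo "PASS: deny=$deny unlock_time=$unlock onerr=$onerr"
}

# Constructed sample files for a stand-alone run (not copied from any appliance).
GOOD=$(mktemp); BAD=$(mktemp)
cat >"$GOOD" <<'EOF'
auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900
auth [success=1 default=ignore] pam_unix.so nullok_secure
EOF
cat >"$BAD" <<'EOF'
# A commented-out hardening line has no effect:
# auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900
auth required pam_tally2.so onerr=succeed deny=10
EOF
check_lockout_policy "$GOOD"                                    # PASS: deny=5 unlock_time=900 onerr=fail
if check_lockout_policy "$BAD"; then echo "unexpected PASS"; fi # FAIL: deny=10 allows more than 5 failures
rm -f "$GOOD" "$BAD"
```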

@rupalimatkar force-pushed the dlpx/pr/rupalimatkar/da904b63-7d6c-4609-be3d-33af24627f9e branch from d922185 to 3a03709 on April 12, 2025 15:02
@rupalimatkar force-pushed the dlpx/pr/rupalimatkar/da904b63-7d6c-4609-be3d-33af24627f9e branch from 3a03709 to c89db39 on April 12, 2025 15:14