Bug 1148042

Summary: [RFE] pam_faillock: Allow argument of 'unlock_time' option to have a meaning of lock the account forever / till manual intervention from system administrator
Product: Red Hat Enterprise Linux 7 Reporter: Jan Lieskovsky <jlieskov>
Component: pamAssignee: Tomas Mraz <tmraz>
Status: CLOSED DUPLICATE QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.2CC: pkis, redigd, swells
Target Milestone: rcKeywords: FutureFeature
Target Release: ---   
Hardware: All   
OS: All   
URL: https://github.com/OpenSCAP/scap-security-guide/issues/135#issuecomment-57103951
Whiteboard:
Fixed In Version: Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-12-14 09:52:14 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Jan Lieskovsky 2014-09-30 14:53:15 UTC
Description of problem:

This issue has been raised within:
  https://github.com/OpenSCAP/scap-security-guide/issues/135#issuecomment-57103951

when trying to implement RHEL7 STIG: CCI-002238 rule. pam_faillock PAM module has option 'unlock_time' to specify how long time (in seconds) the account in question should be locked, till it's unlocked again. The maximum / upper border of allowed time specification is one week --

rpmbuild/BUILD/Linux-PAM-1.1.8/modules/pam_faillock/pam_faillock.c:

  70 #define MAX_TIME_INTERVAL 604800 /* 7 days */

Since RHEL7 STIG: CCI-002238 requires the account to be locked till manually unlocked by system administrator, it's not possible (right now) to implement this rule via pam_faillock module.

Therefore it would be nice if some special value (e.g. zero / 0) would be also accepted to instruct pam_faillock that the account in question shouldn't be unlocked till not performed manually by administrator.

Version-Release number of selected component (if applicable):
pam-1.1.8-9.el7

How reproducible:
Always

Steps to Reproduce:
1. Use pam_faillock and try to configure it to require account not to be unlocked till explicitly manually done by system administrator

Actual results:
Maximum allowed value is '604800', e.g. one week.

Expected results:
Maximum allowed value should be "forever" (till not unlocked by sysadmin).

Additional info:
Maybe the value of zero(0) could be used for this case for the case of user account of unprivileged user. This option / value should be forbidden for privileged / root account case.

Comment 3 redigd 2015-12-11 19:42:22 UTC
I need to second this request.  It is a total show stopper for my company.  We have tried to drop back to pam_tally2 but are having issues with systemd/polkit/X/gdm integration issues.

Comment 4 Tomas Mraz 2015-12-14 09:52:14 UTC

*** This bug has been marked as a duplicate of bug 1273373 ***