PAM hardening with faillock: lockouts, password and sudo policy

Last updated: 20 Aug 2025

Goal: sensible lockouts (with audit), sane password policy for local accounts, and predictable sudo behaviour. Adjust paths for your distro.

1) faillock defaults

# /etc/security/faillock.conf
deny = 5
unlock_time = 600
even_deny_root
audit

2) Enable faillock in PAM stacks

Ubuntu/Debian (PAM includes):

# /etc/pam.d/common-auth (preauth before pam_unix, authfail directly after it)
auth   required  pam_faillock.so preauth
auth   [success=1 default=bad] pam_unix.so nullok
auth   [default=die] pam_faillock.so authfail
# success=1 above skips authfail and lands here; authsucc clears the tally on a good login
auth   sufficient pam_faillock.so authsucc
# /etc/pam.d/common-account (the account line belongs in the account stack, not common-auth)
account required  pam_faillock.so

RHEL/Rocky/Alma: the system-auth/password-auth profiles already reference faillock—verify with authselect and enable the faillock feature.
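A quick way to confirm a stack is wired in the order step 2 requires: the Python linter below is an added example (not part of this note or any distro's tooling) that parses a PAM auth stack and flags missing or misordered faillock lines. The two sample stacks are constructed, not copied from a real host.

```python
import re

# Constructed sample stacks: the hardened ordering from step 2, and a broken one
# where faillock was appended after pam_unix.so and authsucc was forgotten.
GOOD_AUTH = """
auth   required  pam_faillock.so preauth
auth   [success=1 default=bad] pam_unix.so nullok
auth   [default=die] pam_faillock.so authfail
auth   sufficient pam_faillock.so authsucc
"""
BAD_AUTH = """
auth   [success=1 default=ignore] pam_unix.so nullok
auth   required  pam_faillock.so preauth
auth   [default=die] pam_faillock.so authfail
"""
PAM_LINE = re.compile(r"(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def parse_pam(text):
    """Return (type, control, module, args) tuples, ignoring comments and blank lines."""
    rows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = PAM_LINE.match(line) if line else None
        if m:
            rows.append(m.groups())
    return rows

def check_auth_stack(text):
    """Return findings for a PAM 'auth' stack; an empty list means faillock is wired correctly."""
    auth = [r for r in parse_pam(text) if r[0] == "auth"]
    def position(module, arg=None):
        # Index of the first auth line using this module (and, if given, this argument).
        for i, (_, _, mod, args) in enumerate(auth):
            if mod == module and (arg is None or arg in args.split()):
                return i
        return None
    pre, unix = position("pam_faillock.so", "preauth"), position("pam_unix.so")
    fail, succ = position("pam_faillock.so", "authfail"), position("pam_faillock.so", "authsucc")
    findings = []
    for name, pos in (("preauth", pre), ("authfail", fail), ("authsucc", succ)):
        if pos is None:
            findings.append(f"missing pam_faillock.so {name}")
    if unix is None:
        findings.append("missing pam_unix.so")
        return findings
    if pre is not None and pre > unix:
        findings.append("preauth is after pam_unix.so: the lock is not checked before the password prompt")
    if fail is not None and fail < unix:
        findings.append("authfail is before pam_unix.so: failed attempts are never counted")
    return findings
```

Feed it the contents of your own common-auth (or the authselect-generated system-auth) instead of the samples; the same ordering rules apply on both families.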

3) Password quality (local accounts)

# /etc/security/pwquality.conf
minlen = 12
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
enforce_for_root

4) Sudo hygiene

# /etc/sudoers.d/baseline (visudo -f ...)
Defaults use_pty
Defaults logfile="/var/log/sudo.log"
Defaults timestamp_timeout=5
# Restrict to the admin group name your distro uses:
# %sudo ALL=(ALL) ALL
# %wheel ALL=(ALL) ALL

5) Operations

# View lockouts
faillock --user kevin
# Clear after investigation
faillock --user kevin --reset