diff --git a/controls/anssi.yml b/controls/anssi.yml
index ddcbc880fa0..83b48120013 100644
--- a/controls/anssi.yml
+++ b/controls/anssi.yml
@@ -755,6 +755,8 @@ controls:
 - var_accounts_passwords_pam_faillock_deny=3
 - accounts_passwords_pam_faillock_deny
 - accounts_passwords_pam_faillock_deny_root
+ # same as above but for pam_tally2 module
+ - accounts_passwords_pam_tally2_deny_root
 # Automatically unlock users after 15 min to prevent DoS
 - var_accounts_passwords_pam_faillock_unlock_time=900
 - accounts_passwords_pam_faillock_unlock_time
diff --git a/controls/cis_sle12.yml b/controls/cis_sle12.yml
index 468b25f8b98..d7e07507990 100644
--- a/controls/cis_sle12.yml
+++ b/controls/cis_sle12.yml
@@ -1770,6 +1770,7 @@ controls:
 rules:
 - accounts_passwords_pam_tally2
 - var_password_pam_tally2=5
+ - accounts_passwords_pam_tally2_deny_root
 - id: 5.3.3
 title: Ensure password reuse is limited (Automated)
diff --git a/controls/cis_sle15.yml b/controls/cis_sle15.yml
index 1625a0cbf6a..7dc066a6451 100644
--- a/controls/cis_sle15.yml
+++ b/controls/cis_sle15.yml
@@ -1954,6 +1954,7 @@ controls:
 rules:
 - accounts_passwords_pam_tally2
 - var_password_pam_tally2=5
+ - accounts_passwords_pam_tally2_deny_root
 - id: 5.3.3
 title: Ensure password reuse is limited (Automated)
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/ansible/shared.yml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/ansible/shared.yml
index ee0243ec978..e6f4d08b43f 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/ansible/shared.yml
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/ansible/shared.yml
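Review bot: The new line selects the pam_tally2 root-lockout rule without a matching threshold variable: the pam_faillock rules above are paired with `var_accounts_passwords_pam_faillock_deny=3`, and the CIS SLE controls in this same commit pair the tally2 rules with `var_password_pam_tally2=5`, but nothing here sets a tally2 deny value for ANSSI. If the check behind `accounts_passwords_pam_tally2_deny_root` (its OVAL captures `deny=(\d+)`) or its companion `accounts_passwords_pam_tally2` reads that variable, add `- var_password_pam_tally2=3` beside it so the tally2 and faillock thresholds agree. The comment could also say where the rule applies, since its remediations are restricted to SLE elsewhere in this commit, e.g. `# same as above but for pam_tally2 (SLE; other products use pam_faillock)`.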
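Review bot: Mapping `accounts_passwords_pam_tally2_deny_root` onto CIS 5.3.2 tightens the control beyond the benchmark text as I recall it: the CIS SLE recommendation is a pam_tally2 line with `onerr=fail … deny=5 unlock_time=900` and does not ask for `even_deny_root`, while the remediation added for this rule elsewhere in the commit removes `onerr=fail` from /etc/pam.d/login. A system configured exactly as the benchmark prescribes would then fail this control, and a remediated one drifts from the benchmark wording. If this is a deliberate hardening beyond CIS, say so next to the entry, e.g. `# even_deny_root is stricter than the CIS text; kept for parity with the ANSSI control`; otherwise leave it out of the CIS controls. The identical entry is added to cis_sle15.yml in this commit and the same applies there.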
@@ -1,9 +1,9 @@
-# platform = multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_sle
 # reboot = false
 # strategy = restrict
 # complexity = low
 # disruption = low
-{{{ ansible_ensure_pam_module_option('/etc/pam.d/common-auth', 'auth', 'required', 'pam_tally2.so', 'even_deny_root', '', '') }}}
-
+{{{ ansible_remove_pam_module_option('/etc/pam.d/login', 'auth', 'required', 'pam_tally2.so', 'onerr=fail') }}}
+{{{ ansible_ensure_pam_module_option('/etc/pam.d/login', 'auth', 'required', 'pam_tally2.so', 'even_deny_root', '', '') }}}
 {{{ ansible_ensure_pam_module_option('/etc/pam.d/common-account', 'account', 'required', 'pam_tally2.so', '', '', '') }}}
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/bash/shared.sh b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/bash/shared.sh
index 30f18f34d10..9bde69cb3a0 100644
--- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/bash/shared.sh
+++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/bash/shared.sh
@@ -1,9 +1,9 @@
-# platform = multi_platform_sle,multi_platform_ubuntu
+# platform = multi_platform_sle
 # reboot = false
 # strategy = restrict
 # complexity = low
 # disruption = low
-{{{ bash_ensure_pam_module_option('/etc/pam.d/common-auth', 'auth', 'required', 'pam_tally2.so', 'even_deny_root', '', '') }}}
-
+{{{ bash_remove_pam_module_option('/etc/pam.d/login', 'auth', 'required', 'pam_tally2.so', 'onerr=fail') }}}
+{{{ bash_ensure_pam_module_option('/etc/pam.d/login', 'auth', 'required', 'pam_tally2.so', 'even_deny_root', '', '') }}}
 {{{ bash_ensure_pam_module_option('/etc/pam.d/common-account', 'account', 'required', 'pam_tally2.so', '', '', '') }}}
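Review bot: Moving the `auth` line from /etc/pam.d/common-auth to /etc/pam.d/login narrows the root lockout to the `login` service only: on SLE the sshd, su, sudo and display-manager stacks include common-auth, not login, so failed root attempts over those paths are no longer tallied by this remediation even though the `account required pam_tally2.so` line stays in the shared common-account stack. That may be intentional (the CIS SLE text, as I recall it, places the line in /etc/pam.d/login), but the rule description should state the reduced coverage explicitly, and if the goal is lockout for every PAM service then common-auth is the file to target. Dropping `multi_platform_ubuntu` from `# platform` also leaves Ubuntu with a check but no remediation if the rule's prodtype still lists it; either narrow the rule as well or keep a separate Ubuntu remediation against common-auth.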
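Review bot: `bash_remove_pam_module_option(... 'onerr=fail')` deletes a hardening option with no comment explaining why. Per the pam_tally2 man page the module already returns the PAM error code when the tally file cannot be opened unless `onerr=succeed` is given, so the removal is presumably behaviour-neutral, but a reader (and anyone auditing against the CIS SLE text, which spells `onerr=fail` out) will read it as a downgrade. Add a line above the remove call such as `# onerr=fail is pam_tally2's default; dropped so the line matches the OVAL check (confirm)` — or the actual reason if it is something else — and do the same in the ansible remediation in this commit, which has the identical gap.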
diff --git a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/oval/shared.xml b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/oval/shared.xml index ed355f9bc96..86ec2be785b 100644 --- a/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/oval/shared.xml +++ b/linux_os/guide/system/accounts/accounts-pam/locking_out_password_attempts/accounts_passwords_pam_tally2_deny_root/oval/shared.xml @@ -17,9 +17,9 @@ - /etc/pam.d/common-auth - ^\s*auth\s+required\s+pam_tally2\.so\s+[^\n]*deny=[[4-9]|[1-9][0-9]]+([\s+\S+]*)even_deny_root([\s+\S+])*\s*(\\)*$ - 1 + /etc/pam.d/login + ^\s*auth(?:(?!\n)\s)+required(?:(?!\n)\s)+pam_tally2.so(?:(?!\n)\s)+(?:(?:(?:(?!\n)\s)?[^\n]+)?onerr=fail(?:(?:(?!\n)\s)+[^\n]+)?(?:(?!\n)\s)+deny=(\d+)(?:(?:\s+\S+)*\s*$))|(?:(?:(?:(?!\n)\s)?[^\n]+)?deny=(\d+)(?:(?:(?!\n)\s)+[^\n]+)?(?:(?!\n)\s)+even_deny_root(?:(?:\s+\S+)*\s*$)) + 1 root account is locked after a defined number of failed password attempts, run the following command: -
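Review bot: The new pattern's `|` sits at the top level, so its two halves are independent and neither enforces what the rule claims: the first alternative (`… pam_tally2.so … onerr=fail … deny=N`) matches a pam_tally2 line that has no `even_deny_root` at all, and the second alternative carries no `^\s*auth … pam_tally2.so` prefix, so a commented-out line or any other module's line containing `deny=N … even_deny_root` satisfies it — either way a non-compliant system passes. Wrap the alternation inside the anchored prefix and require `even_deny_root` on every path, e.g. `^\s*auth\s+required\s+pam_tally2\.so(?:\s+\S+)*\s+even_deny_root(?:\s+\S+)*\s*$` (the `.` in `pam_tally2.so` is unescaped as well); if the `deny=(\d+)` capture feeds a threshold comparison elsewhere in this object/state pair, keep the capture inside the anchored branch. The surrounding OVAL elements of this hunk are not visible here, and the rule.yml hunk that follows is cut at both ends so it is not reviewed.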
$ grep even_deny_root /etc/pam.d/common-auth
+
$ grep even_deny_root /etc/pam.d/login
The output should show even_deny_root. fixtext: |- To configure the system to lock out the root account after a number of incorrect login - attempts using pam_tally2.so, modify the content of both /etc/pam.d/common-auth and + attempts using pam_tally2.so, modify the content of both /etc/pam.d/login and /etc/pam.d/common-account as follows: