From 277e357bfdae380ab41daee9fbef5ec0e5493a9a Mon Sep 17 00:00:00 2001 From: mhoellein Date: Tue, 25 May 2021 22:25:57 +0200 Subject: [PATCH] committing changes in /etc made by "apt-get upgrade" Package changes: -libpam-modules 1.3.1-5ubuntu4.1 amd64 -libpam-modules-bin 1.3.1-5ubuntu4.1 amd64 -libpam-runtime 1.3.1-5ubuntu4.1 all +libpam-modules 1.3.1-5ubuntu4.2 amd64 +libpam-modules-bin 1.3.1-5ubuntu4.2 amd64 +libpam-runtime 1.3.1-5ubuntu4.2 all -libpam0g 1.3.1-5ubuntu4.1 amd64 +libpam0g 1.3.1-5ubuntu4.2 amd64 -libx11-6 2:1.6.9-2ubuntu1.1 amd64 -libx11-data 2:1.6.9-2ubuntu1.1 all -libx11-xcb1 2:1.6.9-2ubuntu1.1 amd64 +libx11-6 2:1.6.9-2ubuntu1.2 amd64 +libx11-data 2:1.6.9-2ubuntu1.2 all +libx11-xcb1 2:1.6.9-2ubuntu1.2 amd64 -python3-distupgrade 1:20.04.32 all +python3-distupgrade 1:20.04.33 all -ubuntu-release-upgrader-core 1:20.04.32 all +ubuntu-release-upgrader-core 1:20.04.33 all --- .etckeeper | 1 + security/faillock.conf | 62 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 63 insertions(+) create mode 100644 security/faillock.conf diff --git a/.etckeeper b/.etckeeper index 4fd30f0fe..0daaa34f6 100755 --- a/.etckeeper +++ b/.etckeeper @@ -7891,6 +7891,7 @@ maybe chmod 0644 'screenrc' maybe chmod 0755 'security' maybe chmod 0644 'security/access.conf' maybe chmod 0644 'security/capability.conf' +maybe chmod 0644 'security/faillock.conf' maybe chmod 0644 'security/group.conf' maybe chmod 0644 'security/limits.conf' maybe chmod 0755 'security/limits.d' diff --git a/security/faillock.conf b/security/faillock.conf new file mode 100644 index 000000000..16d93df7b --- /dev/null +++ b/security/faillock.conf @@ -0,0 +1,62 @@ +# Configuration for locking the user after multiple failed +# authentication attempts. +# +# The directory where the user files with the failure records are kept. +# The default is /var/run/faillock. +# dir = /var/run/faillock +# +# Will log the user name into the system log if the user is not found. +# Enabled if option is present. +# audit +# +# Don't print informative messages. +# Enabled if option is present. +# silent +# +# Don't log informative messages via syslog. +# Enabled if option is present. +# no_log_info +# +# Only track failed user authentications attempts for local users +# in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users. +# The `faillock` command will also no longer track user failed +# authentication attempts. Enabling this option will prevent a +# double-lockout scenario where a user is locked out locally and +# in the centralized mechanism. +# Enabled if option is present. +# local_users_only +# +# Deny access if the number of consecutive authentication failures +# for this user during the recent interval exceeds n tries. +# The default is 3. +# deny = 3 +# +# The length of the interval during which the consecutive +# authentication failures must happen for the user account +# lock out is n seconds. +# The default is 900 (15 minutes). +# fail_interval = 900 +# +# The access will be re-enabled after n seconds after the lock out. +# The value 0 has the same meaning as value `never` - the access +# will not be re-enabled without resetting the faillock +# entries by the `faillock` command. +# The default is 600 (10 minutes). +# unlock_time = 600 +# +# Root account can become locked as well as regular accounts. +# Enabled if option is present. +# even_deny_root +# +# This option implies the `even_deny_root` option. +# Allow access after n seconds to root account after the +# account is locked. In case the option is not specified +# the value is the same as of the `unlock_time` option. +# root_unlock_time = 900 +# +# If a group name is specified with this option, members +# of the group will be handled by this module the same as +# the root account (the options `even_deny_root>` and +# `root_unlock_time` will apply to them. +# By default, the option is not set. +# admin_group = -- 2.43.0