committing changes in /etc made by "/usr/bin/apt full-upgrade -y"

Package changes:
-fonts-noto-color-emoji 0~20200408-1 all
+fonts-noto-color-emoji 0~20200916-1~ubuntu20.04.1 all
-gnome-disk-utility 3.36.1-1ubuntu1 amd64
+gnome-disk-utility 3.36.3-0ubuntu1 amd64
-libpam-modules 1.3.1-5ubuntu4.1 amd64
-libpam-modules-bin 1.3.1-5ubuntu4.1 amd64
-libpam-runtime 1.3.1-5ubuntu4.1 all
+libpam-modules 1.3.1-5ubuntu4.2 amd64
+libpam-modules-bin 1.3.1-5ubuntu4.2 amd64
+libpam-runtime 1.3.1-5ubuntu4.2 all
-libpam0g 1.3.1-5ubuntu4.1 amd64
+libpam0g 1.3.1-5ubuntu4.2 amd64
-python3-distupgrade 1:20.04.32 all
+python3-distupgrade 1:20.04.33 all
-ubuntu-release-upgrader-core 1:20.04.32 all
+ubuntu-release-upgrader-core 1:20.04.33 all

diff --git a/.etckeeper b/.etckeeper
index 9994479c03aa833ed28e0b8594f07b41f6aae0a9..c57a1ed1df7384d53e26527d10d15b254a6712ab 100755 (executable)
--- a/.etckeeper
+++ b/.etckeeper
@@ -2792,6 +2792,7 @@ maybe chmod 0644 'screenrc'
 maybe chmod 0755 'security'
 maybe chmod 0644 'security/access.conf'
 maybe chmod 0644 'security/capability.conf'
+maybe chmod 0644 'security/faillock.conf'
 maybe chmod 0644 'security/group.conf'
 maybe chmod 0644 'security/limits.conf'
 maybe chmod 0755 'security/limits.d'

diff --git a/security/faillock.conf b/security/faillock.conf
new file mode 100644 (file)
index 0000000..16d93df
--- /dev/null
+++ b/security/faillock.conf
@@ -0,0 +1,62 @@
+# Configuration for locking the user after multiple failed
+# authentication attempts.
+#
+# The directory where the user files with the failure records are kept.
+# The default is /var/run/faillock.
+# dir = /var/run/faillock
+#
+# Will log the user name into the system log if the user is not found.
+# Enabled if option is present.
+# audit
+#
+# Don't print informative messages.
+# Enabled if option is present.
+# silent
+#
+# Don't log informative messages via syslog.
+# Enabled if option is present.
+# no_log_info
+#
+# Only track failed user authentications attempts for local users
+# in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users.
+# The `faillock` command will also no longer track user failed
+# authentication attempts. Enabling this option will prevent a
+# double-lockout scenario where a user is locked out locally and
+# in the centralized mechanism.
+# Enabled if option is present.
+# local_users_only
+#
+# Deny access if the number of consecutive authentication failures
+# for this user during the recent interval exceeds n tries.
+# The default is 3.
+# deny = 3
+#
+# The length of the interval during which the consecutive
+# authentication failures must happen for the user account
+# lock out is <replaceable>n</replaceable> seconds.
+# The default is 900 (15 minutes).
+# fail_interval = 900
+#
+# The access will be re-enabled after n seconds after the lock out.
+# The value 0 has the same meaning as value `never` - the access
+# will not be re-enabled without resetting the faillock
+# entries by the `faillock` command.
+# The default is 600 (10 minutes).
+# unlock_time = 600
+#
+# Root account can become locked as well as regular accounts.
+# Enabled if option is present.
+# even_deny_root
+#
+# This option implies the `even_deny_root` option.
+# Allow access after n seconds to root account after the
+# account is locked. In case the option is not specified
+# the value is the same as of the `unlock_time` option.
+# root_unlock_time = 900
+#
+# If a group name is specified with this option, members
+# of the group will be handled by this module the same as
+# the root account (the options `even_deny_root>` and
+# `root_unlock_time` will apply to them.
+# By default, the option is not set.
+# admin_group = <admin_group_name>