From 9ee18acd49cfc3d0746a2e56e7c9ed2553c13176 Mon Sep 17 00:00:00 2001 From: Frank Brehm Date: Mon, 24 May 2021 23:43:56 +0200 Subject: [PATCH] committing changes in /etc made by "/usr/bin/apt full-upgrade -y" Package changes: -fonts-noto-color-emoji 0~20200408-1 all +fonts-noto-color-emoji 0~20200916-1~ubuntu20.04.1 all -gnome-disk-utility 3.36.1-1ubuntu1 amd64 +gnome-disk-utility 3.36.3-0ubuntu1 amd64 -libpam-modules 1.3.1-5ubuntu4.1 amd64 -libpam-modules-bin 1.3.1-5ubuntu4.1 amd64 -libpam-runtime 1.3.1-5ubuntu4.1 all +libpam-modules 1.3.1-5ubuntu4.2 amd64 +libpam-modules-bin 1.3.1-5ubuntu4.2 amd64 +libpam-runtime 1.3.1-5ubuntu4.2 all -libpam0g 1.3.1-5ubuntu4.1 amd64 +libpam0g 1.3.1-5ubuntu4.2 amd64 -python3-distupgrade 1:20.04.32 all +python3-distupgrade 1:20.04.33 all -ubuntu-release-upgrader-core 1:20.04.32 all +ubuntu-release-upgrader-core 1:20.04.33 all --- .etckeeper | 1 + security/faillock.conf | 62 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 63 insertions(+) create mode 100644 security/faillock.conf diff --git a/.etckeeper b/.etckeeper index 9994479..c57a1ed 100755 --- a/.etckeeper +++ b/.etckeeper @@ -2792,6 +2792,7 @@ maybe chmod 0644 'screenrc' maybe chmod 0755 'security' maybe chmod 0644 'security/access.conf' maybe chmod 0644 'security/capability.conf' +maybe chmod 0644 'security/faillock.conf' maybe chmod 0644 'security/group.conf' maybe chmod 0644 'security/limits.conf' maybe chmod 0755 'security/limits.d' diff --git a/security/faillock.conf b/security/faillock.conf new file mode 100644 index 0000000..16d93df --- /dev/null +++ b/security/faillock.conf @@ -0,0 +1,62 @@ +# Configuration for locking the user after multiple failed +# authentication attempts. +# +# The directory where the user files with the failure records are kept. +# The default is /var/run/faillock. +# dir = /var/run/faillock +# +# Will log the user name into the system log if the user is not found. +# Enabled if option is present. +# audit +# +# Don't print informative messages. +# Enabled if option is present. +# silent +# +# Don't log informative messages via syslog. +# Enabled if option is present. +# no_log_info +# +# Only track failed user authentications attempts for local users +# in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users. +# The `faillock` command will also no longer track user failed +# authentication attempts. Enabling this option will prevent a +# double-lockout scenario where a user is locked out locally and +# in the centralized mechanism. +# Enabled if option is present. +# local_users_only +# +# Deny access if the number of consecutive authentication failures +# for this user during the recent interval exceeds n tries. +# The default is 3. +# deny = 3 +# +# The length of the interval during which the consecutive +# authentication failures must happen for the user account +# lock out is n seconds. +# The default is 900 (15 minutes). +# fail_interval = 900 +# +# The access will be re-enabled after n seconds after the lock out. +# The value 0 has the same meaning as value `never` - the access +# will not be re-enabled without resetting the faillock +# entries by the `faillock` command. +# The default is 600 (10 minutes). +# unlock_time = 600 +# +# Root account can become locked as well as regular accounts. +# Enabled if option is present. +# even_deny_root +# +# This option implies the `even_deny_root` option. +# Allow access after n seconds to root account after the +# account is locked. In case the option is not specified +# the value is the same as of the `unlock_time` option. +# root_unlock_time = 900 +# +# If a group name is specified with this option, members +# of the group will be handled by this module the same as +# the root account (the options `even_deny_root>` and +# `root_unlock_time` will apply to them. +# By default, the option is not set. +# admin_group = -- 2.39.5