Give ability to set our own root_unlock_time #212

Closed
prestonSeaman2 opened this issue Jun 28, 2023 · 3 comments
@prestonSeaman2

Feature Request or Enhancement

  • Feature [x]
  • Enhancement []

Summary of Request
It would be nice to be able to set a variable for our own root_unlock_time value.

Suggested Code
The changes would need to be added to RHEL-08-020014, RHEL-08-020015, RHEL-08-020016, RHEL-08-020018, RHEL-08-020020, RHEL-08-020022 tasks.

@prestonSeaman2 prestonSeaman2 added the enhancement New feature or request label Jun 28, 2023
@uk-bolly uk-bolly self-assigned this Jul 5, 2023
@uk-bolly
Member

uk-bolly commented Jul 5, 2023

Hi @prestonSeaman2

Thank you for raising this enhancement, could you provide more information please?
There is no root_unlock_time value that can be set that I am able to find.
I am assuming you are asking if you can set whether to lock out root or not?
If that is the case it is set in defaults/main.yml - rhel8stig_pam_faillock.fail_for_root
Which is also associated with rhel-08-020023. I am changing the value from true to match the value of the control number.

Please let us know if we have misunderstood your request?

many thanks

uk-bolly

uk-bolly added a commit that referenced this issue Jul 5, 2023
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>
@prestonSeaman2
Author

For the pam_faillock module configuration, we are requesting that a distinct lockout interval value be set for the root user, by explicitly setting root_unlock_time, as appropriate, in /etc/pam.d/system-auth, /etc/pam.d/system-auth, and /etc/security/faillock.conf. Per the pam_faillock documentation, if unspecified, root_unlock_time defaults to unlock_time.

For example, we might want to configure pam_faillock so that the root account is still locked out after a certain number of failed login attempts, but not for as long as other users.
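
The fallback described in the comment above, shown as an added example that is not part of the original thread or the project's code: it resolves the effective root lockout interval from faillock.conf text. The function names and both sample configurations are constructed for illustration; option names and the 600-second default follow faillock.conf(5).

```python
# Added example: helper names are hypothetical, sample configs are constructed.
DEFAULT_UNLOCK_TIME = 600  # seconds; pam_faillock default when unlock_time is unset

# Constructed sample: root shares the general unlock_time.
SAMPLE_SHARED = """
deny = 3
unlock_time = 900
even_deny_root
"""

# Constructed sample: root is locked, but for a shorter interval than other users.
SAMPLE_DISTINCT = """
deny = 3
unlock_time = 0   # regular users stay locked until an admin resets them
root_unlock_time = 60
"""


def parse_faillock_conf(text):
    """Parse 'name = value' and bare-flag lines; '#' starts a comment."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, sep, value = line.partition("=")
        opts[name.strip()] = value.strip() if sep else True
    return opts


def _seconds(value):
    """Convert an option value to seconds; 'never' means the same as 0."""
    return 0 if value == "never" else int(value)


def effective_root_lockout(text):
    """Return (root_is_locked, unlock_seconds, option_that_supplied_the_value)."""
    opts = parse_faillock_conf(text)
    if "root_unlock_time" in opts:
        # An explicit root_unlock_time implies even_deny_root.
        return True, _seconds(opts["root_unlock_time"]), "root_unlock_time"
    if opts.get("even_deny_root"):
        # Unset root_unlock_time falls back to unlock_time (or its default).
        unlock = _seconds(opts.get("unlock_time", DEFAULT_UNLOCK_TIME))
        return True, unlock, "unlock_time"
    return False, None, "root not subject to lockout"
```

An unlock interval of 0 means the account is not unlocked automatically and must be reset with faillock(8).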

@uk-bolly
Member

uk-bolly commented Apr 9, 2024

Hi @prestonSeaman2

I believe this issue has been addressed and merged?
I will close this, but feel free to reopen if you are still experiencing this problem.

many thanks

uk-bolly

@uk-bolly uk-bolly closed this as completed Apr 9, 2024
uk-bolly added a commit that referenced this issue May 24, 2024
Signed-off-by: Mark Bolwell <mark.bollyuk@gmail.com>