DLPX-86530 CIS: delphix user lockout after failed login attempts

rupalimatkar · rupalimatkar · commit 2f15fa7ea3df · 2026-05-25T15:22:06.000+05:30
PR URL: https://www.github.com/delphix/delphix-platform/pull/564
diff --git a/files/common/usr/share/pam-configs/delphix-faillock-authcheck b/files/common/usr/share/pam-configs/delphix-faillock-authcheck
@@ -0,0 +1,8 @@
+Name: Delphix faillock failure counter
+Default: yes
+Priority: 0
+Auth-Type: Primary
+Auth:
+        [default=die]   pam_faillock.so authfail audit deny=5 unlock_time=900 onerr=fail
+Auth-Initial:
+        [default=die]   pam_faillock.so authfail audit deny=5 unlock_time=900 onerr=fail
diff --git a/files/common/usr/share/pam-configs/delphix-faillock-preauth b/files/common/usr/share/pam-configs/delphix-faillock-preauth
@@ -0,0 +1,13 @@
+Name: Delphix faillock account lockout (preauth)
+Default: yes
+Priority: 1024
+Auth-Type: Primary
+Auth:
+        required        pam_faillock.so preauth silent audit deny=5 unlock_time=900 onerr=fail
+Auth-Initial:
+        required        pam_faillock.so preauth silent audit deny=5 unlock_time=900 onerr=fail
+Account-Type: Primary
+Account:
+        required        pam_faillock.so
+Account-Initial:
+        required        pam_faillock.so
diff --git a/files/common/usr/share/pam-configs/delphix-pwhistory b/files/common/usr/share/pam-configs/delphix-pwhistory
@@ -0,0 +1,8 @@
+Name: Delphix password history
+Default: yes
+Priority: 1024
+Password-Type: Primary
+Password:
+        requisite       pam_pwhistory.so remember=5 use_authtok
+Password-Initial:
+        requisite       pam_pwhistory.so remember=5 use_authtok
diff --git a/files/common/var/lib/delphix-platform/ansible/10-delphix-platform/roles/delphix-platform/tasks/main.yml b/files/common/var/lib/delphix-platform/ansible/10-delphix-platform/roles/delphix-platform/tasks/main.yml
@@ -503,6 +503,15 @@
   when:
     - variant is regex("external-.*")
 
+#
+# CIS hardening (DLPX-86530): account lockout on failed logins via pam_faillock
+# and password-reuse history via pam_pwhistory. The profile files dropped under
+# /usr/share/pam-configs/ are auto-enabled (Default: yes); this call composes
+# them into /etc/pam.d/common-{auth,account,password}. Runs after the CRA
+# enable above so both stacks compose consistently.
+#
+- command: /usr/sbin/pam-auth-update --package
+
 #
 # Increase login timeout to give support more time to interact with CRA via the console.
 #
