
DLPX-86530 CIS: delphix user lockout after failed login attempts#564

Draft
rupalimatkar wants to merge 1 commit into develop from dlpx/pr/rupalimatkar/9dee0c6b-b4ec-433f-86b3-94b5b7620cd4


@rupalimatkar rupalimatkar commented May 25, 2026

Background

CIS hardening — DLPX-86530. The appliance must lock out users after repeated
failed login attempts (`pam_faillock` in `common-auth` / `common-account`)
and reject password reuse (`pam_pwhistory` in `common-password`).

Solution

Three pam-auth-update profiles under `/usr/share/pam-configs/` shipped by the
`delphix-platform` package, plus a single `pam-auth-update --package` ansible
task to compose them in after the CRA enable:

| Profile | Priority | Effect |
|---|---|---|
| `delphix-faillock-preauth` | 1024 | `auth required pam_faillock.so preauth …` at top of auth; `account required pam_faillock.so` (also resets tally on success) |
| `delphix-faillock-authcheck` | 0 | `auth [default=die] pam_faillock.so authfail …` at bottom of auth |
| `delphix-pwhistory` | 1024 | `password requisite pam_pwhistory.so remember=5 use_authtok` before pam_unix |

Faillock parameters: `deny=5 unlock_time=900 onerr=fail audit silent`.
Pwhistory: `remember=5`.

All three profiles set `Default: yes` so they auto-enable on install.
pam-auth-update recalculates the `success=N` jumps and composes faillock
around whichever Primary auth module is active (`unix` on internal,
`challenge-response` on external), so the same change works for all variants.
The `account required pam_faillock.so` line handles counter reset on
successful auth — no separate `authsucc` is needed.

Testing Done

  • `appliance-build-orchestrator/pre-push` green on a build for an
    internal variant
  • `appliance-build-orchestrator/pre-push` green on a build for an
    external variant
  • Smoke test on built engine:
    • 5 failed `delphix` ssh logins → 6th attempt rejected even with right
      password
    • Wait `unlock_time=900s` → next login succeeds and tally cleared
    • Change `delphix` password to a previously-used one → rejected by
      pwhistory
    • Successful login mid-streak → tally cleared by `account required
      pam_faillock.so`
  • Verify `/etc/pam.d/common-auth` composition after CRA toggle on an
    external variant (faillock lines present, ordering correct)
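A scripted version of the last testing step (checking how pam-auth-update composed the faillock rules), added here as an example; it is not part of this PR or the delphix-platform package. It runs against constructed sample files and assumes the internal variant's primary auth module is `pam_unix.so`; point it at `/etc/pam.d/common-auth` and `common-account` on a built engine instead.

```shell
#!/bin/sh
# Added example, not part of this PR: check that pam-auth-update composed the
# faillock profiles the way the description expects. Paths are passed in, so
# it can be pointed at /etc/pam.d on a built engine.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# Constructed sample of common-auth on an internal (pam_unix) variant.
cat > "$SAMPLE_DIR/common-auth" <<'EOF'
# constructed sample, not a real appliance file
auth    required            pam_faillock.so preauth deny=5 unlock_time=900 onerr=fail audit silent
auth    [success=1 default=ignore]  pam_unix.so nullok
auth    [default=die]       pam_faillock.so authfail deny=5 unlock_time=900 onerr=fail audit silent
auth    requisite           pam_deny.so
auth    required            pam_permit.so
EOF
# Constructed sample of common-account with the faillock reset rule.
cat > "$SAMPLE_DIR/common-account" <<'EOF'
account required            pam_faillock.so
account [success=1 new_authtok_reqd=done default=ignore]  pam_unix.so
account requisite           pam_deny.so
account required            pam_permit.so
EOF
# Constructed bad sample: the preauth profile was never enabled.
grep -v preauth "$SAMPLE_DIR/common-auth" > "$SAMPLE_DIR/common-auth.bad"

# check_faillock <common-auth> <common-account>: returns 0 only when preauth is
# the first auth rule, authfail sits after the primary module and before
# pam_deny, the account reset rule is present, and both faillock lines carry
# the CIS parameters from the PR description.
check_faillock() {
  auth=$1; acct=$2
  pre=$(awk '/^auth/ {n++} /^auth.*pam_faillock\.so.*preauth/ {print n; exit}' "$auth")
  fail=$(awk '/^auth/ {n++} /^auth.*pam_faillock\.so.*authfail/ {print n; exit}' "$auth")
  deny=$(awk '/^auth/ {n++} /^auth.*pam_deny\.so/ {print n; exit}' "$auth")
  [ "${pre:-0}" -eq 1 ] || { echo "faillock preauth missing or not first" >&2; return 1; }
  [ "${fail:-0}" -gt 1 ] && [ "$fail" -lt "${deny:-0}" ] \
    || { echo "faillock authfail missing or misplaced" >&2; return 1; }
  grep -Eq '^account[[:space:]]+required[[:space:]]+pam_faillock\.so' "$acct" \
    || { echo "account pam_faillock.so reset rule missing" >&2; return 1; }
  for p in deny=5 unlock_time=900 onerr=fail audit silent; do
    [ "$(grep -c "pam_faillock\.so.*$p" "$auth")" -eq 2 ] \
      || { echo "parameter $p not on both faillock lines" >&2; return 1; }
  done
}

check_faillock "$SAMPLE_DIR/common-auth" "$SAMPLE_DIR/common-account" && echo "good sample: OK"
check_faillock "$SAMPLE_DIR/common-auth.bad" "$SAMPLE_DIR/common-account" || echo "bad sample: rejected"
```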

@rupalimatkar rupalimatkar force-pushed the dlpx/pr/rupalimatkar/9dee0c6b-b4ec-433f-86b3-94b5b7620cd4 branch from 5802549 to 2f15fa7 Compare May 25, 2026 09:52