Avoid faillock lock/tally reset on reboot or timeout

2024-12-22 15:33:36 +07:00 · 2024-10-19 23:49:07 -05:00 · 2024-10-19 23:49:07 -05:00 · 690e8dd826
commit 690e8dd826
parent b6433309fd
6 changed files with 37 additions and 17 deletions
--- a/debian/security-misc.postinst
+++ b/debian/security-misc.postinst
@ -52,6 +52,9 @@ case "$1" in

        ## /usr/share/glib-2.0/schemas/30_security-misc.gschema.override
        glib-compile-schemas /usr/share/glib-2.0/schemas || true
+
+        ## state dir for faillock
+        mkdir -p /var/lib/security-misc/faillock
    ;;

    abort-upgrade|abort-remove|abort-deconfigure)
--- a/etc/security/faillock.conf.security-misc
+++ b/etc/security/faillock.conf.security-misc
@ -6,7 +6,7 @@
 #
 # The directory where the user files with the failure records are kept.
 # The default is /var/run/faillock.
-# dir = /var/run/faillock
+dir = /var/lib/security-misc/faillock
 #
 # Will log the user name into the system log if the user is not found.
 # Enabled if option is present.
@ -38,14 +38,19 @@ deny = 50
 # authentication failures must happen for the user account
 # lock out is <replaceable>n</replaceable> seconds.
 # The default is 900 (15 minutes).
-# fail_interval = 900
+# security-misc note: the interval should be set to infinity if possible,
+# however pam_faillock arbitrarily limits this variable to a maximum of 604800
+# seconds (7 days). See
+# https://github.com/linux-pam/linux-pam/blob/539816e4a0a277dbb632412be91e482fff9d9d09/modules/pam_faillock/faillock_config.h#L59
+# for details. Therefore we set this to the maximum allowable value of 7 days.
+fail_interval = 604800
 #
 # The access will be re-enabled after n seconds after the lock out.
 # The value 0 has the same meaning as value `never` - the access
 # will not be re-enabled without resetting the faillock
 # entries by the `faillock` command.
 # The default is 600 (10 minutes).
-# unlock_time = 600
+unlock_time = never
 #
 # Root account can become locked as well as regular accounts.
 # Enabled if option is present.
--- a/usr/libexec/security-misc/pam-info
+++ b/usr/libexec/security-misc/pam-info
@ -21,6 +21,9 @@ true "$0: START PHASE 2"

 set -o pipefail

+## Named constants.
+pam_faillock_state_dir="/var/lib/security-misc/faillock"
+
 ## Debugging.
 who_ami="$(whoami)"
 true "$0: who_ami: $who_ami"
@ -102,7 +105,7 @@ fi
 ##
 ## Checking exit code to avoid breaking when read-only disk boot but
 ## without ro-mode-init or grub-live being used.
-if ! pam_faillock_output="$(faillock --user -- "$PAM_USER")" ; then
+if ! pam_faillock_output="$(faillock --dir "$pam_faillock_state_dir" --user "$PAM_USER")" ; then
   true "$0: faillock non-zero exit code."
   exit 0
 fi
--- a/usr/share/pam-configs/faillock-preauth-security-misc
+++ b/usr/share/pam-configs/faillock-preauth-security-misc
@ -1,11 +1,8 @@
-Name: lock accounts after 50 failed authentication attempts (part 1) (by package security-misc)
+Name: lock accounts after 50 failed authentication attempts (preauth component) (by package security-misc)
 Default: yes
-Priority: 290
+Priority: 1024
 Auth-Type: Primary
 Auth:
 	optional	pam_exec.so	debug stdout seteuid /usr/libexec/security-misc/pam-info
 	[success=1 default=ignore]	pam_exec.so	seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x
 	required	pam_faillock.so preauth
-Account-Type: Primary
-Account:
-	requisite	pam_faillock.so
--- a/usr/share/pam-configs/faillock2-security-misc
+++ b/usr/share/pam-configs/faillock2-security-misc
@ -1,8 +0,0 @@
-Name: lock accounts after 50 failed authentication attempts (part 2) (by package security-misc)
-Default: yes
-Priority: 245
-Auth-Type: Primary
-Auth:
-	[success=2 default=ignore]	pam_exec.so	seteuid quiet /usr/libexec/security-misc/pam_faillock_not_if_x
-	[default=die]  pam_faillock.so authfail
-	sufficient     pam_faillock.so authsucc
--- a/usr/share/pam-configs/unix-faillock-security-misc
+++ b/usr/share/pam-configs/unix-faillock-security-misc
@ -0,0 +1,20 @@
+Name: Unix authentication with faillock (by package security-misc)
+Default: yes
+Priority: 384
+Auth-Type: Primary
+Auth:
+	[success=3 default=ignore]	pam_unix.so nullok	try_first_pass
+	[success=1 default=ignore]	pam_exec.so	seteuid	quiet	/usr/libexec/security-misc/pam_faillock_not_if_x
+	[default=die]	pam_faillock.so	authfail
+	requisite	pam_deny.so
+	[success=1 default=ignore]	pam_exec.so	seteuid	quiet	/usr/libexec/security-misc/pam_faillock_not_if_x
+	optional	pam_faillock.so	authsucc
+	required	pam_permit.so
+Auth-Initial:
+	[success=3 default=ignore]	pam_unix.so nullok
+	[success=1 default=ignore]	pam_exec.so	seteuid	quiet	/usr/libexec/security-misc/pam_faillock_not_if_x
+	[default=die]	pam_faillock.so	authfail
+	requisite	pam_deny.so
+	[success=1 default=ignore]	pam_exec.so	seteuid	quiet	/usr/libexec/security-misc/pam_faillock_not_if_x
+	optional	pam_faillock.so	authsucc
+	required	pam_permit.so