From 0a04e6ec696fa0ecde11f67f342b70a498274f9c Mon Sep 17 00:00:00 2001 From: Rodrigo Tavares Date: Wed, 22 Jan 2025 09:11:13 -0300 Subject: [PATCH] Change unlock time to 15 min and enforce for root CIS Benchmark requirement 5.3.3.1 mandates that the unlock time for accounts after failed login attempts be set to at least 15 minutes and that it also applies to the root user. This commit increases the unlock time from 5 minutes (300 seconds) to 15 minutes (900 seconds) and adds the `even_deny_root` option to apply this policy to the root user. Test Plan: PASS: Run build-pkgs -c -p pam-config. PASS: Run build-image. PASS: Run fresh install of AIO-SX with complete bootstrap and unlock of the controller-0. PASS: Run fresh install of DX + 2 workers with complete bootstrap and unlock of all the controllers and workers. PASS: Lock the root account by failing to login 5 times and check if the account is locked for 15 minutes. PASS: Run backup and restore and check the changes persist. Story: 2011283 Task: 51588 Change-Id: I2f611c025317557c9194785bfb1ea190a9453604 Signed-off-by: Rodrigo Tavares --- pam-config/source-debian/faillock.conf | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/pam-config/source-debian/faillock.conf b/pam-config/source-debian/faillock.conf index 4df0b4e..11ee259 100644 --- a/pam-config/source-debian/faillock.conf +++ b/pam-config/source-debian/faillock.conf @@ -1,2 +1,3 @@ deny = 5 -unlock_time = 300 +unlock_time = 900 +even_deny_root
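Review bot: `even_deny_root` is added at the end of the faillock.conf hunk with no `root_unlock_time` and no comment, so a reader has to know that root's lockout duration falls back to `unlock_time = 900`. Consider adding `root_unlock_time = 900` explicitly, or a comment line above the new options that references CIS 5.3.3.1 and states that root shares the 15-minute window. That way a later change to `unlock_time` does not silently change root's behaviour as well. The test plan confirms that root locks after 5 failures, but it does not show that an administrator can still clear the lock during the 15 minutes, for example with `faillock --user root --reset` from another privileged account. Since five bad passwords at any root login prompt now deny root for 15 minutes, it would be worth adding that recovery check to the test plan.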