Running cronjobs resets the faillock for the user that is running the cronjob.
Environment
- Red Hat Enterprise Linux (RHEL) 7 and 8
- crond
- pam_faillock
Issue
Running cronjobs resets the failure counter of pam_faillock of that user that is running the cronjob
Resolution
The following adjustment should be used in environments where account locking should not affect cron jobs.
The pam_succeed_if line should be added immediately before the pam_faillock line. crond goes through /etc/pam.d/crond, and the change needs to be implemented in the account phase of the stack it includes.
Note that the following modifications will skip faillock checking for all users of cron. Consideration should be given as to whether this is applicable for the given deployment or whether it only applies to system users (or some other requirement).
pam_faillock should not be placed in service-specific files unless all the ramifications of ignoring the rest of the normal account phase rules have been taken into consideration.
RHEL7
- On RHEL7.2-7.6, in default deployments, /etc/pam.d/crond contains references to password-auth, so password-auth needs to be modified. The configuration on the actual system needs to be confirmed, as prior customizations from the default configs might be in place. The modification should be like this:
account [success=1 default=ignore] pam_succeed_if.so service in crond quiet
account required pam_faillock.so
- On RHEL7.7-7.9, in default deployments, /etc/pam.d/crond contains references to system-auth, so system-auth needs to be modified. The configuration on the actual system needs to be confirmed, as prior customizations from the default configs might be in place. The modification should be like this:
account [success=1 default=ignore] pam_succeed_if.so service in crond quiet
account required pam_faillock.so
RHEL8
On RHEL8, all minor releases, in default deployments, both /etc/pam.d/password-auth and /etc/pam.d/system-auth should be modified. The configuration on the actual system needs to be confirmed, as prior customizations from the default configs might be in place. The modifications for both files:
account [success=1 default=ignore] pam_succeed_if.so service in crond:systemd-user
account required pam_faillock.so
Root Cause
When a cron job is executed, the PAM stack is traversed. Once it reaches the account phase, pam_faillock resets the failure counter and thereby unlocks access. Thus a pam_succeed_if rule is needed to skip pam_faillock for automated services that skip the password check.
The crond and systemd-user services are known to skip the password check.
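To confirm that the rule above actually diverts crond around pam_faillock, the following added Python example (not from this article or from Red Hat) parses a constructed RHEL8-style account phase and walks the stack, honouring the [success=N default=ignore] jump. Only the "service in a:b" pam_succeed_if condition used on this page is modelled; other conditions are treated as not matching.

```python
import re

# Constructed sample: account phase of /etc/pam.d/system-auth on RHEL8 after the fix.
FIXED_ACCOUNT_PHASE = """\
account     [success=1 default=ignore] pam_succeed_if.so service in crond:systemd-user
account     required      pam_faillock.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so
"""

# Constructed sample: the same phase without the pam_succeed_if guard (the "before" state).
UNFIXED_ACCOUNT_PHASE = "\n".join(FIXED_ACCOUNT_PHASE.splitlines()[1:]) + "\n"


def parse_account_lines(text):
    """Return (control, module, args) tuples for every 'account' rule in the text."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"account\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m:
            rules.append((m.group(1), m.group(2), m.group(3).split()))
    return rules


def succeed_if_matches(args, service):
    """Evaluate the pam_succeed_if form used on this page: 'service in a:b:c'."""
    if len(args) >= 3 and args[0] == "service" and args[1] == "in":
        return service in args[2].split(":")
    return False  # other pam_succeed_if conditions are not modelled here


def modules_reached(rules, service):
    """Walk the stack for PAM_SERVICE=service and list the modules that actually run."""
    reached, i = [], 0
    while i < len(rules):
        control, module, args = rules[i]
        reached.append(module)
        skip = 0
        if module == "pam_succeed_if.so" and succeed_if_matches(args, service):
            jump = re.search(r"success=(\d+)", control)  # [success=N ...] skips N rules
            skip = int(jump.group(1)) if jump else 0
        i += 1 + skip
    return reached


def faillock_skipped_for(text, service):
    """True if pam_faillock never runs for the given service with this account phase."""
    return "pam_faillock.so" not in modules_reached(parse_account_lines(text), service)
```

Run faillock_skipped_for() against the real /etc/pam.d/system-auth or password-auth contents to check a deployed system; interactive services such as sshd must still reach pam_faillock.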
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.