Expected Behavior
Users should be locked out after X number of failed logins.
Actual Behavior
While the log file says that the user is locked, that's not really the case as the user is still able to login after putting in the correct password. Snippet below is from the secure log file.
Apr 14 16:34:58 localhost sshd[18715]: Failed password for brent from 192.168.92.1 port 50176 ssh2
Apr 14 16:35:01 localhost unix_chkpwd[18718]: password check failed for user (brent)
Apr 14 16:35:03 localhost sshd[18715]: Failed password for brent from 192.168.92.1 port 50176 ssh2
Apr 14 16:35:04 localhost unix_chkpwd[18720]: password check failed for user (brent)
Apr 14 16:35:04 localhost sshd[18715]: pam_faillock(sshd:auth): Consecutive login failures for user brent account **temporarily locked**
Apr 14 16:35:07 localhost sshd[18715]: Failed password for brent from 192.168.92.1 port 50176 ssh2
.
.
Apr 14 16:35:14 localhost sshd[18735]: **Accepted password** for brent from 192.168.92.1 port 50292 ssh2
Control(s) Affected
5.5.2 | PATCH | Ensure lockout for failed password attempts is configured
Environment (please complete the following information):
branch being used: devel
Ansible Version: 2.14
Possible Solution
Modify password-auth and system-auth PAM config files as per link above.
Describe the Issue
As per task/play "5.5.2 | PATCH | Ensure lockout for failed password attempts is configured" a lockout policy is defined.
However, setting the values from
/etc/security/faillock.conf
is not enough. We also need to configure the PAM config files for the lockout to work.
There are many HowTo guides from the internet in regards to faillock implementation. Here's an example: https://www.golinuxcloud.com/pam-faillock-lock-user-account-linux/#Method-1_Lock_user_account_after_failed_login_attempts_by_manually_updating_pamd_configuration_files
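The following is an added example, not code from this issue or from the ansible-lockdown role. It audits a RHEL-style PAM file (the issue's /etc/pam.d/password-auth and system-auth) for the complete pam_faillock stack, and runs against two constructed sample stacks: one that reproduces the symptom in the log above (failures are counted and logged, but a subsequent correct password is still accepted) and one with the lines the fix adds. It assumes pam_faillock reads /etc/security/faillock.conf when the module lines carry no deny=/unlock_time= options.

```shell
#!/bin/sh
# Added example (not from the issue or the ansible-lockdown role).
# Assumption: pam_faillock takes deny=/unlock_time= from
# /etc/security/faillock.conf when the module lines carry no options.

# Returns 0 when FILE has preauth -> pam_unix -> authfail -> authsucc in the
# auth phase, in that order, plus pam_faillock in the account phase; else 1.
check_pam_faillock() {
    awk '
        $1=="auth"    && $3=="pam_faillock.so" && $4=="preauth"  { pre=NR }
        $1=="auth"    && $3=="pam_unix.so"                       { unix=NR }
        $1=="auth"    && $3=="pam_faillock.so" && $4=="authfail" { fail=NR }
        $1=="auth"    && $3=="pam_faillock.so" && $4=="authsucc" { succ=NR }
        $1=="account" && $3=="pam_faillock.so"                   { acct=NR }
        END { exit !(pre && unix && fail && succ && acct && pre<unix && unix<fail && fail<succ) }
    ' "$1"
}

# Constructed sample: only authfail is present, so failures are counted and
# "temporarily locked" is logged, but pam_unix (sufficient) still accepts the
# next correct password because nothing checks the counter before it runs.
write_broken_stack() {
    cat > "$1" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail
auth        required      pam_deny.so
account     required      pam_unix.so
EOF
}

# Constructed sample: the same file with the full pam_faillock stack.
write_fixed_stack() {
    cat > "$1" <<'EOF'
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [default=die] pam_faillock.so authfail
auth        sufficient    pam_faillock.so authsucc
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
EOF
}

# Stand-alone demo on the constructed samples (use the real /etc/pam.d paths to audit a host).
tmp=$(mktemp -d); write_broken_stack "$tmp/password-auth"; write_fixed_stack "$tmp/system-auth"
for f in "$tmp"/*; do check_pam_faillock "$f" && echo "OK      $f" || echo "MISSING $f"; done
rm -rf "$tmp"
```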