
How to remediate "Ensure lockout for failed password attempts is configured (CIS: L1 - Server - 5.3.2)" in Azure VM

Phan Dai Duong 20 Reputation points
2026-03-14T05:50:47.3733333+00:00

I'm using Azure VM with Ubuntu 24.04 LTS and want to fix the issue "Ensure lockout for failed password attempts is configured (CIS: L1 - Server - 5.3.2)" produced by Guest Extension in Azure.
I have done some research and ended up modifying the file /etc/pam.d/common-auth like below

# here are the per-package modules (the "Primary" block)
auth    required                        pam_faillock.so preauth audit deny=3 unlock_time=20
# success=N skips the next N module lines (comment lines do not count); both
# jumps must land on the "authsucc" line below, otherwise a correct password
# skips the counter reset and falls through to pam_deny
auth    [success=2 ignore=ignore default=die]   pam_aad.so
auth    [success=1 default=ignore]      pam_unix.so nullok try_first_pass
# here's the fallback if no module succeeds
auth    [default=die]                   pam_faillock.so authfail audit deny=3 unlock_time=20
auth    sufficient                      pam_faillock.so authsucc audit deny=3 unlock_time=20
auth    requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth    required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth    optional                        pam_cap.so
# end of pam-auth-update config

I created a test user, tried to login with the wrong password 3 times and the lockout process happened successfully.

The problem is that the rule still remains "Non-compliant" in the Azure Portal with reason "Neither pam_faillock.so, pam_tally2.so or pam_tally.so PAM modules exist for this distribution. Manually set lockout for failed password attempts following specific instructions for this distribution. Automatic remediation is not possible".

Hope that anyone can help me with this to increase the security score of the subscription.

Azure Policy


Answer accepted by question author
  1. Suchitra Suregaunkar 11,395 Reputation points Microsoft External Staff Moderator
    2026-04-01T18:29:05.28+00:00

    Hello @Phan Dai Duong, thank you for posting your query on the Microsoft Q&A platform.

    This is not a configuration issue on the VM. It is a known limitation of Azure Machine Configuration (Guest Configuration) for Linux, specifically for Ubuntu 24.04 LTS.

    The Azure policy “Ensure lockout for failed password attempts is configured (CIS: L1 – Server – 5.3.2)” is evaluated using a generic Linux CIS baseline in Azure Machine Configuration.

    For Ubuntu / Debian-based distributions, the policy logic expects legacy PAM modules such as:

    • pam_tally.so
    • pam_tally2.so

    However:

    • Ubuntu 24.04 LTS no longer uses pam_tally or pam_tally2
    • Canonical has deprecated these modules and replaced them with pam_faillock
    • Even when pam_faillock is correctly installed, configured, and working, Azure Machine Configuration does not detect it for this CIS control

    As a result, the Guest Configuration extension reports the VM as Non-compliant, with the message: “Neither pam_faillock.so, pam_tally2.so or pam_tally.so PAM modules exist for this distribution. Manually set lockout for failed password attempts following specific instructions for this distribution. Automatic remediation is not possible.”

    This message reflects the current policy detection logic, not the actual security state of the VM.

    Microsoft confirms that some CIS controls cannot be automatically validated or remediated and require manual verification, depending on the OS and baseline logic used by Guest Configuration.

    Reference: https://learn.microsoft.com/en-us/azure/virtual-machines/extensions/guest-configuration?tabs=portal

    • Your configuration using pam_faillock is correct and effective on Ubuntu 24.04.
    • The user account lockout working after failed login attempts confirms that the CIS requirement is functionally met.
    • The non‑compliance status in Azure is a false negative, caused by unsupported detection for Ubuntu 24.04, not by misconfiguration.

    Guest Configuration policies use predefined, static checks and do not dynamically adapt to distribution-specific security mechanisms.

    As of today there is no Microsoft-supported remediation that will make this control show Compliant for Ubuntu 24.04 using pam_faillock.

    Installing deprecated modules (pam_tally / pam_tally2) is not supported on Ubuntu 24.04 and not recommended.

    Microsoft only supports manual validation, policy exemption / suppression, or a custom Guest Configuration policy.

    For controls like this where automatic validation is not supported:

    • Treat the finding as Manual / Platform limitation
    • Document the configuration and justification
    • Optionally apply a policy exemption if it affects Secure Score reporting

    Ubuntu official documentation for pam_faillock (supported mechanism in modern Ubuntu): https://manpages.ubuntu.com/manpages/noble/man8/pam_faillock.8.html

    Thanks,

    Suchitra.

    1 person found this answer helpful.
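Since the portal check cannot validate the stack, the verification has to be done on the VM itself. The script below is an added example, not code from the thread or from Microsoft tooling: a POSIX shell check that parses a PAM "auth" stack, confirms that the pam_faillock preauth/authfail/authsucc lines surround pam_unix in the right order, and verifies that every success=N jump between preauth and authsucc lands exactly on the authsucc line (a jump past it skips the counter reset and hits pam_deny, so correct passwords are refused). It assumes the Ubuntu common-auth layout (one module per line, first field "auth"); the embedded sample stack is constructed from the poster's configuration with the jump counts set so both jumps land on authsucc.

```shell
#!/bin/sh
# Added example (not from the Q&A thread): static check of pam_faillock wiring
# in a PAM "auth" stack. Assumes the Ubuntu common-auth layout.

check_faillock_stack() {
  awk '
    /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
    $1 == "auth" { n++; line[n] = $0 }      # keep active auth lines, in order
    END {
      pre = pw = fail = succ = 0
      for (i = 1; i <= n; i++) {
        if (line[i] ~ /pam_faillock\.so/) {
          if (line[i] ~ /preauth/)  pre  = i
          if (line[i] ~ /authfail/) fail = i
          if (line[i] ~ /authsucc/) succ = i
        } else if (line[i] ~ /pam_unix\.so/) pw = i
      }
      if (!pre || !fail || !succ || !pw) {
        print "MISSING: need preauth, pam_unix, authfail and authsucc lines"; exit 1
      }
      if (!(pre < pw && pw < fail && fail < succ)) {
        print "ORDER: expected preauth < pam_unix < authfail < authsucc"; exit 1
      }
      # success=N skips the next N active module lines (comments do not count);
      # every jump between preauth and authsucc must land on authsucc itself.
      for (i = pre + 1; i < succ; i++) {
        if (match(line[i], /success=[0-9]+/)) {
          jump = substr(line[i], RSTART + 8, RLENGTH - 8) + 0
          if (i + 1 + jump != succ) {
            print "JUMP: module " i " success=" jump " lands on module " (i + 1 + jump) ", authsucc is module " succ
            exit 1
          }
        }
      }
      print "OK"
    }' "$1"
}

sample_stack() {
  # Constructed sample: the poster's stack with jump counts that reach authsucc.
cat <<'EOF'
# here are the per-package modules (the "Primary" block)
auth    required                        pam_faillock.so preauth audit deny=3 unlock_time=20
auth    [success=2 ignore=ignore default=die]   pam_aad.so
auth    [success=1 default=ignore]      pam_unix.so nullok try_first_pass
auth    [default=die]                   pam_faillock.so authfail audit deny=3 unlock_time=20
auth    sufficient                      pam_faillock.so authsucc audit deny=3 unlock_time=20
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so
auth    optional                        pam_cap.so
EOF
}

# Run against the constructed sample; on a VM pass /etc/pam.d/common-auth instead.
tmp=$(mktemp)
sample_stack > "$tmp"
check_faillock_stack "$tmp"
rm -f "$tmp"
```

On the VM, run `check_faillock_stack /etc/pam.d/common-auth` as root, then reproduce the poster's test (three wrong passwords for a test user) and inspect the counter with `faillock --user <name>`; the combination of a clean static check and a visible lockout record is the evidence to keep with the exemption justification.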

1 additional answer

Sort by: Most helpful
  1. Q&A Assist
    2026-03-14T05:51:03.8866667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    Guest Configuration for the CIS control “Ensure lockout for failed password attempts is configured (CIS: L1 - Server - 5.3.2)” evaluates the OS using a generic Linux baseline, not the custom configuration that was added.

    According to the Linux security baseline, the expected remediation pattern for this control on Ubuntu/Debian is to “add the pam_tally and pam_deny modules as appropriate.” The compliance text explicitly states that for Ubuntu and Debian, the check is based on pam_tally/pam_deny, and that for other distributions, distro-specific guidance must be followed.

    Because Ubuntu 24.04 LTS in AKS and CIS guidance now use pam_faillock, but the Guest Configuration baseline still documents pam_tally/pam_deny for this control, the following occurs:

    1. The local configuration with pam_faillock in /etc/pam.d/common-auth correctly enforces lockout and is functionally secure.
    2. The Guest Configuration policy definition, however, is not written to recognize this pattern on Ubuntu 24.04 and therefore reports:
      • “Neither pam_faillock.so, pam_tally2.so or pam_tally.so PAM modules exist for this distribution. Manually set lockout for failed password attempts following specific instructions for this distribution. Automatic remediation is not possible.”
    3. As a result, the VM remains Non-compliant in Azure Policy even though the lockout is working.

    From the available documentation, only the following is supported:

    • For the Linux security baseline control “Ensure lockout for failed password attempts is configured (CIS: L1 - Server - 5.3.2)”, the remediation check is defined as:
      • “for Ubuntu and Debian, add the pam_tally and pam_deny modules as appropriate. For all other distros, refer to your distro's documentation.”

    Given this, there are two practical options within the constraints of the current Guest Configuration content:

    1. Accept that the VM is technically compliant (using pam_faillock) but will remain Non-compliant in Azure Policy until the policy/guest configuration package is updated to understand Ubuntu 24.04’s pam_faillock-based configuration.
    2. Align the configuration with the documented remediation pattern (pam_tally + pam_deny) for Ubuntu/Debian so that it matches what the Guest Configuration baseline is checking for. This may require reverting or adjusting the current pam_faillock configuration and carefully testing authentication behavior.

    The behavior seen in the portal (Non-compliant with the specific message about pam_faillock/pam_tally) is therefore expected with the current Guest Configuration content and does not indicate that the lockout is misconfigured, only that the policy cannot automatically validate the chosen implementation on Ubuntu 24.04.



