From 7363a386f6303fca4f97f3e68a05e10324982a7d Mon Sep 17 00:00:00 2001
From: Alan Moore
Date: Thu, 2 Jan 2025 17:41:11 +0000
Subject: [PATCH 1/2] Implement rule 5.3.3.1.2 Ensure password unlock time is configured
---
 controls/cis_ubuntu2404.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index fbc438cf883..a328a634e53 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -1899,8 +1899,10 @@ controls:
 levels:
 - l1_server
 - l1_workstation
- status: planned
- notes: TODO. Rule does not seem to be implemented, nor does it map to any rules in ubuntu2204 profile.
+ status: automated
+ rules:
+ - var_accounts_passwords_pam_faillock_unlock_time=600
+ - accounts_passwords_pam_faillock_unlock_time

 - id: 5.3.3.1.3
 title: Ensure password failed attempts lockout includes root account (Automated)
From ed08bce5325ed17ac2cd44e771ad34d7a86d6009 Mon Sep 17 00:00:00 2001
From: Alan Moore
Date: Wed, 8 Jan 2025 15:36:38 +0000
Subject: [PATCH 2/2] Align with benchmark value
---
 controls/cis_ubuntu2404.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/controls/cis_ubuntu2404.yml b/controls/cis_ubuntu2404.yml
index a328a634e53..596032e5d3f 100644
--- a/controls/cis_ubuntu2404.yml
+++ b/controls/cis_ubuntu2404.yml
@@ -1901,7 +1901,7 @@ controls:
 - l1_workstation
 status: automated
 rules:
- - var_accounts_passwords_pam_faillock_unlock_time=600
+ - var_accounts_passwords_pam_faillock_unlock_time=900
 - accounts_passwords_pam_faillock_unlock_time

 - id: 5.3.3.1.3
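Review bot: `status: automated` on control 5.3.3.1.2 asserts a working check and remediation, yet the note removed in this hunk said the rule did not appear to be implemented and had no counterpart in the ubuntu2204 profile, and the patch touches only this controls file. Nothing visible here shows that `accounts_passwords_pam_faillock_unlock_time` is applicable to Ubuntu 24.04, or that its remediation writes where that product's PAM stack reads the setting. Please confirm with a scan and a remediation run on the product before keeping this status. If coverage turns out to be incomplete, `status: partial` with a short `notes:` entry describing the gap would be more accurate. The control entry begins above the hunk.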
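Review bot: The `=900` selector on `var_accounts_passwords_pam_faillock_unlock_time` carries no explanation, and the previous patch in this series used 600, so a later editor cannot tell which value is authoritative. A `notes:` entry on the control, for example `notes: unlock_time is set to 900 seconds, the value given in the benchmark.`, would record the reason. For pam_faillock an `unlock_time` of 0 keeps the account locked until an administrator resets it, which is stricter than any timeout. Whether the rule's check accepts 0 or values above the selected one is not visible in this hunk and is worth confirming, so that more strictly configured hosts are not reported as failing or remediated down to 900.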