PCI-DSS 8.1.7: Lockout duration minimum 30 minutes #400

@gtema

Description

Implement and document

Implementation:
◦ Config: lockout_duration (default 1800 seconds = 30 min) in keystone/conf/security_compliance.py
◦ Logic: Time-based unlock in _is_account_locked() method
◦ Supports both timed lockouts and permanent disablement

During the password login process, before the password itself is checked, the time elapsed since the last failed login attempt is compared against the configured lockout duration to determine whether the account is still locked:

import datetime
from oslo_utils import timeutils

# Account remains locked until lockout_duration seconds have passed since the last failure.
delta = datetime.timedelta(seconds=lockout_duration)
last_failure = user_ref.local_user.failed_auth_at
if (last_failure + delta) > timeutils.utcnow():
    return True

After a successful login, failed_auth_at is reset.
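The lockout flow above as an added, self-contained example (not Keystone's own code): it assumes a failure-count threshold (`max_attempts`, not mentioned in the issue) triggers the lock, that a falsy `lockout_duration` means permanent disablement, and uses a constructed `LocalUser` stand-in for the stored `failed_auth_count` / `failed_auth_at` fields.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class LocalUser:
    """Constructed stand-in for the failed-auth fields on a local user record."""
    failed_auth_count: int = 0
    failed_auth_at: Optional[datetime] = None


def is_account_locked(user: LocalUser, lockout_duration: Optional[int],
                      max_attempts: int, now: datetime) -> bool:
    """Return True while the account must reject logins.

    Assumptions (not from the issue): max_attempts is the failure threshold
    that triggers a lockout, and a falsy lockout_duration means the lock
    never expires (permanent disablement).
    """
    if not max_attempts or user.failed_auth_count < max_attempts:
        return False
    if not lockout_duration:
        return True  # permanent: only an administrator can clear it
    if user.failed_auth_at is None:
        return False  # counter without timestamp: nothing to measure
    # Time-based unlock: locked only until lockout_duration has elapsed.
    return user.failed_auth_at + timedelta(seconds=lockout_duration) > now


def attempt_login(user: LocalUser, password_ok: bool,
                  lockout_duration: Optional[int] = 1800, max_attempts: int = 3,
                  now: Optional[datetime] = None) -> str:
    """Simulate one password login; returns 'locked', 'failed' or 'ok'."""
    now = now or datetime.now(timezone.utc)
    # The lock check runs before the password is examined, so a locked
    # account gives no signal about whether the password was right.
    if is_account_locked(user, lockout_duration, max_attempts, now):
        return "locked"
    if user.failed_auth_count >= max_attempts:
        user.failed_auth_count = 0  # lock has expired: count afresh
    if not password_ok:
        user.failed_auth_count += 1
        user.failed_auth_at = now
        return "failed"
    # A successful login resets the failure state.
    user.failed_auth_count = 0
    user.failed_auth_at = None
    return "ok"
```

Note that the check returns "locked" even for a correct password, so the lock window itself never leaks whether the password was right.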

Status: Done