I have managed to configure /etc/security/faillock.conf with the values I want. In this case, it is 5 tries and defined a lockout count of 20 minutes.
After running “authselect enable-feature with-faillock”, I get the below error message.
No existing configuration detected.
I also checked that sssd is running but it says it is dead. Does sssd have to be running for faillock to be running? I also have no pam_faillock.so module in my conf files. Do I need to do some extra configs?
My system doesn't lock out after 5 failed logins.
Perhaps try doing:
authselect current
to see what profile is currently selected, and then for example if nothing is configured which is the default, perhaps set to the minimal profile:
authselect select minimal
and then after that enable the additional features. If you are using sssd then you may need to select the sssd profile instead of minimal.
What if a malicious user can attack the login and lock you out?
No, sssd is not required and is not related to faillock.
You need to use:
authselect select minimal with-faillock
authselect apply-changes
Afterwards you can check /etc/pam.d for the pam_faillock.so references.
2 Likes
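One way to script the /etc/pam.d check suggested in the answer above, as an added example that is not part of the thread. The function names and the sample file contents are constructed for illustration; the entries it looks for (auth preauth, auth authfail, and an account line) are the pam_faillock.so hooks described in its man page.

```shell
#!/bin/sh
# Added example (not from the thread). Sample file contents are constructed.

# Report which pam_faillock.so entries a PAM stack file lacks.
# Prints "ok" when auth preauth, auth authfail and account are all present.
faillock_pam_status() {
    awk '
        /^[ \t]*#/ || !/pam_faillock\.so/ { next }   # skip comments, other modules
        {
            for (i = 2; i <= NF; i++) {
                if ($1 == "auth" && $i == "preauth")  pre = 1
                if ($1 == "auth" && $i == "authfail") fail = 1
            }
            if ($1 == "account") acct = 1
        }
        END {
            if (!pre)  out = out " auth:preauth"
            if (!fail) out = out " auth:authfail"
            if (!acct) out = out " account"
            if (out == "") print "ok"; else print "missing:" out
        }' "$1"
}

# Print the value of an "option = value" line from a faillock.conf-style file.
faillock_conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# Constructed samples: a stack with faillock wired in, one without, and a config.
demo_dir=$(mktemp -d)
cat > "$demo_dir/with" <<'EOF'
auth        required      pam_env.so
auth        required      pam_faillock.so preauth silent
auth        sufficient    pam_unix.so
auth        required      pam_faillock.so authfail
auth        required      pam_deny.so
account     required      pam_faillock.so
account     required      pam_unix.so
EOF
grep -v pam_faillock "$demo_dir/with" > "$demo_dir/without"
printf '# constructed\ndeny = 5\nunlock_time = 1800\n' > "$demo_dir/faillock.conf"

for f in with without; do
    printf '%s: %s\n' "$f" "$(faillock_pam_status "$demo_dir/$f")"
done
printf 'deny=%s unlock_time=%s\n' \
    "$(faillock_conf_value "$demo_dir/faillock.conf" deny)" \
    "$(faillock_conf_value "$demo_dir/faillock.conf" unlock_time)"
```

On a real host, point faillock_pam_status at the stack files under /etc/pam.d and faillock_conf_value at /etc/security/faillock.conf.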
Thanks @iwalker
This is also a solution, but seeing that I don't need SSSD, I voted for @nazunalika's solution because it makes it clear I do not need SSSD. So I will just bootstrap the service without SSSD and just use --force to overwrite the existing files.
Yeah, I gave both options, either set to minimal or sssd depending on your requirements. But all OK, you can choose which one is your solution.
I have had success with the bootstrapping of the config files. However, after setting unlock_time = 1800 and deny = 5, I can see the deny counts with faillock --user . But when I run passwd -S the password status is still PS and not LK as expected.
Is there an extra config I need to do for authselect?
Extra observations:
- In /var/run/faillock/ I do see so it is locked supposedly.
- I also can log in with while it is supposedly locked. So it seems like this is a symbolic lock rather than the strict lock I need to have.
Where did I go wrong?