UCF STIG Viewer Logo
Changes are coming to https://stigviewer.com. Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey

The Ubuntu operating system must automatically lock an account until the locked account is released by an administrator when three unsuccessful logon attempts.


Overview

Finding ID Version Rule ID IA Controls Severity
V-100569 UBTU-18-010039 SV-109673r1_rule Low
Description
By limiting the number of failed logon attempts, the risk of unauthorized system access via user password guessing, otherwise known as brute-forcing, is reduced. Limits are imposed by locking the account.
STIG Date
Canonical Ubuntu 18.04 LTS Security Technical Implementation Guide 2020-05-29

Details

Check Text ( C-99427r2_chk )
Check that Ubuntu operating system locks an account after three unsuccessful login attempts with the following:

# grep pam_tally2 /etc/pam.d/common-auth

auth required pam_tally2.so onerr=fail deny=3

If the command above does not return a pam_tally2.so line with both onerr=fail and deny=3 parameters, this is a finding.
Fix Text (F-106255r2_fix)
Configure the Ubuntu operating system to lock an account after three unsuccessful login attempts.

Edit the /etc/pam.d/common-auth file and add the following line:

auth required pam_tally2.so onerr=fail deny=3