The system must disable accounts after three consecutive unsuccessful SSH login attempts.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-40355	GEN000000-HPUX0210	SV-52335r1_rule	ECLO-1 ECLO-2	Medium

Description
Disabling accounts after a limited number of unsuccessful SSH login attempts improves protection against password guessing attacks.

STIG	Date
HP-UX 11.31 Security Technical Implementation Guide	2016-12-20

Details

Check Text ( C-46984r1_chk )
If the system is operating in Trusted Mode, this check is not applicable. For SMSE: The “UsePAM” attribute in the /opt/ssh/etc/sshd_config configuration file controls whether an account is locked after too many consecutive SSH authentication failures. The default “UsePAM” attribute setting is “no”. Verify the global setting for “UsePAM” is set to “yes”. # cat /opt/ssh/etc/sshd_config \| sed -e 's/^[ \t]*//' grep -v “#” \| grep “^UsePAM” If the /opt/ssh/etc/sshd_config configuration file attribute “UsePAM” is not set to “yes”, this is a finding.

Check Text ( C-46984r1_chk )

If the system is operating in Trusted Mode, this check is not applicable.

For SMSE:
The “UsePAM” attribute in the /opt/ssh/etc/sshd_config configuration file controls whether an account is locked after too many consecutive SSH authentication failures. The default “UsePAM” attribute setting is “no”. Verify the global setting for “UsePAM” is set to “yes”.
# cat /opt/ssh/etc/sshd_config | sed -e 's/^[ \t]*//' grep -v “#” | grep “^UsePAM”

If the /opt/ssh/etc/sshd_config configuration file attribute “UsePAM” is not set to “yes”, this is a finding.

Fix Text (F-45323r1_fix)
If the system is operating in Trusted Mode, no fix is required. For SMSE only: Edit the /opt/ssh/etc/sshd_config file and add/uncomment/update the “UsePAM” attribute. See the below example: UsePAM yes Save any change(s) before exiting the editor.