Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-40355 | GEN000000-HPUX0210 | SV-52335r1_rule | ECLO-1 ECLO-2 | Medium |
Description |
---|
Disabling accounts after a limited number of unsuccessful SSH login attempts improves protection against password guessing attacks. |
STIG | Date |
---|---|
HP-UX SMSE Security Technical Implementation Guide | 2014-02-28 |
Check Text ( C-46984r1_chk ) |
---|
If the system is operating in Trusted Mode, this check is not applicable. For SMSE: The “UsePAM” attribute in the /opt/ssh/etc/sshd_config configuration file controls whether an account is locked after too many consecutive SSH authentication failures. The default “UsePAM” attribute setting is “no”. Verify the global setting for “UsePAM” is set to “yes”. # cat /opt/ssh/etc/sshd_config | sed -e 's/^[ \t]*//' grep -v “#” | grep “^UsePAM” If the /opt/ssh/etc/sshd_config configuration file attribute “UsePAM” is not set to “yes”, this is a finding. |
Fix Text (F-45323r1_fix) |
---|
If the system is operating in Trusted Mode, no fix is required. For SMSE only: Edit the /opt/ssh/etc/sshd_config file and add/uncomment/update the “UsePAM” attribute. See the below example: UsePAM yes Save any change(s) before exiting the editor. |