Finding ID | Version | Rule ID | IA Controls | Severity |
---|---|---|---|---|
V-766 | GEN000460 | SV-63383r1_rule | Medium |
Description |
---|
Disabling accounts after a limited number of unsuccessful login attempts improves protection against password guessing attacks. |
STIG | Date |
---|---|
Oracle Linux 5 Security Technical Implementation Guide | 2017-03-01 |
Check Text ( C-52095r1_chk ) |
---|
Check the pam_tally configuration. # more /etc/pam.d/system-auth Confirm the following line is configured, before any "auth sufficient" lines: auth required pam_tally2.so deny=3 If no such line is found, this is a finding. |
Fix Text (F-53983r1_fix) |
---|
By default link /etc/pam.d/system-auth points to /etc/pam.d/system-auth-ac which is the file maintained by the authconfig utility. In order to add pam options other than those available via the utility create /etc/pam.d/system-auth-local with the options and including system-auth-ac. In order to set the account lockout to three failed attempts the content should be similar to: auth required pam_access.so auth required pam_tally2.so deny=3 auth include system-auth-ac account required pam_tally2.so account include system-auth-ac password include system-auth-ac session include system-auth-ac Once system-auth-local is written reset the /etc/pam.d/system-auth to point to system-auth-local. This is necessary because authconfig writes directly to system-auth-ac so any changes made by hand will be lost if authconfig is run. |