Changes are coming to https://stigviewer.com.
Take our survey to help us understand your usage and how we can better serve you in the future.
Take Survey
The system must disable accounts after three consecutive unsuccessful login attempts.
Overview
| Finding ID | Version | Rule ID | IA Controls | Severity |
|---|---|---|---|---|
| V-766 | GEN000460 | SV-37203r1_rule | ECLO-1 ECLO-2 | Medium |
| Description |
|---|
| Disabling accounts after a limited number of unsuccessful login attempts improves protection against password guessing attacks. |
| STIG | Date |
|---|---|
| Red Hat Enterprise Linux 5 Security Technical Implementation Guide | 2014-01-09 |
Details
| Check Text ( C-35895r1_chk ) |
|---|
| Check the pam_tally configuration. # more /etc/pam.d/system-auth Confirm the following line is configured, before any "auth sufficient" lines: auth required pam_tally2.so deny=3 If no such line is found, this is a finding. |
| Fix Text (F-31153r1_fix) |
|---|
| By default link /etc/pam.d/system-auth points to /etc/pam.d/system-auth-ac which is the file maintained by the authconfig utility. In order to add pam options other than those available via the utility create /etc/pam.d/system-auth-local with the options and including system-auth-ac. In order to set the account lockout to three failed attempts the content should be similar to: auth required pam_access.so auth required pam_tally2.so deny=3 auth include system-auth-ac account required pam_tally2.so account include system-auth-ac password include system-auth-ac session include system-auth-ac Once system-auth-local is written reset the /etc/pam.d/system-auth to point to system-auth-local. This is necessary because authconfig writes directly to system-auth-ac so any changes made by hand will be lost if authconfig is run. |